diff --git a/checklists/avd_checklist.en.json b/checklists/avd_checklist.en.json
index 41c2bd00a..af0aedbf8 100644
--- a/checklists/avd_checklist.en.json
+++ b/checklists/avd_checklist.en.json
@@ -1,1523 +1,1523 @@
-{
- "items": [
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Compute",
- "text": "Determine the expected High Availability SLA for applications/desktops published through AVD",
- "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.",
- "waf": "Reliability",
- "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
- "id": "A01.01",
- "severity": "High",
- "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Compute",
- "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools",
- "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. 
For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.",
- "waf": "Reliability",
- "guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
- "id": "A01.02",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Compute",
- "text": "Separate critical applications in different AVD Host Pools",
- "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.",
- "waf": "Reliability",
- "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
- "id": "A01.03",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Compute",
- "text": "Plan the best resiliency option for AVD Host Pool deployment",
- "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.",
- "waf": "Reliability",
- "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
- "id": "A01.04",
- "severity": "High",
- "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Compute",
- "text": "Assess the requirement to backup AVD Session Host VMs",
- "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.",
- "waf": "Reliability",
- "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
- "id": "A01.05",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Compute",
- "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts",
- "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. 
All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.",
- "waf": "Reliability",
- "guid": "5da58639-ca3a-4961-890b-29663c5e10d",
- "id": "A01.06",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Dependencies",
- "text": "Plan for Golden Image cross-region availability",
- "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.",
- "waf": "Reliability",
- "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
- "id": "A02.01",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Dependencies",
- "text": "Assess Infrastructure & Application dependencies ",
- "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. 
BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.",
- "waf": "Reliability",
- "guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
- "id": "A02.02",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Storage",
- "text": "Assess which data need to be protected in the Profile and Office Containers",
- "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).",
- "waf": "Reliability",
- "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
- "id": "A03.01",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Storage",
- "text": "Build a backup protection strategy for Profile and Office Containers",
- "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).",
- "waf": "Reliability",
- "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
- "id": "A03.02",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Storage",
- "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose",
- "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. 
[Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.",
- "waf": "Reliability",
- "guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
- "id": "A03.03",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Storage",
- "text": "Review Azure Files disaster recovery strategy",
- "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.",
- "waf": "Reliability",
- "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
- "id": "A03.04",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/backup/backup-afs"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Storage",
- "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency",
- "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. 
",
- "waf": "Reliability",
- "guid": "10d4e875-d502-4142-a795-f2b6eff34f88",
- "id": "A03.05",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage"
- },
- {
- "category": "Business Continuity and Disaster Recovery",
- "subcategory": "Storage",
- "text": "Review Azure NetApp Files disaster recovery strategy",
- "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.",
- "waf": "Reliability",
- "guid": "23429db7-2281-4376-85cc-57b4a4b18142",
- "id": "A03.06",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Determine how applications will be deployed in AVD Host Pools",
- "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.",
- "waf": "Operations",
- "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
- "id": "B01.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Estimate the number of golden images that will be required",
- "description": "Multiple golden images can be 
required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.",
- "waf": "Operations",
- "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
- "id": "B01.02",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Determine which OS image/s you will use for Host Pool deployment",
- "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. Custom images",
- "waf": "Reliability",
- "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
- "id": "B01.03",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Select the proper store for custom images",
- "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. The recommended way is to use Azure Compute Gallery.",
- "waf": "Reliability",
- "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
- "id": "B01.04",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Design your build process for custom images",
- "description": "If custom images will be used, plan for an automated build process. 
If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.",
- "waf": "Operations",
- "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
- "id": "B01.05",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image",
- "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.",
- "waf": "Operations",
- "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
- "id": "B01.06",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Include the latest version of FSLogix in the golden image update process",
- "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.",
- "waf": "Reliability",
- "guid": "ed5c9027-dd1a-4343-86ca-52b199223186",
- "id": "B01.07",
- "severity": "High",
- "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool",
- "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. 
",
- "waf": "Performance",
- "guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
- "id": "B01.08",
- "severity": "Low",
- "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Determine if Microsoft OneDrive will be part of AVD deployment",
- "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. OneDrive today is not supported for Remote Apps.",
- "waf": "Operations",
- "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
- "id": "B01.09",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Determine if Microsoft Teams will be part of AVD deployment",
- "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.",
- "waf": "Performance",
- "guid": "b5887953-5d22-4788-9d30-b66c67be5951",
- "id": "B01.10",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD"
- },
- {
- "category": "Compute",
- "subcategory": "Golden Images",
- "text": "Assess the requirement to support multiple languages",
- "description": "AVD can support users with different language and localization requirements in the same host pool. 
This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.",
- "waf": "Reliability",
- "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a",
- "id": "B01.11",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs"
- },
- {
- "category": "Compute",
- "subcategory": "MSIX & AppAttach",
- "text": "Do not use the same storage account/share as FSLogix profiles",
- "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ",
- "waf": "Performance",
- "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
- "id": "B02.01",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
- },
- {
- "category": "Compute",
- "subcategory": "MSIX & AppAttach",
- "text": "Review performance considerations for MSIX",
- "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.",
- "waf": "Performance",
- "guid": "241addce-5793-477b-adb3-751ab2ac1fad",
- "id": "B02.02",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
- },
- {
- "category": "Compute",
- "subcategory": "MSIX & AppAttach",
- "text": "Check proper session host permissions for MSIX share",
- "description": "MSIX app attach requires read-only permissions to access the file share. 
If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.",
- "waf": "Security",
- "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
- "id": "B02.03",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
- },
- {
- "category": "Compute",
- "subcategory": "MSIX & AppAttach",
- "text": "MSIX packages for 3rd-party applications",
- "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.",
- "waf": "Cost",
- "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
- "id": "B02.04",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
- },
- {
- "category": "Compute",
- "subcategory": "MSIX & AppAttach",
- "text": "Disable auto-update for MSIX packages",
- "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.",
- "waf": "Operations",
- "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
- "id": "B02.05",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
- },
- {
- "category": "Compute",
- "subcategory": "MSIX & AppAttach",
- "text": "Review operating systems support",
- "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.",
- "waf": "Reliability",
- "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
- "id": "B02.06",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
- },
- {
- "category": "Compute",
- "subcategory": "Session Host",
- "text": "Evaluate the usage of Gen2 VM for 
Host Pool deployment",
- "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.",
- "waf": "Performance",
- "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
- "id": "B03.01",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2"
- },
- {
- "category": "Compute",
- "subcategory": "Session Host",
- "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser",
- "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.",
- "waf": "Performance",
- "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
- "id": "B03.02",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Determine the Host Pool type to use",
- "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.",
- "waf": "Cost",
- "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
- "id": "C01.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of different Host Pools to deploy ",
- "description": "Use your design criteria to determine the number of Host Pools to deploy. 
This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). These will determine the number of host pools as well as how many hosts will be in each pool.",
- "waf": "Performance",
- "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
- "id": "C01.02",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "For Personal Host Pool type, select the proper assignment type",
- "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. Automatic is the default setting.",
- "waf": "Operations",
- "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
- "id": "C01.03",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, select the best load balancing method",
- "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
- "waf": "Performance",
- "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
- "id": "C01.04",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
- "description": "The number of cores increase, the system's synchronization overhead also increases. 
Especially for multiple user's sign-in simultaneously. Make sure not to use a VM that is too large for the session host",
- "waf": "Performance",
- "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
- "id": "C01.05",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
- "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
- "waf": "Security",
- "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
- "id": "C01.06",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
- "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.",
- "waf": "Reliability",
- "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
- "id": "C01.07",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of Applications for each Application Group",
- "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
- "waf": "Reliability",
- "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
- "id": "C01.08",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Evaluate the usage of FSLogix for Personal Host Pools",
- "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. 
For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.",
- "waf": "Reliability",
- "guid": "38b19ab6-0693-4992-9394-5590883916ec",
- "id": "C01.09",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
- "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. Ensure a minimum of four cores for Production is selected per Session Host (multi-session)",
- "waf": "Performance",
- "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
- "id": "C01.10",
- "severity": "High",
- "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Verify AVD scalability limits for the environment",
- "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. 
",
- "waf": "Reliability",
- "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
- "id": "C01.11",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Determine if Session Hosts will require GPU",
- "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
- "waf": "Performance",
- "guid": "c936667e-13c0-4056-94b1-e945a459837e",
- "id": "C01.12",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu"
- },
- {
- "category": "Foundation",
- "subcategory": "Capacity Planning",
- "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
- "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
- "waf": "Performance",
- "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
- "id": "C01.13",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
- },
- {
- "category": "Foundation",
- "subcategory": "Clients & Users",
- "text": "Assess how many users will connect to AVD and from which regions",
- "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. 
Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
- "waf": "Performance",
- "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
- "id": "C02.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
- },
- {
- "category": "Foundation",
- "subcategory": "Clients & Users",
- "text": "Assess external dependencies for each Host Pool",
- "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.",
- "waf": "Performance",
- "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
- "id": "C02.02",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json"
- },
- {
- "category": "Foundation",
- "subcategory": "Clients & Users",
- "text": "Review user client OS used and AVD client type",
- "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). 
Review limitations of each client and compare multiple options when possible.",
- "waf": "Performance",
- "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
- "id": "C02.03",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows"
- },
- {
- "category": "Foundation",
- "subcategory": "Clients & Users",
- "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
- "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. Beyond 150ms latency, user experience may be not optimal.",
- "waf": "Performance",
- "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
- "id": "C02.04",
- "severity": "High",
- "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/"
- },
- {
- "category": "Foundation",
- "subcategory": "Clients & Users",
- "text": "Assess and document RDP settings for all user groups",
- "description": "RDP settings can currently only be configured at the host pool level, not per user/group. 
If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
- "waf": "Security",
- "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
- "id": "C02.05",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties"
- },
- {
- "category": "Foundation",
- "subcategory": "General",
- "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
- "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.",
- "waf": "Performance",
- "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
- "id": "C03.01",
- "severity": "High",
- "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop"
- },
- {
- "category": "Foundation",
- "subcategory": "General",
- "text": "Determine metadata location for AVD service",
- "description": "AVD must store metadata to support the service; this is stored in the specified geography. 
However, this is independent of the regions where Host Pools are located.",
- "waf": "Reliability",
- "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
- "id": "C03.02",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations"
- },
- {
- "category": "Foundation",
- "subcategory": "General",
- "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions",
- "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
- "waf": "Reliability",
- "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
- "id": "C03.03",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
- },
- {
- "category": "Identity",
- "subcategory": "Active Directory",
- "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool",
- "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. As alternative, on-premise connectivity must be used to reach AD DCs.",
- "waf": "Reliability",
- "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
- "id": "D01.01",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain"
- },
- {
- "category": "Identity",
- "subcategory": "Active Directory",
- "text": "Create a specific OU in Active Directory for each Host Pool",
- "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. 
", - "waf": "Operations", - "guid": "6db55f57-9603-4334-adf9-cc23418db612", - "id": "D01.02", - "severity": "Medium", - "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace" - }, - { - "category": "Identity", - "subcategory": "Active Directory", - "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities", - "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ", - "waf": "Operations", - "guid": "7126504b-b47a-4393-a080-327294798b15", - "id": "D01.03", - "severity": "Medium", - "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy" - }, - { - "category": "Identity", - "subcategory": "Active Directory", - "text": "Configure FSLogix settings using the built-in provided GPO ADMX template", - "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column", - "waf": "Operations", - "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f", - "id": "D01.04", - "severity": "Medium", - "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates" - }, - { - "category": "Identity", - "subcategory": "Active Directory", - "text": "Create a dedicated user account with only permissions to join VM to the domain", - "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. 
Review the companion article for more details.",
- "waf": "Security",
- "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
- "id": "D01.05",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts"
- },
- {
- "category": "Identity",
- "subcategory": "Active Directory",
- "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)",
- "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). ",
- "waf": "Security",
- "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
- "id": "D01.06",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups"
- },
- {
- "category": "Identity",
- "subcategory": "Active Directory",
- "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration",
- "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
- "waf": "Security",
- "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
- "id": "D01.07",
- "severity": "High",
- "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable"
- },
- {
- "category": "Identity",
- "subcategory": "Active Directory",
- "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID",
- "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
- "waf": "Reliability",
- "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
- "id": "D01.08",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity"
- },
- {
- "category": "Identity",
- "subcategory": "Microsoft Entra ID",
- "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario",
- "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. 
This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.",
- "waf": "Security",
- "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338",
- "id": "D02.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable"
- },
- {
- "category": "Identity",
- "subcategory": "Requirements",
- "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked",
- "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.",
- "waf": "Reliability",
- "guid": "6ceb5443-5125-4922-9442-93bb628537a5",
- "id": "D03.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity"
- },
- {
- "category": "Identity",
- "subcategory": "Requirements",
- "text": "Review and document your identity scenario",
- "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. 
Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
- "waf": "Security",
- "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c",
- "id": "D03.02",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication"
- },
- {
- "category": "Identity",
- "subcategory": "Requirements",
- "text": "Assess User Account types and requirements",
- "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. External identities (B2B or B2C) are not supported.",
- "waf": "Security",
- "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
- "id": "D03.03",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios"
- },
- {
- "category": "Identity",
- "subcategory": "Requirements",
- "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites",
- "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. 
Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.",
- "waf": "Reliability",
- "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4",
- "id": "D03.04",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso"
- },
- {
- "category": "Identity",
- "subcategory": "Requirements",
- "text": "Select the proper AVD Session Host domain join type",
- "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. Be sure to review supported scenarios, limitations and requirements from the referenced article.",
- "waf": "Security",
- "guid": "ea962a15-9394-46da-a7cc-3923266b2258",
- "id": "D03.05",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios"
- },
- {
- "category": "Identity",
- "subcategory": "Requirements",
- "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.",
- "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)",
- "waf": "Reliability",
- "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
- "id": "D03.06",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Use built-in provided administrative templates for AVD settings configuration",
- "description": "AVD provides administrative templates for Intune and Active Directory GPO. 
Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.",
- "waf": "Operations",
- "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2",
- "id": "E01.01",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Plan AVD Session Hosts configuration management strategy",
- "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.",
- "waf": "Operations",
- "guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
- "id": "E01.02",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/management"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Evaluate Intune for AVD Session Hosts management",
- "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. 
In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.",
- "waf": "Operations",
- "guid": "63a08be1-6004-4b4a-a79b-f3239faae113",
- "id": "E01.03",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Assess the requirements for host pool auto-scaling capability",
- "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. Not available yet for Personal Host Pool type.",
- "waf": "Reliability",
- "guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
- "id": "E01.04",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Consider the usage of Start VM on Connect for Personal Host Pools",
- "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. 
Start VM on Connect is a host pool wide setting.",
- "waf": "Cost",
- "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc",
- "id": "E01.05",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts",
- "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.",
- "waf": "Cost",
- "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb",
- "id": "E01.06",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop",
- "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. 
", - "waf": "Cost", - "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", - "id": "E01.07", - "severity": "Low", - "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources" - }, - { - "category": "Monitoring and Management", - "subcategory": "Management", - "text": "Periodically check Azure Advisor recommendations for AVD", - "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.", - "waf": "Operations", - "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", - "id": "E01.08", - "severity": "Low", - "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations" - }, - { - "category": "Monitoring and Management", - "subcategory": "Management", - "text": "Plan for a Session Host emergency patching and update strategy", - "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. 
Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.",
- "waf": "Operations",
- "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
- "id": "E01.09",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Configure the Scheduled Agent Updates feature",
- "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.",
- "waf": "Reliability",
- "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f",
- "id": "E01.10",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Create a validation (canary) Host Pool",
- "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. 
This allows you to monitor service updates before the service applies them to your standard or non-validation environment.",
- "waf": "Operations",
- "guid": "d1e8c38e-c936-4667-913c-005674b1e944",
- "id": "E01.11",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Determine Host Pool deployment strategy",
- "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.",
- "waf": "Operations",
- "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48",
- "id": "E01.12",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Management",
- "text": "Turn on Session Host VMs at least every 90 days for token refresh",
- "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.",
- "waf": "Operations",
- "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
- "id": "E01.13",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/faq"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Monitoring",
- "text": "Enable monitoring for AVD",
- "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.",
- "waf": "Reliability",
- "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
- "id": "E02.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/insights"
- },
- {
- "category": "Monitoring and Management",
- "subcategory": "Monitoring",
- "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace",
- "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. 
", - "waf": "Reliability", - "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", - "id": "E02.02", - "severity": "Medium", - "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics" - }, - { - "category": "Monitoring and Management", - "subcategory": "Monitoring", - "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", - "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ", - "waf": "Reliability", - "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", - "id": "E02.03", - "severity": "Medium", - "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal" - }, - { - "category": "Monitoring and Management", - "subcategory": "Monitoring", - "text": "Configure Azure Service Health for AVD alerts ", - "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", - "waf": "Reliability", - "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", - "id": "E02.04", - "severity": "Medium", - "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts" - }, - { - "category": "Networking", - "subcategory": "Networking", - "text": "Determine if hybrid connectivity is required to connect to on-premises environment", - "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). 
", - "waf": "Reliability", - "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", - "id": "F01.01", - "severity": "Medium", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/" - }, - { - "category": "Networking", - "subcategory": "Networking", - "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", - "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", - "waf": "Performance", - "guid": "c8639648-a652-4d6c-85e5-02965388e5de", - "id": "F01.02", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity" - }, - { - "category": "Networking", - "subcategory": "Networking", - "text": "Assess which on-premises resources are required from AVD Host Pools", - "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. ", - "waf": "Reliability", - "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", - "id": "F01.03", - "severity": "Medium", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/" - }, - { - "category": "Networking", - "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", - "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. 
Forced Tunneling to on-premises is not recommended.",
- "waf": "Security",
- "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
- "id": "F01.04",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
- },
- {
- "category": "Networking",
- "subcategory": "Networking",
- "text": "Ensure AVD control plane endpoints are accessible",
- "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. Forced Tunneling to on-premises is not recommended.",
- "waf": "Reliability",
- "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
- "id": "F01.05",
- "severity": "High",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list"
- },
- {
- "category": "Networking",
- "subcategory": "Networking",
- "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ",
- "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.",
- "waf": "Security",
- "guid": "73676ae4-6691-4e88-95ad-a42223e13810",
- "id": "F01.06",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide"
- },
- {
- "category": "Networking",
- "subcategory": "Networking",
- "text": "Review custom UDR and NSG for AVD Host Pool subnets",
- "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. 
Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.",
- "waf": "Security",
- "guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
- "id": "F01.07",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
- },
- {
- "category": "Networking",
- "subcategory": "Networking",
- "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic",
- "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. For details and guidelines, please see the companion article in the 'More Info' column.",
- "waf": "Reliability",
- "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af",
- "id": "F01.08",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support"
- },
- {
- "category": "Networking",
- "subcategory": "Networking",
- "text": "Check the network bandwidth required for each user and in total for the VM SKU",
- "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. 
",
- "waf": "Performance",
- "guid": "516785c6-fa96-4c96-ad88-408f372734c8",
- "id": "F01.09",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth"
- },
- {
- "category": "Networking",
- "subcategory": "Networking",
- "text": "Evaluate usage Private Endpoint for Azure Files share",
- "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. If PE will not be used, at least Service Endpoint is recommended (no cost associated).",
- "waf": "Security",
- "guid": "ec27d589-9178-426d-8df2-ff60020f30a6",
- "id": "F01.10",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints"
- },
- {
- "category": "Networking",
- "subcategory": "Networking",
- "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks",
- "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. 
if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.",
- "waf": "Performance",
- "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
- "id": "F01.11",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath"
- },
- {
- "category": "Security",
- "subcategory": "Active Directory",
- "text": "Review Active Directory GPO to secure RDP sessions",
- "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.",
- "waf": "Security",
- "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
- "id": "G01.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies"
- },
- {
- "category": "Security",
- "subcategory": "Host Configuration",
- "text": "Ensure anti-virus and anti-malware solutions are used",
- "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. 
Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
- "waf": "Security",
- "guid": "b1172576-9ef6-4691-a483-5ac932223ece",
- "id": "G02.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus"
- },
- {
- "category": "Security",
- "subcategory": "Host Configuration",
- "text": "Assess disk encryption requirements for AVD Session Hosts",
- "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
- "waf": "Security",
- "guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
- "id": "G02.02",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview"
- },
- {
- "category": "Security",
- "subcategory": "Host Configuration",
- "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts",
- "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. 
Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.",
- "waf": "Security",
- "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
- "id": "G02.03",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch"
- },
- {
- "category": "Security",
- "subcategory": "Host Configuration",
- "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11",
- "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.",
- "waf": "Security",
- "guid": "135d3899-4b31-44d3-bc8f-028871a359d8",
- "id": "G02.04",
- "severity": "High",
- "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements"
- },
- {
- "category": "Security",
- "subcategory": "Host Configuration",
- "text": "Consider enabling screen capture protection to prevent sensitive information from being captured",
- "description": "Displayed content will be automatically blocked or hidden in screenshots. Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.",
- "waf": "Security",
- "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6",
- "id": "G02.05",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection"
- },
- {
- "category": "Security",
- "subcategory": "Host Configuration",
- "text": "Restrict device redirection and drive mapping",
- "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. 
Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.",
- "waf": "Security",
- "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a",
- "id": "G02.06",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts"
- },
- {
- "category": "Security",
- "subcategory": "Management",
- "text": "When possible, prefer Remote Apps over Full Desktops (DAG)",
- "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.",
- "waf": "Security",
- "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973",
- "id": "G03.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview"
- },
- {
- "category": "Security",
- "subcategory": "Management",
- "text": "Need to control/restrict user Internet navigation from AVD session hosts?",
- "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.",
- "waf": "Security",
- "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f",
- "id": "G03.02",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview"
- },
- {
- "category": "Security",
- "subcategory": "Management",
- "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts",
- "description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities.",
- "waf": "Security",
- "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
- "id": "G03.03",
- "severity": "High",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
- },
- {
- "category": "Security",
- "subcategory": "Management",
- "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture",
- "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.",
- "waf": "Security",
- "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
- "id": "G03.04",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud"
- },
- {
- "category": "Security",
- "subcategory": "Management",
- "text": "Enable diagnostic and audit logging",
- "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. 
",
- "waf": "Security",
- "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
- "id": "G03.05",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs"
- },
- {
- "category": "Security",
- "subcategory": "Management",
- "text": "Assess the requirement to use custom RBAC roles for AVD management",
- "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.",
- "waf": "Security",
- "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
- "id": "G03.06",
- "severity": "Low",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac"
- },
- {
- "category": "Security",
- "subcategory": "Management",
- "text": "Restrict users from installing un-authorized applications",
- "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. ",
- "waf": "Security",
- "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284",
- "id": "G03.07",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control"
- },
- {
- "category": "Security",
- "subcategory": "Microsoft Entra ID",
- "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users",
- "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. 
When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
- "waf": "Security",
- "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
- "id": "G04.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa"
- },
- {
- "category": "Security",
- "subcategory": "Zero Trust",
- "text": "Review and Apply Zero Trust principles and guidance",
- "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.",
- "waf": "Security",
- "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43",
- "id": "G05.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd"
- },
- {
- "category": "Storage",
- "subcategory": "Azure Files",
- "text": "Check best-practices for Azure Files",
- "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.",
- "waf": "Performance",
- "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
- "id": "H01.01",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop"
- },
- {
- "category": "Storage",
- "subcategory": "Azure Files",
- "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.",
- "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.",
- "waf": "Performance",
- "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369",
- "id": "H01.02",
- "severity": "Low",
- "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance"
- },
- {
- "category": "Storage",
- "subcategory": "Azure NetApp Files",
- "text": "If NetApp Files storage is required, check storage service availability in your specific region.",
- "description": "If a second region is required for DR purposes verify NetApp availability in there as well.",
- "waf": "Reliability",
- "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3",
- "id": "H02.01",
- "severity": "Medium",
- "link": "https://azure.microsoft.com/global-infrastructure/services/"
- },
- {
- "category": "Storage",
- "subcategory": "Azure NetApp Files",
- "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency",
- "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.",
- "waf": "Reliability",
- "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024",
- "id": "H02.02",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container"
- },
- {
- "category": "Storage",
- "subcategory": "Azure NetApp Files",
- "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration",
- "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.",
- "waf": "Reliability",
- "guid": "6647e977-db49-48a8-bc35-743f17499d42",
- "id": "H02.03",
- "severity": "High",
- "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections"
- },
- {
- "category": "Storage",
- "subcategory": "Capacity Planning",
- "text": "Determine which type of managed disk will be used for the Session Hosts",
- "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. ",
- "waf": "Performance",
- "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
- "id": "H03.01",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types"
- },
- {
- "category": "Storage",
- "subcategory": "Capacity Planning",
- "text": "Determine which storage backend solution will be used for FSLogix Profiles",
- "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. For a detailed comparison see the article in the 'More Info' column.",
- "waf": "Performance",
- "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
- "id": "H03.02",
- "severity": "High",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
- },
- {
- "category": "Storage",
- "subcategory": "Capacity Planning",
- "text": "Do not share storage and profiles between different Host Pools",
- "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. 
Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.",
- "waf": "Performance",
- "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4",
- "id": "H03.03",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
- },
- {
- "category": "Storage",
- "subcategory": "Capacity Planning",
- "text": "Verify storage scalability limits and Host Pool requirements",
- "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. Multiple storage accounts can be used for the same Host Pool if required.",
- "waf": "Reliability",
- "guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
- "id": "H03.04",
- "severity": "High",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-"
- },
- {
- "category": "Storage",
- "subcategory": "Capacity Planning",
- "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.",
- "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.",
- "waf": "Performance",
- "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
- "id": "H03.05",
- "severity": "High",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files"
- },
- {
- "category": "Storage",
- "subcategory": "FSLogix",
- "text": "Do not use Office Containers (ODFC) if not strictly required and justified",
- "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery 
(BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
- "waf": "Reliability",
- "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
- "id": "H04.01",
- "severity": "High",
- "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers"
- },
- {
- "category": "Storage",
- "subcategory": "FSLogix",
- "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).",
- "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.",
- "waf": "Security",
- "guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
- "id": "H04.02",
- "severity": "Medium",
- "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions"
- },
- {
- "category": "Storage",
- "subcategory": "FSLogix",
- "text": "Review and confirm configured maximum profile size in FSLogix",
- "description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.",
- "waf": "Cost",
- "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
- "id": "H04.03",
- "severity": "High",
- "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference"
- },
- {
- "category": "Storage",
- "subcategory": "FSLogix",
- "text": "Review FSLogix registry keys and determine which ones to apply",
- "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. 
If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.",
- "waf": "Reliability",
- "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
- "id": "H04.04",
- "severity": "High",
- "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples"
- },
- {
- "category": "Storage",
- "subcategory": "FSLogix",
- "text": "Avoid usage of concurrent or multiple connections",
- "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. For multiple connections, usage of the same profile disk is not recommended.",
- "waf": "Reliability",
- "guid": "5e985b85-9c77-43e7-b261-623b775a917e",
- "id": "H04.05",
- "severity": "High",
- "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections"
- },
- {
- "category": "Storage",
- "subcategory": "FSLogix",
- "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.",
- "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. 
",
- "waf": "Performance",
- "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
- "id": "H04.06",
- "severity": "Low",
- "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference"
- },
- {
- "category": "Storage",
- "subcategory": "FSLogix",
- "text": "Review the usage of FSLogix redirection.",
- "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. Configuring exclusions may impact functionality, stability and performance.",
- "waf": "Cost",
- "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
- "id": "H04.07",
- "severity": "Medium",
- "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml"
- }
- ],
- "categories": [
- {
- "name": "Foundation"
- },
- {
- "name": "Identity"
- },
- {
- "name": "Compute"
- },
- {
- "name": "Networking"
- },
- {
- "name": "Storage"
- },
- {
- "name": "Monitoring and Management"
- },
- {
- "name": "Security"
- },
- {
- "name": "Business Continuity and Disaster Recovery"
- }
- ],
- "waf": [
- {
- "name": "Reliability"
- },
- {
- "name": "Security"
- },
- {
- "name": "Cost"
- },
- {
- "name": "Operations"
- },
- {
- "name": "Performance"
- }
- ],
- "yesno": [
- {
- "name": "Yes"
- },
- {
- "name": "No"
- }
- ],
- "status": [
- {
- "name": "Not verified",
- "description": "This check has not been looked at yet"
- },
- {
- "name": "Open",
- "description": "There is an action item associated to this check"
- },
- {
- "name": "Fulfilled",
- "description": "This check has been verified, and there are no further action items associated to it"
- },
- {
- "name": "Not required",
- "description": "Recommendation understood, but not needed by current requirements"
- },
- {
- "name": "N/A",
- "description": "Not applicable for current design"
- }
- ],
- "severities": [
- {
- "name": "High"
- },
- {
- "name": "Medium"
- },
- {
- "name": "Low"
- }
- ],
- "metadata": {
- "name": "Azure Virtual Desktop Review",
- "state": "GA",
- "timestamp": "November 06, 2023"
- }
-}
+{
+ "items": [
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Compute",
+ "text": "Determine the expected High Availability SLA for applications/desktops published through AVD",
+ "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.",
+ "waf": "Reliability",
+ "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
+ "id": "A01.01",
+ "severity": "High",
+ "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Compute",
+ "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools",
+ "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. 
For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.",
+ "waf": "Reliability",
+ "guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
+ "id": "A01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Compute",
+ "text": "Separate critical applications in different AVD Host Pools",
+ "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.",
+ "waf": "Reliability",
+ "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
+ "id": "A01.03",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Compute",
+ "text": "Plan the best resiliency option for AVD Host Pool deployment",
+ "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.",
+ "waf": "Reliability",
+ "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
+ "id": "A01.04",
+ "severity": "High",
+ "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Compute",
+ "text": "Assess the requirement to backup AVD Session Host VMs",
+ "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.",
+ "waf": "Reliability",
+ "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
+ "id": "A01.05",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Compute",
+ "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts",
+ "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. 
All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.",
+ "waf": "Reliability",
+ "guid": "5da58639-ca3a-4961-890b-29663c5e10d",
+ "id": "A01.06",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Dependencies",
+ "text": "Plan for Golden Image cross-region availability",
+ "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.",
+ "waf": "Reliability",
+ "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
+ "id": "A02.01",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Dependencies",
+ "text": "Assess Infrastructure & Application dependencies ",
+ "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. 
BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.",
+ "waf": "Reliability",
+ "guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
+ "id": "A02.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Storage",
+ "text": "Assess which data need to be protected in the Profile and Office Containers",
+ "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).",
+ "waf": "Reliability",
+ "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
+ "id": "A03.01",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Storage",
+ "text": "Build a backup protection strategy for Profile and Office Containers",
+ "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).",
+ "waf": "Reliability",
+ "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
+ "id": "A03.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Storage",
+ "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose",
+ "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. 
[Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.",
+ "waf": "Reliability",
+ "guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
+ "id": "A03.03",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Storage",
+ "text": "Review Azure Files disaster recovery strategy",
+ "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.",
+ "waf": "Reliability",
+ "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
+ "id": "A03.04",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/backup/backup-afs"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Storage",
+ "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency",
+ "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. 
",
+ "waf": "Reliability",
+ "guid": "10d4e875-d502-4142-a795-f2b6eff34f88",
+ "id": "A03.05",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": "Storage",
+ "text": "Review Azure NetApp Files disaster recovery strategy",
+ "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.",
+ "waf": "Reliability",
+ "guid": "23429db7-2281-4376-85cc-57b4a4b18142",
+ "id": "A03.06",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Determine how applications will be deployed in AVD Host Pools",
+ "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.",
+ "waf": "Operations",
+ "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
+ "id": "B01.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Estimate the number of golden images that will be required",
+ "description": "Multiple golden images can be 
required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.",
+ "waf": "Operations",
+ "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
+ "id": "B01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Determine which OS image/s you will use for Host Pool deployment",
+ "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. Custom images",
+ "waf": "Reliability",
+ "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
+ "id": "B01.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Select the proper store for custom images",
+ "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. The recommended way is to use Azure Compute Gallery.",
+ "waf": "Reliability",
+ "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
+ "id": "B01.04",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Design your build process for custom images",
+ "description": "If custom images will be used, plan for an automated build process. 
If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.",
+ "waf": "Operations",
+ "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
+ "id": "B01.05",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image",
+ "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.",
+ "waf": "Operations",
+ "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
+ "id": "B01.06",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Include the latest version of FSLogix in the golden image update process",
+ "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.",
+ "waf": "Reliability",
+ "guid": "ed5c9027-dd1a-4343-86ca-52b199223186",
+ "id": "B01.07",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool",
+ "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. 
",
+ "waf": "Performance",
+ "guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
+ "id": "B01.08",
+ "severity": "Low",
+ "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Determine if Microsoft OneDrive will be part of AVD deployment",
+ "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. OneDrive today is not supported for Remote Apps.",
+ "waf": "Operations",
+ "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
+ "id": "B01.09",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Determine if Microsoft Teams will be part of AVD deployment",
+ "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.",
+ "waf": "Performance",
+ "guid": "b5887953-5d22-4788-9d30-b66c67be5951",
+ "id": "B01.10",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Golden Images",
+ "text": "Assess the requirement to support multiple languages",
+ "description": "AVD can support users with different language and localization requirements in the same host pool. 
This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.",
+ "waf": "Reliability",
+ "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a",
+ "id": "B01.11",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Do not use the same storage account/share as FSLogix profiles",
+ "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ",
+ "waf": "Performance",
+ "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
+ "id": "B02.01",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Review performance considerations for MSIX",
+ "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.",
+ "waf": "Performance",
+ "guid": "241addce-5793-477b-adb3-751ab2ac1fad",
+ "id": "B02.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Check proper session host permissions for MSIX share",
+ "description": "MSIX app attach requires read-only permissions to access the file share. 
If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.",
+ "waf": "Security",
+ "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
+ "id": "B02.03",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "MSIX & AppAttach",
+ "text": "MSIX packages for 3rd-party applications",
+ "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.",
+ "waf": "Cost",
+ "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
+ "id": "B02.04",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Disable auto-update for MSIX packages",
+ "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.",
+ "waf": "Operations",
+ "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
+ "id": "B02.05",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Review operating systems support",
+ "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.",
+ "waf": "Reliability",
+ "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
+ "id": "B02.06",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Session Host",
+ "text": "Evaluate the usage of Gen2 VM for 
Host Pool deployment",
+ "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.",
+ "waf": "Performance",
+ "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
+ "id": "B03.01",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2"
+ },
+ {
+ "category": "Compute",
+ "subcategory": "Session Host",
+ "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser",
+ "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.",
+ "waf": "Performance",
+ "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
+ "id": "B03.02",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Determine the Host Pool type to use",
+ "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.",
+ "waf": "Cost",
+ "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
+ "id": "C01.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of different Host Pools to deploy ",
+ "description": "Use your design criteria to determine the number of Host Pools to deploy. 
This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). These will determine the number of host pools as well as how many hosts will be in each pool.",
+ "waf": "Performance",
+ "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
+ "id": "C01.02",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "For Personal Host Pool type, select the proper assignment type",
+ "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. Automatic is the default setting.",
+ "waf": "Operations",
+ "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
+ "id": "C01.03",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "For Pooled Host Pool type, select the best load balancing method",
+ "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
+ "waf": "Performance",
+ "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
+ "id": "C01.04",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
+ "description": "The number of cores increase, the system's synchronization overhead also increases. 
Especially for multiple user's sign-in simultaneously. Make sure not to use a VM that is too large for the session host",
+ "waf": "Performance",
+ "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
+ "id": "C01.05",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
+ "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
+ "waf": "Security",
+ "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
+ "id": "C01.06",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
+ "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.",
+ "waf": "Reliability",
+ "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
+ "id": "C01.07",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of Applications for each Application Group",
+ "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
+ "waf": "Reliability",
+ "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
+ "id": "C01.08",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Evaluate the usage of FSLogix for Personal Host Pools",
+ "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. 
For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.",
+ "waf": "Reliability",
+ "guid": "38b19ab6-0693-4992-9394-5590883916ec",
+ "id": "C01.09",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
+ "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. Ensure a minimum of four cores for Production is selected per Session Host (multi-session)",
+ "waf": "Performance",
+ "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
+ "id": "C01.10",
+ "severity": "High",
+ "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Verify AVD scalability limits for the environment",
+ "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. 
",
+ "waf": "Reliability",
+ "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
+ "id": "C01.11",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Determine if Session Hosts will require GPU",
+ "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
+ "waf": "Performance",
+ "guid": "c936667e-13c0-4056-94b1-e945a459837e",
+ "id": "C01.12",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Capacity Planning",
+ "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
+ "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
+ "waf": "Performance",
+ "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
+ "id": "C01.13",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Clients & Users",
+ "text": "Assess how many users will connect to AVD and from which regions",
+ "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. 
Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
+ "waf": "Performance",
+ "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
+ "id": "C02.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Clients & Users",
+ "text": "Assess external dependencies for each Host Pool",
+ "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.",
+ "waf": "Performance",
+ "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
+ "id": "C02.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Clients & Users",
+ "text": "Review user client OS used and AVD client type",
+ "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). 
Review limitations of each client and compare multiple options when possible.",
+ "waf": "Performance",
+ "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
+ "id": "C02.03",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Clients & Users",
+ "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
+ "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. Beyond 150ms latency, user experience may be not optimal.",
+ "waf": "Performance",
+ "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
+ "id": "C02.04",
+ "severity": "High",
+ "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "Clients & Users",
+ "text": "Assess and document RDP settings for all user groups",
+ "description": "RDP settings can currently only be configured at the host pool level, not per user/group. 
If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
+ "waf": "Security",
+ "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
+ "id": "C02.05",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "General",
+ "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
+ "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.",
+ "waf": "Performance",
+ "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
+ "id": "C03.01",
+ "severity": "High",
+ "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "General",
+ "text": "Determine metadata location for AVD service",
+ "description": "AVD must store metadata to support the service; this is stored in the specified geography. 
However, this is independent of the regions where Host Pools are located.",
+ "waf": "Reliability",
+ "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
+ "id": "C03.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations"
+ },
+ {
+ "category": "Foundation",
+ "subcategory": "General",
+ "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions",
+ "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
+ "waf": "Reliability",
+ "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
+ "id": "C03.03",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool",
+ "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. As alternative, on-premise connectivity must be used to reach AD DCs.",
+ "waf": "Reliability",
+ "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
+ "id": "D01.01",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "Create a specific OU in Active Directory for each Host Pool",
+ "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. 
",
+ "waf": "Operations",
+ "guid": "6db55f57-9603-4334-adf9-cc23418db612",
+ "id": "D01.02",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities",
+ "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ",
+ "waf": "Operations",
+ "guid": "7126504b-b47a-4393-a080-327294798b15",
+ "id": "D01.03",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "Configure FSLogix settings using the built-in provided GPO ADMX template",
+ "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column",
+ "waf": "Operations",
+ "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
+ "id": "D01.04",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "Create a dedicated user account with only permissions to join VM to the domain",
+ "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. 
Review the companion article for more details.",
+ "waf": "Security",
+ "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
+ "id": "D01.05",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)",
+ "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). ",
+ "waf": "Security",
+ "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
+ "id": "D01.06",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration",
+ "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
+ "waf": "Security",
+ "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
+ "id": "D01.07",
+ "severity": "High",
+ "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Active Directory",
+ "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID",
+ "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
+ "waf": "Reliability",
+ "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
+ "id": "D01.08",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Microsoft Entra ID",
+ "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario",
+ "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. 
This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.",
+ "waf": "Security",
+ "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338",
+ "id": "D02.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Requirements",
+ "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked",
+ "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.",
+ "waf": "Reliability",
+ "guid": "6ceb5443-5125-4922-9442-93bb628537a5",
+ "id": "D03.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Requirements",
+ "text": "Review and document your identity scenario",
+ "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. 
Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
+ "waf": "Security",
+ "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c",
+ "id": "D03.02",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Requirements",
+ "text": "Assess User Account types and requirements",
+ "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. External identities (B2B or B2C) are not supported.",
+ "waf": "Security",
+ "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
+ "id": "D03.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Requirements",
+ "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites",
+ "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. 
Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.",
+ "waf": "Reliability",
+ "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4",
+ "id": "D03.04",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Requirements",
+ "text": "Select the proper AVD Session Host domain join type",
+ "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. Be sure to review supported scenarios, limitations and requirements from the referenced article.",
+ "waf": "Security",
+ "guid": "ea962a15-9394-46da-a7cc-3923266b2258",
+ "id": "D03.05",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios"
+ },
+ {
+ "category": "Identity",
+ "subcategory": "Requirements",
+ "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.",
+ "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)",
+ "waf": "Reliability",
+ "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
+ "id": "D03.06",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Use built-in provided administrative templates for AVD settings configuration",
+ "description": "AVD provides administrative templates for Intune and Active Directory GPO. 
Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.",
+ "waf": "Operations",
+ "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2",
+ "id": "E01.01",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Plan AVD Session Hosts configuration management strategy",
+ "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.",
+ "waf": "Operations",
+ "guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
+ "id": "E01.02",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/management"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Evaluate Intune for AVD Session Hosts management",
+ "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the \u0093More Info\u0094 column. Document your choice in the 'Comment' column. 
In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.",
+ "waf": "Operations",
+ "guid": "63a08be1-6004-4b4a-a79b-f3239faae113",
+ "id": "E01.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Assess the requirements for host pool auto-scaling capability",
+ "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. Not available yet for Personal Host Pool type.",
+ "waf": "Reliability",
+ "guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
+ "id": "E01.04",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Consider the usage of Start VM on Connect for Personal Host Pools",
+ "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. 
Start VM on Connect is a host pool wide setting.",
+ "waf": "Cost",
+ "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc",
+ "id": "E01.05",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts",
+ "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.",
+ "waf": "Cost",
+ "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb",
+ "id": "E01.06",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop",
+ "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. 
", + "waf": "Cost", + "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", + "id": "E01.07", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources" + }, + { + "category": "Monitoring and Management", + "subcategory": "Management", + "text": "Periodically check Azure Advisor recommendations for AVD", + "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.", + "waf": "Operations", + "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", + "id": "E01.08", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations" + }, + { + "category": "Monitoring and Management", + "subcategory": "Management", + "text": "Plan for a Session Host emergency patching and update strategy", + "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. 
Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.",
+ "waf": "Operations",
+ "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
+ "id": "E01.09",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Configure the Scheduled Agent Updates feature",
+ "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.",
+ "waf": "Reliability",
+ "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f",
+ "id": "E01.10",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Create a validation (canary) Host Pool",
+ "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. 
This allows you to monitor service updates before the service applies them to your standard or non-validation environment.",
+ "waf": "Operations",
+ "guid": "d1e8c38e-c936-4667-913c-005674b1e944",
+ "id": "E01.11",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Determine Host Pool deployment strategy",
+ "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.",
+ "waf": "Operations",
+ "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48",
+ "id": "E01.12",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Management",
+ "text": "Turn on Session Host VMs at least every 90 days for token refresh",
+ "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.",
+ "waf": "Operations",
+ "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
+ "id": "E01.13",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/faq"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Monitoring",
+ "text": "Enable monitoring for AVD",
+ "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.",
+ "waf": "Reliability",
+ "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
+ "id": "E02.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/insights"
+ },
+ {
+ "category": "Monitoring and Management",
+ "subcategory": "Monitoring",
+ "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace",
+ "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. 
", + "waf": "Reliability", + "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "id": "E02.02", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics" + }, + { + "category": "Monitoring and Management", + "subcategory": "Monitoring", + "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", + "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ", + "waf": "Reliability", + "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "id": "E02.03", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal" + }, + { + "category": "Monitoring and Management", + "subcategory": "Monitoring", + "text": "Configure Azure Service Health for AVD alerts ", + "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", + "waf": "Reliability", + "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "id": "E02.04", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Determine if hybrid connectivity is required to connect to on-premises environment", + "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). 
", + "waf": "Reliability", + "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "id": "F01.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", + "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", + "waf": "Performance", + "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "id": "F01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Assess which on-premises resources are required from AVD Host Pools", + "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. ", + "waf": "Reliability", + "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "id": "F01.03", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", + "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. 
Forced Tunneling to on-premises is not recommended.",
+ "waf": "Security",
+ "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
+ "id": "F01.04",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
+ },
+ {
+ "category": "Networking",
+ "subcategory": "Networking",
+ "text": "Ensure AVD control plane endpoints are accessible",
+ "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. Forced Tunneling to on-premises is not recommended.",
+ "waf": "Reliability",
+ "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
+ "id": "F01.05",
+ "severity": "High",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list"
+ },
+ {
+ "category": "Networking",
+ "subcategory": "Networking",
+ "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ",
+ "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.",
+ "waf": "Security",
+ "guid": "73676ae4-6691-4e88-95ad-a42223e13810",
+ "id": "F01.06",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide"
+ },
+ {
+ "category": "Networking",
+ "subcategory": "Networking",
+ "text": "Review custom UDR and NSG for AVD Host Pool subnets",
+ "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. 
Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.",
+ "waf": "Security",
+ "guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
+ "id": "F01.07",
+ "severity": "Low",
+ "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
+ },
+ {
+ "category": "Networking",
+ "subcategory": "Networking",
+ "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic",
+ "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. For details and guidelines, please see the companion article in the 'More Info' column.",
+ "waf": "Reliability",
+ "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af",
+ "id": "F01.08",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support"
+ },
+ {
+ "category": "Networking",
+ "subcategory": "Networking",
+ "text": "Check the network bandwidth required for each user and in total for the VM SKU",
+ "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. 
", + "waf": "Performance", + "guid": "516785c6-fa96-4c96-ad88-408f372734c8", + "id": "F01.09", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Evaluate usage Private Endpoint for Azure Files share", + "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. If PE will not be used, at least Service Endpoint is recommended (no cost associated).", + "waf": "Security", + "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "id": "F01.10", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks", + "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. 
if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.",
+ "waf": "Performance",
+ "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
+ "id": "F01.11",
+ "severity": "Medium",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath"
+ },
+ {
+ "category": "Security",
+ "subcategory": "Active Directory",
+ "text": "Review Active Directory GPO to secure RDP sessions",
+ "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.",
+ "waf": "Security",
+ "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
+ "id": "G01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies"
+ },
+ {
+ "category": "Security",
+ "subcategory": "Host Configuration",
+ "text": "Ensure anti-virus and anti-malware solutions are used",
+ "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. 
Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
+ "waf": "Security",
+ "guid": "b1172576-9ef6-4691-a483-5ac932223ece",
+ "id": "G02.01",
+ "severity": "High",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus"
+ },
+ {
+ "category": "Security",
+ "subcategory": "Host Configuration",
+ "text": "Assess disk encryption requirements for AVD Session Hosts",
+ "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
+ "waf": "Security",
+ "guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
+ "id": "G02.02",
+ "severity": "Low",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview"
+ },
+ {
+ "category": "Security",
+ "subcategory": "Host Configuration",
+ "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts",
+ "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against \u0093bottom of the stack\u0094 threats through attack vectors such as rootkits, boot kits, and kernel-level malware. 
Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.", + "waf": "Security", + "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", + "id": "G02.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch" + }, + { + "category": "Security", + "subcategory": "Host Configuration", + "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11", + "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.", + "waf": "Security", + "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", + "id": "G02.04", + "severity": "High", + "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements" + }, + { + "category": "Security", + "subcategory": "Host Configuration", + "text": "Consider enabling screen capture protection to prevent sensitive information from being captured", + "description": "Displayed content will be automatically blocked or hidden in screenshots. Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.", + "waf": "Security", + "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", + "id": "G02.05", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection" + }, + { + "category": "Security", + "subcategory": "Host Configuration", + "text": "Restrict device redirection and drive mapping", + "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. 
Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.", + "waf": "Security", + "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", + "id": "G02.06", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts" + }, + { + "category": "Security", + "subcategory": "Management", + "text": "When possible, prefer Remote Apps over Full Desktops (DAG)", + "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.", + "waf": "Security", + "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", + "id": "G03.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview" + }, + { + "category": "Security", + "subcategory": "Management", + "text": "Need to control/restrict user Internet navigation from AVD session hosts?", + "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.", + "waf": "Security", + "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "id": "G03.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview" + }, + { + "category": "Security", + "subcategory": "Management", + "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts", + "description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities.", + "waf": "Security", + "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "id": "G03.03", + "severity": "High", + "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide" + }, + { + "category": "Security", + "subcategory": "Management", + "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture", + "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", + "waf": "Security", + "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "id": "G03.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud" + }, + { + "category": "Security", + "subcategory": "Management", + "text": "Enable diagnostic and audit logging", + "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. 
", + "waf": "Security", + "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "id": "G03.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs" + }, + { + "category": "Security", + "subcategory": "Management", + "text": "Assess the requirement to use custom RBAC roles for AVD management", + "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.", + "waf": "Security", + "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", + "id": "G03.06", + "severity": "Low", + "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac" + }, + { + "category": "Security", + "subcategory": "Management", + "text": "Restrict users from installing un-authorized applications", + "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. ", + "waf": "Security", + "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", + "id": "G03.07", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control" + }, + { + "category": "Security", + "subcategory": "Microsoft Entra ID", + "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users", + "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. 
When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", + "waf": "Security", + "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", + "id": "G04.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa" + }, + { + "category": "Security", + "subcategory": "Zero Trust", + "text": "Review and Apply Zero Trust principles and guidance", + "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.", + "waf": "Security", + "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", + "id": "G05.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd" + }, + { + "category": "Storage", + "subcategory": "Azure Files", + "text": "Check best-practices for Azure Files", + "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.", + "waf": "Performance", + "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", + "id": "H01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop" + }, + { + "category": "Storage", + "subcategory": "Azure Files", + "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.", + "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.", + "waf": "Performance", + "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", + "id": "H01.02", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance" + }, + { + "category": "Storage", + "subcategory": "Azure NetApp Files", + "text": "If NetApp Files storage is required, check storage service availability in your specific region.", + "description": "If a second region is required for DR purposes verify NetApp availability in there as well.", + "waf": "Reliability", + "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", + "id": "H02.01", + "severity": "Medium", + "link": "https://azure.microsoft.com/global-infrastructure/services/" + }, + { + "category": "Storage", + "subcategory": "Azure NetApp Files", + "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency", + "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.", + "waf": "Reliability", + "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", + "id": "H02.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container" + }, + { + "category": "Storage", + "subcategory": "Azure NetApp Files", + "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration", + "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.", + "waf": "Reliability", + 
"guid": "6647e977-db49-48a8-bc35-743f17499d42", + "id": "H02.03", + "severity": "High", + "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections" + }, + { + "category": "Storage", + "subcategory": "Capacity Planning", + "text": "Determine which type of managed disk will be used for the Session Hosts", + "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. ", + "waf": "Performance", + "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", + "id": "H03.01", + "severity": "Medium", + "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types" + }, + { + "category": "Storage", + "subcategory": "Capacity Planning", + "text": "Determine which storage backend solution will be used for FSLogix Profiles", + "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. For a detailed comparison see the article in the 'More Info' column.", + "waf": "Performance", + "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", + "id": "H03.02", + "severity": "High", + "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile" + }, + { + "category": "Storage", + "subcategory": "Capacity Planning", + "text": "Do not share storage and profiles between different Host Pools", + "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. 
Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.", + "waf": "Performance", + "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", + "id": "H03.03", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile" + }, + { + "category": "Storage", + "subcategory": "Capacity Planning", + "text": "Verify storage scalability limits and Host Pool requirements", + "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. Multiple storage accounts can be used for the same Host Pool if required.", + "waf": "Reliability", + "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "id": "H03.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-" + }, + { + "category": "Storage", + "subcategory": "Capacity Planning", + "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.", + "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.", + "waf": "Performance", + "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "id": "H03.05", + "severity": "High", + "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files" + }, + { + "category": "Storage", + "subcategory": "FSLogix", + "text": "Do not use Office Containers (ODFC) if not strictly required and justified", + "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery 
(BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", + "waf": "Reliability", + "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "id": "H04.01", + "severity": "High", + "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers" + }, + { + "category": "Storage", + "subcategory": "FSLogix", + "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).", + "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.", + "waf": "Security", + "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "id": "H04.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions" + }, + { + "category": "Storage", + "subcategory": "FSLogix", + "text": "Review and confirm configured maximum profile size in FSLogix", + "description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.", + "waf": "Cost", + "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "id": "H04.03", + "severity": "High", + "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference" + }, + { + "category": "Storage", + "subcategory": "FSLogix", + "text": "Review FSLogix registry keys and determine which ones to apply", + "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. 
If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.", + "waf": "Reliability", + "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "id": "H04.04", + "severity": "High", + "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples" + }, + { + "category": "Storage", + "subcategory": "FSLogix", + "text": "Avoid usage of concurrent or multiple connections", + "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. For multiple connections, usage of the same profile disk is not recommended.", + "waf": "Reliability", + "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "id": "H04.05", + "severity": "High", + "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections" + }, + { + "category": "Storage", + "subcategory": "FSLogix", + "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", + "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. 
", + "waf": "Performance", + "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "id": "H04.06", + "severity": "Low", + "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference" + }, + { + "category": "Storage", + "subcategory": "FSLogix", + "text": "Review the usage of FSLogix redirection.", + "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. Configuring exclusions may impact functionality, stability and performance.", + "waf": "Cost", + "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", + "id": "H04.07", + "severity": "Medium", + "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml" + } + ], + "categories": [ + { + "name": "Foundation" + }, + { + "name": "Identity" + }, + { + "name": "Compute" + }, + { + "name": "Networking" + }, + { + "name": "Storage" + }, + { + "name": "Monitoring and Management" + }, + { + "name": "Security" + }, + { + "name": "Business Continuity and Disaster Recovery" + } + ], + "waf": [ + { + "name": "Reliability" + }, + { + "name": "Security" + }, + { + "name": "Cost" + }, + { + "name": "Operations" + }, + { + "name": "Performance" + } + ], + "yesno": [ + { + "name": "Yes" + }, + { + "name": "No" + } + ], + "status": [ + { + "name": "Not verified", + "description": "This check has not been looked at yet" + }, + { + "name": "Open", + "description": "There is an action item associated to this check" + }, + { + "name": "Fulfilled", + "description": "This check has been verified, and there are no further action items associated to it" + }, + { + "name": "Not required", + "description": "Recommendation understood, but not needed by current requirements" + 
},
+ {
+ "name": "N/A",
+ "description": "Not applicable for current design"
+ }
+ ],
+ "severities": [
+ {
+ "name": "High"
+ },
+ {
+ "name": "Medium"
+ },
+ {
+ "name": "Low"
+ }
+ ],
+ "metadata": {
+ "name": "Azure Virtual Desktop Review",
+ "state": "GA",
+ "timestamp": "November 09, 2023"
+ }
+}
\ No newline at end of file
diff --git a/checklists/avd_checklist.es.json b/checklists/avd_checklist.es.json
index 3db59c6dc..d26464379 100644
--- a/checklists/avd_checklist.es.json
+++ b/checklists/avd_checklist.es.json
@@ -1,5 +1,4 @@
 {
- "$schema": "checklist.schema.json",
 "categories": [
 {
 "name": "Fundación"
@@ -17,7 +16,7 @@
 "name": "Almacenamiento"
 },
 {
- "name": "Monitoreo y Gestión"
+ "name": "Seguimiento y gestión"
 },
 {
 "name": "Seguridad"
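Review bot: Removing `"$schema": "checklist.schema.json"` from the head of avd_checklist.es.json drops the file's only pointer to its schema, so editors and any schema-driven validation step stop checking this file's shape (required keys, the `guid`/`id`/`severity` formats) while the item list below keeps growing. The English file in this same commit shows why that matters: its new content carries `"guid": "221102d0-90af-49fc-b2b7-8d3fe397e43"`, a 35-character value with an 11-digit last group, and the Spanish context line `"guid": "5da58639-ca3a-4961-890b-29663c5e10d"` has the same shape — exactly the kind of defect a schema with a `pattern` on `guid` would flag. If the reference was removed because the relative path no longer resolves from this directory, correcting the path is the better fix than deleting the key; otherwise keep the line `"$schema": "checklist.schema.json",` as it was.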
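Review bot: The category entry renamed from `Monitoreo y Gestión` to `Seguimiento y gestión` is presumably matched by string value against each item's `category` field, so any item that still says `Monitoreo y Gestión` would no longer belong to a declared category. The items hunk starts at `@@ -29,1179 +28,1439 @@` and runs past this view, so I could not confirm from here that those items were updated in step with the rename. A check such as `grep -c 'Monitoreo y Gestión' checklists/avd_checklist.es.json`, expected to return 0 on the new file, would settle it.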
@@ -29,1179 +28,1439 @@
 "items": [
 {
 "category": "Continuidad del negocio y recuperación ante desastres",
- "description": "El plano de control AVD no ofrece un acuerdo de nivel de servicio respaldado financieramente. Nos esforzamos por lograr una disponibilidad mínima del 99,9 % para las direcciones URL del servicio Azure Virtual Desktop. La disponibilidad de las máquinas virtuales host de sesión en su suscripción está cubierta por el SLA de máquinas virtuales. También se debe considerar la disponibilidad de recursos/servicios dependientes y de infraestructura para satisfacer adecuadamente los requisitos globales de alta disponibilidad.",
+ "description": "El plano de control de AVD no ofrece un acuerdo de nivel de servicio respaldado financieramente. Nos esforzamos por lograr al menos un 99,9 % de disponibilidad para las direcciones URL del servicio Azure Virtual Desktop. La disponibilidad de las máquinas virtuales de host de sesión de la suscripción está cubierta por el Acuerdo de Nivel de Servicio de Máquinas Virtuales. También se deben tener en cuenta los recursos/servicios dependientes y la disponibilidad de la infraestructura para satisfacer adecuadamente los requisitos globales de alta disponibilidad.",
 "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
+ "id": "A01.01",
 "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/",
 "severity": "Alto",
 "subcategory": "Calcular",
- "text": "Determinar el SLA de alta disponibilidad esperado para aplicaciones o escritorios publicados a través de AVD"
+ "text": "Determinar el Acuerdo de Nivel de Servicio de Alta Disponibilidad esperado para aplicaciones o escritorios publicados a través de AVD",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Continuidad del negocio y recuperación ante desastres",
- "description": "El modelo 'Activo-Activo' se puede lograr con varios grupos de hosts en diferentes regiones. No se recomienda un único grupo de hosts con máquinas virtuales de diferentes regiones. 
Si se van a utilizar varios grupos para los mismos usuarios, se debe resolver el problema de cómo sincronizar/replicar perfiles de usuario. FSLogix Cloud Cache podría usarse, pero debe revisarse y planificarse cuidadosamente, o los clientes pueden decidir no sincronizar / replicar en absoluto. \"Activo-pasivo\" se puede lograr mediante Azure Site Recovery (ASR) o la implementación de grupos a petición con un mecanismo automatizado. Para una discusión detallada sobre BCDR multi-región, lea el artículo complementario en la columna 'Más información' y esta página relacionada con FSLogix: https://learn.microsoft.com/en-us/fslogix/concepts-container-recovery-business-continuity.", + "description": "El modelo \"Activo-Activo\" se puede lograr con varios grupos de hosts en diferentes regiones. No se recomienda un único grupo de hosts con máquinas virtuales de diferentes regiones. Si se van a utilizar varios grupos para los mismos usuarios, se debe resolver el problema de cómo sincronizar/replicar los perfiles de usuario. Se puede usar la caché en la nube de FSLogix, pero debe revisarse y planificarse cuidadosamente, o los clientes pueden decidir no sincronizar ni replicar en absoluto. \"Activo-pasivo\" se puede lograr mediante Azure Site Recovery (ASR) o la implementación de grupos a petición con un mecanismo automatizado. 
Para obtener una explicación detallada sobre BCDR multirregional, lea el artículo complementario en la columna \"Más información\" y esta página relacionada con FSLogix: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.", "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", + "id": "A01.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", "severity": "Medio", "subcategory": "Calcular", - "text": "Evaluar los requisitos de recuperación ante desastres geográficos para grupos de hosts AVD" + "text": "Evalúe los requisitos de recuperación ante desastres geográfica para grupos de hosts de AVD", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Antes de abordar la planeación y el diseño de BCDR de Azure Virtual Desktop, es importante considerar inicialmente qué aplicaciones que se consumen a través de AVD son críticas. Es posible que desee separarlas de las aplicaciones no críticas y usar un grupo de hosts independiente con un enfoque y capacidades de recuperación ante desastres diferentes.", + "description": "Antes de abordar la planeación y el diseño de BCDR de Azure Virtual Desktop, es importante tener en cuenta inicialmente qué aplicaciones consumidas a través de AVD son críticas. 
Es posible que desee separarlos de las aplicaciones no críticas y usar un grupo de hosts independiente con un enfoque y capacidades de recuperación ante desastres diferentes.", "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", + "id": "A01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Bajo", "subcategory": "Calcular", - "text": "Separar las aplicaciones críticas en diferentes grupos de hosts AVD" + "text": "Separe las aplicaciones críticas en diferentes grupos de hosts de AVD", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Cada grupo de hosts se puede implementar mediante zonas de disponibilidad (AZ) o conjunto de disponibilidad (AS). Para maximizar la resistencia, se recomienda el uso de AZ: en el momento de la creación del grupo de hosts, puede decidir distribuir los hosts de sesión del grupo de hosts en todas las zonas de disponibilidad disponibles. El uso de AS no protegerá contra errores de un solo centro de datos, por lo que solo debe usarse en regiones donde AZ no esté disponible. Más detalles sobre AZ y AVD en el artículo complementario. Para una comparación entre AZ y AS puede leer aquí: https://learn.microsoft.com/en-us/azure/virtual-machines/availability.", + "description": "Cada grupo de hosts se puede implementar mediante zonas de disponibilidad (AZ) o conjunto de disponibilidad (AS). Para maximizar la resistencia, se recomienda el uso de AZ: en el momento de la creación del grupo de hosts, puede decidir distribuir los hosts de sesión del grupo de hosts entre todas las zonas de disponibilidad disponibles. El uso de AS no protegerá de errores de un solo centro de datos, por lo que solo debe usarse en regiones donde AZ no esté disponible. Más detalles sobre AZ y AVD en el artículo complementario. 
Para una comparación entre AZ y AS puedes leer aquí: https://learn.microsoft.com/azure/virtual-machines/availability.", "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", + "id": "A01.04", "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", "severity": "Alto", "subcategory": "Calcular", - "text": "Planeación de la mejor opción de resistencia para la implementación del grupo de hosts AVD" + "text": "Planear la mejor opción de resistencia para la implementación del grupo de hosts de AVD", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Copia de seguridad de Azure se puede usar para proteger máquinas virtuales del grupo de hosts. Para los grupos agrupados, esto no es necesario ya que debe ser apátrida. En su lugar, esta opción se puede considerar para grupos de hosts personales.", + "description": "Azure Backup se puede usar para proteger las máquinas virtuales del grupo de hosts. En el caso de los grupos agrupados, esto no es necesario, ya que no debe tener estado. En su lugar, esta opción se puede considerar para los grupos de anfitriones personales.", "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", + "id": "A01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Medio", "subcategory": "Calcular", - "text": "Evaluar el requisito de copia de seguridad de las máquinas virtuales host de sesión AVD" + "text": "Evaluar el requisito de hacer una copia de seguridad de las VM de host de sesión de AVD", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Incluso para grupos personales, se recomienda el uso de zonas de disponibilidad, cuando estén disponibles. 
Son posibles tres posibles estrategias de recuperación ante desastres en la región, se recomienda seleccionar la mejor en función del costo, RTO/RPO y, si es realmente necesario, guardar todo el disco del sistema operativo de máquina virtual: (1) crear cada host de sesión en una zona específica (AZ) y, a continuación, usar Azure Site Recovery (ASR) para replicar en una zona diferente. (2) Use Copia de seguridad de Azure para realizar copias de seguridad y restaurar el host de sesión específico en una zona de disponibilidad diferente. (3) Cree un nuevo host de sesión en una zona de disponibilidad diferente y confíe en FSLogix y/o OneDrive para que los datos y la configuración estén disponibles en la nueva máquina. Todas las opciones requieren la intervención del administrador para DR y la asignación directa de usuarios a nivel de grupo de hosts, luego deben planificarse y configurarse de antemano.", + "description": "Incluso en el caso de los grupos personales, se recomienda el uso de zonas de disponibilidad, cuando estén disponibles. Son posibles tres posibles estrategias de recuperación ante desastres en la región, se recomienda seleccionar la mejor en función del costo, RTO/RPO y si es realmente necesario guardar todo el disco del sistema operativo de la máquina virtual: (1) crear cada host de sesión en una zona específica (AZ) y, a continuación, usar Azure Site Recovery (ASR) para replicar en una zona diferente. (2) Use Azure Backup para realizar copias de seguridad y restaurar el host de sesión específico en una zona de disponibilidad diferente. (3) Cree un nuevo host de sesión en una zona de disponibilidad diferente y confíe en FSLogix o OneDrive para que los datos y la configuración estén disponibles en la nueva máquina. 
Todas las opciones requieren la intervención del administrador para la recuperación ante desastres y la asignación directa de usuarios en el nivel del grupo de hosts, luego deben planificarse y configurarse de antemano.", "guid": "5da58639-ca3a-4961-890b-29663c5e10d", + "id": "A01.06", "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", "severity": "Medio", "subcategory": "Calcular", - "text": "Preparar una estrategia de recuperación ante desastres local para hosts de sesión de grupo de hosts personales" + "text": "Preparación de una estrategia de recuperación ante desastres local para hosts de sesión de grupo de hosts personales", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Si se usan imágenes personalizadas para implementar máquinas virtuales de grupos de hosts de AVD, es importante asegurarse de que esos artefactos estén disponibles en todas las regiones donde se implementa AVD. El servicio Galería de proceso de Azure se puede usar para replicar imágenes en todas las regiones donde se implementa un grupo de hosts, con almacenamiento redundante y en varias copias. Tenga en cuenta que el servicio Galería de proceso de Azure no es un recurso global. Para escenarios de recuperación ante desastres, la práctica recomendada es tener al menos dos galerías, en diferentes regiones.", + "description": "Si se usan imágenes personalizadas para implementar VM de AVD Host Pool, es importante asegurarse de que esos artefactos estén disponibles en todas las regiones en las que se implementa AVD. El servicio Azure Compute Gallery se puede usar para replicar imágenes en todas las regiones en las que se implementa un grupo de hosts, con almacenamiento redundante y en varias copias. Tenga en cuenta que el servicio Azure Compute Gallery no es un recurso global. 
En el caso de los escenarios de recuperación ante desastres, el procedimiento recomendado es tener al menos dos galerías en diferentes regiones.", "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", + "id": "A02.01", "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", "severity": "Bajo", "subcategory": "Dependencias", - "text": "Planeación de la disponibilidad de Golden Image entre regiones" + "text": "Planear la disponibilidad de Golden Image entre regiones", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Si los usuarios de la infraestructura AVD necesitan acceso a recursos locales, la alta disponibilidad de la infraestructura de red necesaria para conectarse también es crítica y debe tenerse en cuenta. Es necesario evaluar la resiliencia de la infraestructura de autenticación. Los aspectos de BCDR para aplicaciones dependientes y otros recursos deben considerarse para garantizar la disponibilidad en la ubicación secundaria de DR.", + "description": "Si los usuarios de la infraestructura AVD necesitan acceso a recursos locales, la alta disponibilidad de la infraestructura de red necesaria para conectarse también es fundamental y debe tenerse en cuenta. Es necesario evaluar la resiliencia de la infraestructura de autenticación. 
Es necesario tener en cuenta los aspectos de BCDR para las aplicaciones dependientes y otros recursos para garantizar la disponibilidad en la ubicación de recuperación ante desastres secundaria.", "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", + "id": "A02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Medio", "subcategory": "Dependencias", - "text": "Evaluar las dependencias de infraestructura y aplicaciones " + "text": "Evalúe las dependencias de la infraestructura y las aplicaciones ", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "No todos los datos dentro de los perfiles de usuario de FSLogix pueden merecer protección contra desastres. Además, si se utiliza almacenamiento externo, por ejemplo, OneDrive o servidores de archivos/recursos compartidos, lo que queda en el perfil FSLogix es mínimo y podría perderse en algunas circunstancias extremas. En otros casos, los datos dentro del perfil se pueden reconstruir desde otros almacenamientos (por ejemplo, la Bandeja de entrada de Outlook en modo caché).", + "description": "Es posible que no todos los datos dentro de los perfiles de usuario de FSLogix merezcan protección contra desastres. Además, si se usa almacenamiento externo, por ejemplo, OneDrive o servidores de archivos/recursos compartidos, lo que queda en el perfil de FSLogix es mínimo y podría perderse en algunas circunstancias extremas. 
En otros casos, los datos dentro del perfil se pueden reconstruir desde otros almacenamientos (por ejemplo, la bandeja de entrada de Outlook en modo de caché).", "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", + "id": "A03.01", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", "severity": "Medio", "subcategory": "Almacenamiento", - "text": "Evaluar qué datos deben protegerse en los contenedores de perfil y Office" + "text": "Evalúe qué datos deben protegerse en los contenedores de perfiles y Office", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Prevenir la pérdida de datos para los datos críticos del usuario es importante, el primer paso es evaluar qué datos deben guardarse y protegerse. Si usa OneDrive u otro almacenamiento externo, es posible que no sea necesario guardar los datos del perfil de usuario o de los contenedores de Office. Se debe considerar un mecanismo apropiado para proporcionar protección a los datos críticos del usuario. El servicio Copia de seguridad de Azure se puede usar para proteger los datos de contenedores de Office y perfiles cuando se almacenan en los niveles Standard y Premium de Azure Files. Azure NetApp Files Snapshots and Policies se puede usar para Azure NetApp Files (todos los niveles).", + "description": "Es importante evitar la pérdida de datos de los usuarios críticos, el primer paso es evaluar qué datos deben guardarse y protegerse. Si usa OneDrive u otro almacenamiento externo, es posible que no sea necesario guardar el perfil de usuario o los datos de los contenedores de Office. Se debe considerar un mecanismo adecuado para proporcionar protección a los datos críticos de los usuarios. El servicio Azure Backup se puede usar para proteger los datos de los contenedores de Office y de perfil cuando se almacenan en los niveles Estándar y Premium de Azure Files. 
Las instantáneas y directivas de Azure NetApp Files se pueden usar para Azure NetApp Files (todos los niveles).", "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", + "id": "A03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Medio", "subcategory": "Almacenamiento", - "text": "Crear una estrategia de protección de copia de seguridad para contenedores de perfiles y Office" + "text": "Creación de una estrategia de protección de copia de seguridad para contenedores de perfiles y Office", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "En AVD, se pueden usar varios mecanismos y estrategias de replicación para los datos de usuario que residen en contenedores FSLogix: [Patrón de perfil #1]: mecanismos de replicación de almacenamiento nativos de Azure, por ejemplo, replicación GRS estándar de Azure Files, replicación entre regiones de Azure NetApp Files. Se recomienda usar almacenamiento replicado en zona (ZRS) o almacenamiento con replicación geográfica (GRS) para Azure Files. LRS con resiliencia solo local se puede usar si no se requiere protección de zona o región. NOTA: Azure Files Share Standard es LRS/ZRS/GRS, pero con la compatibilidad grande de 100 TB habilitada, solo se admiten LRS/ZRS. [Patrón de perfil # 2]: FSLogix Cloud Cache está integrado en un mecanismo automático para replicar contenedores entre diferentes (hasta 4) cuentas de almacenamiento. Cloud Cache solo debe usarse cuando:(1) Perfil de usuario o contenedores de Office disponibilidad de datos requerida El SLA de alta disponibilidad es crítico y debe ser resistente a los errores de la región. (2) La opción de almacenamiento seleccionada no puede satisfacer los requisitos de BCDR. Por ejemplo, con el nivel Premium de Azure File Share o Azure File Share Standard con compatibilidad con archivos grandes habilitada, GRS no está disponible. 
(3) Cuando se requiere replicación entre almacenamiento de información dispar. [Patrón de perfil # 3]: solo configure la recuperación geográfica ante desastres para los datos de la aplicación y no para los contenedores de datos / perfiles de usuario: almacene los datos importantes de la aplicación en almacenamientos separados, como OneDrive u otro almacenamiento externo con su propio mecanismo de DR incorporado.", + "description": "En AVD, se pueden usar varios mecanismos y estrategias de replicación para los datos de usuario que residen en contenedores de FSLogix: [Patrón de perfil #1]: mecanismos de replicación de almacenamiento nativo de Azure, por ejemplo, replicación GRS estándar de Azure Files, replicación entre regiones de Azure NetApp Files. Se recomienda usar el almacenamiento replicado de zona (ZRS) o el almacenamiento replicado geográficamente (GRS) para Azure Files. LRS con resistencia solo local se puede usar si no se requiere protección de zona o región. NOTA: Azure Files Share Standard es LRS/ZRS/GRS, pero con la compatibilidad con 100 TB de gran tamaño habilitada, solo se admiten LRS/ZRS. [Patrón de perfil #2]: FSLogix Cloud Cache está integrado en un mecanismo automático para replicar contenedores entre diferentes (hasta 4) cuentas de almacenamiento. Cloud Cache solo se debe usar cuando:(1) La disponibilidad de datos de perfil de usuario o contenedores de Office requiere un acuerdo de nivel de servicio de alta disponibilidad crítico y debe ser resistente a errores de región. (2) La opción de almacenamiento seleccionada no puede satisfacer los requisitos de BCDR. Por ejemplo, con el nivel Premium de Azure File Share o Azure File Share Standard con compatibilidad con archivos grandes habilitada, GRS no está disponible. (3) Cuando se requiere la replicación entre almacenamiento dispar. 
[Patrón de perfil #3]: Configure solo la recuperación ante desastres geográfica para los datos de la aplicación y no para los contenedores de datos de usuario/perfil: almacene los datos importantes de la aplicación en almacenamientos separados, como OneDrive u otro almacenamiento externo con su propio mecanismo de recuperación ante desastres incorporado.", "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", + "id": "A03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Medio", "subcategory": "Almacenamiento", - "text": "Evaluar los requerimientos de replicación y la resiliencia del almacenamiento de almacenamiento de información de contenedores de perfiles para fines de BCDR" + "text": "Evalúe los requisitos de replicación y la resistencia del almacenamiento de contenedores de perfiles para el propósito de BCDR", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Para la recuperación ante desastres local, se puede usar Azure Backup for Azure Files. Para la recuperación ante desastres geográficos entre regiones: GRS para Azure Files solo está disponible con SKU estándar y sin compatibilidad con recursos compartidos grandes, por lo que no es adecuado en la mayoría de los escenarios de clientes. Si se requiere replicación geográfica con Azure File Share Premium, se puede evaluar la replicación con FSLogix Cloud Cache o solo se debe considerar la resistencia de la zona de disponibilidad (AZ) \"en la región\".", + "description": "Para la recuperación ante desastres local, se puede usar Azure Backup para Azure Files. Para la recuperación ante desastres geográfica entre regiones: GRS para Azure Files solo está disponible con una SKU estándar y no es compatible con recursos compartidos grandes, por lo que no es adecuado en la mayoría de los escenarios de clientes. 
Si se requiere la replicación geográfica con Azure File Share Premium, se puede evaluar la replicación con la caché en la nube de FSLogix o se debe tener en cuenta la resistencia solo de la zona de disponibilidad (AZ) \"en la región\".", "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", + "id": "A03.04", "link": "https://docs.microsoft.com/azure/backup/backup-afs", "severity": "Medio", "subcategory": "Almacenamiento", - "text": "Revisión de la estrategia de recuperación ante desastres de Azure Files" + "text": "Revisión de la estrategia de recuperación ante desastres de Azure Files", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "El almacenamiento con redundancia de zona maximizará la resistencia dentro de la región para los datos del perfil de usuario. ZRS es compatible con recursos compartidos de archivos premium a través del tipo de cuenta de almacenamiento 'FileStorage'. ZRS es compatible con las cuentas de almacenamiento v2 de uso general estándar. El uso del almacenamiento con redundancia de zona debe combinarse con la implementación con redundancia de zona de hosts de sesión en cada grupo de hosts. ", + "description": "El almacenamiento con redundancia de zona maximizará la resistencia en la región para los datos de perfil de usuario. ZRS es compatible con recursos compartidos de archivos premium a través del tipo de cuenta de almacenamiento \"FileStorage\". ZRS es compatible con las cuentas de almacenamiento estándar de uso general v2. El uso del almacenamiento con redundancia de zona debe combinarse con la implementación con redundancia de zona de los hosts de sesión en cada grupo de hosts. 
", "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", + "id": "A03.05", "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "severity": "Alto", "subcategory": "Almacenamiento", - "text": "Uso del almacenamiento con redundancia de zona (ZRS) para Azure Files para maximizar la resistencia" + "text": "Uso del almacenamiento con redundancia de zona (ZRS) para Azure Files para maximizar la resistencia", + "waf": "Fiabilidad" }, { "category": "Continuidad del negocio y recuperación ante desastres", - "description": "Para la recuperación ante desastres local, está disponible la copia de seguridad nativa de Azure NetApp Files (ANF). ANF es esencialmente redundante localmente, entonces para la recuperación de desastres geográficos entre regiones es necesario utilizar un mecanismo adicional que sea la replicación entre regiones (CRR) https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-create-peering. Actualmente, ANF no proporciona replicación ni redundancia en diferentes zonas de disponibilidad (AZ), solo la posibilidad de seleccionar en qué AZ colocar el volumen ANF: https://learn.microsoft.com/en-us/azure/azure-netapp-files/manage-availability-zone-volume-placement.", + "description": "Para la recuperación ante desastres local, está disponible la copia de seguridad nativa de Azure NetApp Files (ANF). ANF es esencialmente redundante localmente, por lo que para la recuperación ante desastres geográfica entre regiones es necesario usar un mecanismo adicional que es la replicación entre regiones (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. 
Actualmente, ANF no proporciona replicación ni redundancia entre diferentes zonas de disponibilidad (AZ), solo la posibilidad de seleccionar en qué única AZ colocar el volumen ANF: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", "guid": "23429db7-2281-4376-85cc-57b4a4b18142", + "id": "A03.06", "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "severity": "Medio", "subcategory": "Almacenamiento", - "text": "Revisión de la estrategia de recuperación ante desastres de Azure NetApp Files" + "text": "Revisión de la estrategia de recuperación ante desastres de Azure NetApp Files", + "waf": "Fiabilidad" }, { "category": "Calcular", - "description": "Las aplicaciones se pueden preinstalar en la(s) imagen(es) dorada, se pueden adjuntar mediante la función MSIX & AppAttach o distribuirse a los hosts de sesión después de la implementación del grupo de hosts utilizando métodos tradicionales de distribución de software.", + "description": "Las aplicaciones se pueden preinstalar en las imágenes maestras, se pueden adjuntar mediante la función MSIX y AppAttach o se pueden distribuir a los hosts de sesión después de la implementación del grupo de hosts mediante métodos tradicionales de distribución de software.", "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", + "id": "B01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "Alto", "subcategory": "Imágenes doradas", - "text": "Determinar cómo se implementarán las aplicaciones en los grupos de hosts AVD" + "text": "Determinar cómo se implementarán las aplicaciones en los grupos de hosts de AVD", + "waf": "Operaciones" }, { "category": "Calcular", - "description": "Se pueden requerir múltiples imágenes doradas para admitir diferentes versiones y / o configuraciones del sistema operativo, diferentes grupos de aplicaciones que deben separarse y no se pueden incluir en una sola imagen.", 
+ "description": "Es posible que se requieran varias imágenes maestras para admitir diferentes versiones y/o configuraciones del sistema operativo, diferentes grupos de aplicaciones que deben separarse y no se pueden incluir en una sola imagen.", "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", + "id": "B01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "Medio", "subcategory": "Imágenes doradas", - "text": "Estimar el número de imágenes doradas que se requerirán" + "text": "Calcule el número de imágenes áureas que se necesitarán", + "waf": "Operaciones" }, { "category": "Calcular", - "description": "Determine qué SO invitado se usará para implementar cada grupo de hosts: Windows 10 frente a Windows Server, Marketplace frente a imágenes personalizadas", + "description": "Determinar qué sistema operativo invitado se usará para implementar cada grupo de hosts: Windows 10 frente a Windows Server, Marketplace frente a imágenes personalizadas", "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", + "id": "B01.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", "severity": "Medio", "subcategory": "Imágenes doradas", - "text": "Determinar qué imagenes del sistema operativo usará para la implementación del grupo de hosts" + "text": "Determine qué imágenes del sistema operativo usará para la implementación del grupo de hosts", + "waf": "Fiabilidad" }, { "category": "Calcular", - "description": "Las imágenes personalizadas de Azure VM se pueden crear y almacenar de diferentes maneras: en una Galería de proceso de Azure, como un objeto de imagen administrado o como un disco administrado en el almacenamiento. 
La forma recomendada es usar la Galería de proceso de Azure.", + "description": "Las imágenes personalizadas de máquinas virtuales de Azure se pueden crear y almacenar de diferentes maneras: en una instancia de Azure Compute Gallery, como un objeto de imagen administrada o como un disco administrado en el almacenamiento. La manera recomendada es usar Azure Compute Gallery.", "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", + "id": "B01.04", "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "severity": "Bajo", "subcategory": "Imágenes doradas", - "text": "Seleccione la tienda adecuada para imágenes personalizadas" + "text": "Seleccione la tienda adecuada para imágenes personalizadas", + "waf": "Fiabilidad" }, { "category": "Calcular", - "description": "Si se van a usar imágenes personalizadas, planee un proceso de compilación automatizado. Si no existe una fábrica de software preexistente, considere la posibilidad de usar plantillas de imagen personalizadas o Azure Image Builder para automatizar el proceso de compilación.", + "description": "Si se van a usar imágenes personalizadas, planifique un proceso de compilación automatizado. 
Si no existe ninguna fábrica de software preexistente, considere la posibilidad de usar plantillas de imagen personalizadas o Azure Image Builder para automatizar el proceso de compilación.", "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", + "id": "B01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", "severity": "Bajo", "subcategory": "Imágenes doradas", - "text": "Diseñar el proceso de compilación para imágenes personalizadas" + "text": "Diseña tu proceso de compilación para imágenes personalizadas", + "waf": "Operaciones" }, { "category": "Calcular", - "description": "Hay algunas mejores prácticas y recomendaciones conocidas para la personalización de la imagen dorada, asegúrese de consultar el artículo al que se hace referencia.", + "description": "Hay algunas prácticas recomendadas y recomendaciones conocidas para la personalización de la imagen dorada, asegúrese de consultar el artículo al que se hace referencia.", "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", + "id": "B01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "Medio", "subcategory": "Imágenes doradas", - "text": "Si se va a utilizar una imagen personalizada, consulta las prácticas recomendadas para AVD sobre cómo crear una imagen personalizada" + "text": "Si se va a usar una imagen personalizada, consulta las prácticas recomendadas para AVD sobre cómo crear una imagen personalizada", + "waf": "Operaciones" }, { "category": "Calcular", - "description": "La pila FSLogix instalada en hosts de sesión AVD no proporciona capacidad de actualización automática. Por esta razón, se recomienda descargar la última versión de FSLogix e incluirla en el proceso de actualización de la imagen dorada.", + "description": "La pila de FSLogix instalada en hosts de sesión de AVD no proporciona capacidad de actualización automática. 
Por esta razón, se recomienda descargar la última versión de FSLogix e incluirla en el proceso de actualización de la imagen dorada.", "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", + "id": "B01.07", "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", "severity": "Alto", "subcategory": "Imágenes doradas", - "text": "Incluir la última versión de FSLogix en el proceso de actualización de imagen dorada" + "text": "Incluir la versión más reciente de FSLogix en el proceso de actualización de la imagen maestra", + "waf": "Fiabilidad" }, { "category": "Calcular", - "description": "Este conjunto de herramientas se ha creado para aplicar automáticamente la configuración a la que se hace referencia en las notas del producto 'Optimización de Windows 10, versión 2004 para un rol de infraestructura de escritorio virtual (VDI)': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Se debe considerar el uso de la herramienta y / o las optimizaciones mencionadas en el documento técnico. ", + "description": "Este conjunto de herramientas se ha creado para aplicar automáticamente la configuración a la que se hace referencia en las notas del producto \"Optimización de Windows 10, versión 2004 para un rol de infraestructura de escritorio virtual (VDI)\": https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Se debe tener en cuenta el uso de la herramienta y/o las optimizaciones mencionadas en el documento técnico. 
", "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", + "id": "B01.08", "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "severity": "Bajo", "subcategory": "Imágenes doradas", - "text": "Evaluar el uso de Virtual-Desktop-Optimization-Tool" + "text": "Evalúe el uso de Virtual-Desktop-Optimization-Tool", + "waf": "Rendimiento" }, { "category": "Calcular", - "description": "Si se usa OneDrive y se incluye en una imagen dorada, asegúrese de seguir el procedimiento de configuración indicado en el artículo complementario de la sección \"Más información\". No está en el alcance de esta lista de comprobación de AVD, pero las optimizaciones de OneDrive como 'Redirección de carpetas conocidas' y 'Archivos a petición' deben evaluarse para reducir el espacio utilizado en los perfiles de FSLogix y proporcionar una mejor experiencia de usuario. En la actualidad, OneDrive no es compatible con aplicaciones remotas.", + "description": "Si se usa OneDrive y se incluye en una imagen maestra, asegúrese de seguir el procedimiento de configuración que se indica en el artículo complementario de la sección \"Más información\". No está en el ámbito de esta lista de comprobación de AVD, pero las optimizaciones de OneDrive como \"Redirección de carpetas conocidas\" y \"Archivos a petición\" deben evaluarse para reducir el espacio utilizado en los perfiles de FSLogix y proporcionar una mejor experiencia de usuario. 
Actualmente, OneDrive no es compatible con aplicaciones remotas.", "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", + "id": "B01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "severity": "Bajo", "subcategory": "Imágenes doradas", - "text": "Determinar si Microsoft OneDrive formará parte de la implementación de AVD" + "text": "Determinar si Microsoft OneDrive formará parte de la implementación de AVD", + "waf": "Operaciones" }, { "category": "Calcular", - "description": "Asegúrese de revisar los requisitos y el procedimiento de configuración contenidos en el artículo complementario en la columna 'Más información'. Dado que las actualizaciones automáticas de Teams estarán deshabilitadas, se recomienda comprobar e incluir la última versión de Teams en el proceso de actualización de la imagen dorada.", + "description": "Asegúrese de revisar los requisitos y el procedimiento de configuración contenidos en el artículo complementario en la columna \"Más información\". Dado que las actualizaciones automáticas de Teams estarán deshabilitadas, se recomienda verificar e incluir la última versión de Teams en el proceso de actualización de la imagen dorada.", "guid": "b5887953-5d22-4788-9d30-b66c67be5951", + "id": "B01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", "severity": "Bajo", "subcategory": "Imágenes doradas", - "text": "Determinar si Microsoft Teams formará parte de la implementación de AVD" + "text": "Determinar si Microsoft Teams formará parte de la implementación de AVD", + "waf": "Rendimiento" }, { "category": "Calcular", "description": "AVD puede admitir usuarios con diferentes requisitos de idioma y localización en el mismo grupo de hosts. Esto se puede hacer personalizando imágenes doradas para garantizar que los usuarios puedan seleccionar el idioma que necesiten. 
El procedimiento para configurar paquetes de idioma adicionales en Windows 11 se documenta en el artículo de referencia.", "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", + "id": "B01.11", "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", "severity": "Bajo", "subcategory": "Imágenes doradas", - "text": "Evaluar el requisito de admitir varios idiomas" + "text": "Evalúe el requisito de admitir varios idiomas", + "waf": "Fiabilidad" }, { "category": "Calcular", - "description": "Se recomienda encarecidamente utilizar cuentas de almacenamiento/recursos compartidos independientes para almacenar paquetes MSIX. Si es necesario, el almacenamiento puede escalar horizontalmente de forma independiente y no verse afectado por las actividades de E/S del perfil. Azure ofrece varias opciones de almacenamiento que se pueden usar para la conexión de aplicaciones MISX. Se recomienda usar Azure Files o Azure NetApp Files, ya que estas opciones ofrecen el mejor valor entre costo y gastos generales de administración. ", + "description": "Se recomienda encarecidamente usar cuentas de almacenamiento o recursos compartidos independientes para almacenar paquetes MSIX. Si es necesario, el almacenamiento se puede escalar horizontalmente de forma independiente y no se ve afectado por las actividades de E/S de perfil. Azure ofrece varias opciones de almacenamiento que se pueden usar para la conexión de aplicaciones MISX. Se recomienda usar Azure Files o Azure NetApp Files, ya que estas opciones ofrecen el mejor valor entre costo y sobrecarga de administración. 
", "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", + "id": "B02.01", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "Medio", "subcategory": "MSIX y AppAttach", - "text": "No utilice la misma cuenta/recurso compartido de almacenamiento que los perfiles de FSLogix" + "text": "No use la misma cuenta de almacenamiento o recurso compartido que los perfiles de FSLogix", + "waf": "Rendimiento" }, { "category": "Calcular", - "description": "En el artículo al que se hace referencia, informamos pocas pero importantes consideraciones de rendimiento para el uso de MSIX en el contexto AVD, asegúrese de revisarlo cuidadosamente.", + "description": "En el artículo al que se hace referencia, informamos sobre pocas pero importantes consideraciones de rendimiento para el uso de MSIX en el contexto de AVD, asegúrese de revisarlas detenidamente.", "guid": "241addce-5793-477b-adb3-751ab2ac1fad", + "id": "B02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "Medio", "subcategory": "MSIX y AppAttach", - "text": "Revisar las consideraciones de rendimiento para MSIX" + "text": "Revisión de las consideraciones de rendimiento para MSIX", + "waf": "Rendimiento" }, { "category": "Calcular", - "description": "La conexión de la aplicación MSIX requiere permisos de solo lectura para acceder al recurso compartido de archivos. Si va a almacenar las aplicaciones MSIX en Azure Files, deberá asignar a todas las máquinas virtuales host de sesión permisos de control de acceso basado en roles (RBAC) de cuentas de almacenamiento y permisos del sistema de archivos de nueva tecnología (NTFS) en el recurso compartido.", + "description": "La conexión de la aplicación MSIX requiere permisos de solo lectura para acceder al recurso compartido de archivos. 
Si va a almacenar las aplicaciones MSIX en Azure Files, para los hosts de sesión, deberá asignar a todas las máquinas virtuales de host de sesión permisos de control de acceso basado en rol (RBAC) de cuenta de almacenamiento y de sistema de archivos de nueva tecnología (NTFS) en el recurso compartido.", "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", + "id": "B02.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "Medio", "subcategory": "MSIX y AppAttach", - "text": "Comprobar los permisos de host de sesión adecuados para el recurso compartido MSIX" + "text": "Comprobación de los permisos de host de sesión adecuados para el recurso compartido MSIX", + "waf": "Seguridad" }, { "category": "Calcular", - "description": "El proveedor de software de 3rd party debe proporcionar un paquete MSIX, no se recomienda que el cliente intente el procedimiento de conversión sin el soporte adecuado del propietario de la aplicación.", + "description": "El proveedor de software de terceros debe proporcionar un paquete MSIX, no se recomienda que el cliente intente el procedimiento de conversión sin el soporte adecuado del propietario de la aplicación.", "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", + "id": "B02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "Bajo", "subcategory": "MSIX y AppAttach", - "text": "Paquetes MSIX para aplicaciones de 3ª parte" + "text": "Paquetes MSIX para aplicaciones de terceros", + "waf": "Costar" }, { "category": "Calcular", - "description": "La aplicación MSIX adjunta no admite la actualización automática para aplicaciones MSIX, por lo que deben deshabilitarse.", + "description": "La conexión de aplicaciones MSIX no admite la actualización automática para aplicaciones MSIX, por lo que deben estar deshabilitadas.", "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", + "id": "B02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", 
"severity": "Bajo", "subcategory": "MSIX y AppAttach", - "text": "Deshabilitar la actualización automática para paquetes MSIX" + "text": "Deshabilitar la actualización automática de paquetes MSIX", + "waf": "Operaciones" }, { "category": "Calcular", - "description": "Para aprovechar MSIX & App Attach, la imagen del SO invitado para el grupo de hosts AVD debe ser Windows 10/11 Enterprise o Windows 10/11 Enterprise Multi-session, versión 2004 o posterior.", + "description": "Para aprovechar MSIX y App Attach, la imagen del sistema operativo invitado para el grupo de hosts AVD debe ser Windows 10/11 Enterprise o Windows 10/11 Enterprise Multisesión, versión 2004 o posterior.", "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", + "id": "B02.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "Medio", "subcategory": "MSIX y AppAttach", - "text": "Revisar la compatibilidad con sistemas operativos" + "text": "Revisión de la compatibilidad con los sistemas operativos", + "waf": "Fiabilidad" }, { "category": "Calcular", - "description": "Una vez seleccionada la SKU de máquina virtual que se usará para la implementación del grupo de hosts, se recomienda usar el tipo Gen2 de la SKU para una mayor seguridad y capacidades mejoradas.", + "description": "Una vez seleccionada la SKU de máquina virtual que se usará para la implementación del grupo de hosts, se recomienda usar el tipo Gen2 de la SKU para obtener una mayor seguridad y capacidades mejoradas.", "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", + "id": "B03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", "severity": "Medio", - "subcategory": "Host de sesión", - "text": "Evaluar el uso de la máquina virtual Gen2 para la implementación del grupo de hosts" + "subcategory": "Anfitrión de la sesión", + "text": "Evaluación del uso de la máquina virtual Gen2 para la implementación del grupo de hosts", + "waf": "Rendimiento" }, { "category": "Calcular", - 
"description": "MMR redirige el contenido multimedia del host de sesión a su máquina local para un procesamiento y representación más rápidos. Solo funciona cuando reproduce contenido multimedia en Microsoft Edge o Google Chrome. Consulte URL vinculada para obtener más detalles.",
+ "description": "MMR redirige el contenido multimedia del host de sesión a su máquina local para un procesamiento y procesamiento más rápidos. Solo funciona cuando reproduce contenido multimedia en Microsoft Edge o Google Chrome. Consulte la URL vinculada para obtener más detalles.",
 "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
+ "id": "B03.02",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection",
 "severity": "Bajo",
- "subcategory": "Host de sesión",
- "text": "Considere el uso de MMR (MultiMedia Redirection) para obtener un mejor rendimiento de video en el navegador"
+ "subcategory": "Anfitrión de la sesión",
+ "text": "Considere la posibilidad de utilizar MMR (MultiMedia Redirection) para obtener un mejor rendimiento de vídeo en el navegador",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "Un grupo de hosts es una colección de máquinas virtuales de Azure que se registran en Azure Virtual Desktop como hosts de sesión. Un grupo host puede ser de dos tipos: Personal y Agrupado. Qué tipo usar, y cuántos, es una decisión de diseño clave que debe documentarse y validarse. Consulte el artículo complementario en la columna 'Más información' para obtener más detalles.",
+ "description": "Un grupo de hosts es una colección de máquinas virtuales de Azure que se registran en Azure Virtual Desktop como hosts de sesión. Un grupo de hosts puede ser de dos tipos: Personal y Agrupado. Qué tipo usar, y cuántos, es una decisión de diseño clave que debe documentarse y validarse. 
Consulte el artículo complementario en la columna \"Más información\" para obtener más detalles.",
 "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
+ "id": "C01.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools",
 "severity": "Alto",
 "subcategory": "Planificación de la capacidad",
- "text": "Determinación del tipo de grupo de hosts que se va a usar"
+ "text": "Determinar el tipo de grupo de hosts que se va a utilizar",
+ "waf": "Costar"
 },
 {
 "category": "Fundación",
- "description": "Use los criterios de diseño para determinar el número de grupos de hosts que se van a implementar. Esto se basará en factores como diferentes imágenes del sistema operativo, compatibilidad con varias regiones, diferencias de hardware de VM invitada (como compatibilidad con GPU o no), diferentes expectativas de usuario y requisitos de tiempo de actividad (ejemplos pueden ser 'Ejecutivos', 'Trabajadores de oficina', 'Desarrolladores', etc.) y la configuración RDP del grupo de hosts (como la compatibilidad con la redirección de unidades). Estos determinarán el número de grupos de hosts, así como cuántos hosts habrá en cada grupo.",
+ "description": "Utilice los criterios de diseño para determinar el número de grupos de hosts que se van a implementar. Esto se basará en factores como las diferentes imágenes del sistema operativo, la compatibilidad con varias regiones, las diferencias de hardware de la máquina virtual invitada (como la compatibilidad o no con la GPU), las diferentes expectativas de los usuarios y los requisitos de tiempo de actividad (los ejemplos pueden ser \"Ejecutivos\", \"Trabajadores de oficina\", \"Desarrolladores\", etc.) y la configuración de RDP del grupo de hosts (como la compatibilidad con la redirección de unidades). 
Estos determinarán el número de grupos de hosts, así como el número de hosts que habrá en cada grupo.",
 "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
+ "id": "C01.02",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools",
 "severity": "Alto",
 "subcategory": "Planificación de la capacidad",
- "text": "Estimar el número de grupos de hosts diferentes para implementar "
+ "text": "Estimación del número de grupos de hosts diferentes que se van a implementar ",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "Confirme que la diferencia entre asignación automática y directa se entiende bien y que la opción seleccionada es apropiada para el escenario en cuestión. Automático es la configuración predeterminada.",
+ "description": "Confirme que se entiende bien la diferencia entre la asignación automática y la directa y que la opción seleccionada es adecuada para el escenario en cuestión. Automático es la configuración predeterminada.",
 "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
+ "id": "C01.03",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
 "severity": "Bajo",
 "subcategory": "Planificación de la capacidad",
- "text": "En Personal Host Pool type (Tipo de grupo de hosts personales), seleccione el tipo de asignación adecuado"
+ "text": "En Personal Host Pool type (Tipo de grupo de hosts personales), seleccione el tipo de asignación adecuado",
+ "waf": "Operaciones"
 },
 {
 "category": "Fundación",
 "description": "Compruebe cuál usar y las opciones disponibles, el escalado automático ignora los algoritmos de equilibrio de carga existentes.",
 "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
+ "id": "C01.04",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
 "severity": "Bajo",
 "subcategory": "Planificación de la capacidad",
- "text": "En Tipo de grupo de hosts agrupados, seleccione el mejor método de 
equilibrio de carga"
+ "text": "En Tipo de grupo de hosts agrupados, seleccione el mejor método de equilibrio de carga",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "El número de núcleos aumenta, la sobrecarga de sincronización del sistema también aumenta. Especialmente para el inicio de sesión de varios usuarios simultáneamente. Asegúrese de no usar una máquina virtual demasiado grande para el host de sesión",
+ "description": "El número de núcleos aumenta, la sobrecarga de sincronización del sistema también aumenta. Especialmente para el inicio de sesión de varios usuarios simultáneamente. Asegúrese de no usar una máquina virtual que sea demasiado grande para el host de sesión",
 "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
+ "id": "C01.05",
 "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
 "severity": "Medio",
 "subcategory": "Planificación de la capacidad",
- "text": "Para el tipo de grupo de hosts agrupados, las máquinas virtuales no deben tener más de 32 núcleos"
+ "text": "Para el tipo de grupo de hosts agrupados, las máquinas virtuales no deben tener más de 32 núcleos",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "AVD no admite la asignación de RemoteApp y el grupo de aplicaciones de escritorio (DAG) en un único grupo de hosts al mismo conjunto de usuarios. Si lo hace, un solo usuario tendrá dos sesiones de usuario en un solo grupo de hosts. Se supone que los usuarios no deben tener dos sesiones activas al mismo tiempo en el mismo grupo de hosts con el mismo perfil.",
+ "description": "AVD no admite la asignación de RemoteApp y el grupo de aplicaciones de escritorio (DAG) en un solo grupo de hosts al mismo conjunto de usuarios. Si lo hace, un solo usuario tendrá dos sesiones de usuario en un único grupo de hosts. 
Se supone que los usuarios no deben tener dos sesiones activas al mismo tiempo en el mismo grupo de hosts con el mismo perfil.",
 "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
+ "id": "C01.06",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups",
 "severity": "Alto",
 "subcategory": "Planificación de la capacidad",
- "text": "No use el mismo grupo de hosts para ofrecer escritorios completos (DAG) y aplicaciones remotas al mismo conjunto de usuarios"
+ "text": "No use el mismo grupo de hosts para ofrecer escritorios completos (DAG) y aplicaciones remotas al mismo conjunto de usuarios",
+ "waf": "Seguridad"
 },
 {
 "category": "Fundación",
- "description": "Hay un límite de 500 grupos de aplicaciones que se pueden crear en AVD para cada inquilino de Microsoft Entra ID (antiguo Azure AD). El límite se puede aumentar (consulte el enlace complementario para obtener más detalles), pero no se recomienda.",
+ "description": "Hay un límite de 500 grupos de aplicaciones que se pueden crear en AVD para cada inquilino de Microsoft Entra ID (anteriormente Azure AD). 
El límite se puede aumentar (consulte el enlace complementario para obtener más detalles), pero no se recomienda.",
 "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
+ "id": "C01.07",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits",
 "severity": "Medio",
 "subcategory": "Planificación de la capacidad",
- "text": "Calcular el número de grupos de aplicaciones necesarios en todos los grupos de hosts del inquilino de Microsoft Entra ID"
+ "text": "Calcular el número de grupos de aplicaciones necesarios en todos los grupos de hosts del inquilino de Microsoft Entra ID",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Fundación",
- "description": "Las aplicaciones se agrupan en Grupos de aplicaciones como contenedores para publicar y asignar permisos: se recomienda no publicar más de 50 aplicaciones por grupo de aplicaciones.",
+ "description": "Las aplicaciones se agrupan en grupos de aplicaciones como contenedores para publicar y asignar permisos: se recomienda no publicar más de 50 aplicaciones por grupo de aplicaciones.",
 "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
+ "id": "C01.08",
 "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "severity": "Bajo",
 "subcategory": "Planificación de la capacidad",
- "text": "Estimar el número de aplicaciones para cada grupo de aplicaciones"
+ "text": "Estimar el número de solicitudes para cada grupo de aplicaciones",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Fundación",
- "description": "FSLogix no es necesario para los grupos de hosts personales, ya que cada máquina virtual se asigna estáticamente a un solo usuario, por lo que no hay necesidad inmediata de una solución de perfil móvil. En algunos escenarios de uso, FSLogix puede ayudar. 
Por ejemplo, se puede reasignar una máquina virtual, mover el usuario a otro escritorio, o usar un perfil móvil para guardar el perfil de usuario en una ubicación diferente para fines de recuperación ante desastres.",
+ "description": "FSLogix no es necesario para los grupos de hosts personales, ya que cada máquina virtual se asigna estáticamente a un solo usuario, por lo que no se necesita una solución de perfil móvil inmediata. En algunos escenarios de uso, FSLogix puede ayudar. Por ejemplo, se puede reasignar una máquina virtual, mover el usuario a otro escritorio o usar un perfil móvil para guardar el perfil de usuario en una ubicación diferente con fines de recuperación ante desastres.",
 "guid": "38b19ab6-0693-4992-9394-5590883916ec",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop",
+ "id": "C01.09",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop",
 "severity": "Bajo",
 "subcategory": "Planificación de la capacidad",
- "text": "Evaluar el uso de FSLogix para grupos de hosts personales"
+ "text": "Evaluación del uso de FSLogix para grupos de hosts personales",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Fundación",
- "description": "Utilice el enlace proporcionado para establecer un punto de partida para la decisión de SKU y, a continuación, valide mediante una prueba de rendimiento. Asegúrese de seleccionar un mínimo de cuatro núcleos para producción por host de sesión (sesión múltiple)",
+ "description": "Utilice el vínculo proporcionado para establecer un punto de partida para la decisión de SKU y, a continuación, valide mediante una prueba de rendimiento. 
Asegúrese de que se selecciona un mínimo de cuatro núcleos para producción por host de sesión (multisesión)",
 "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
+ "id": "C01.10",
 "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
 "severity": "Alto",
 "subcategory": "Planificación de la capacidad",
- "text": "Ejecución de pruebas de rendimiento de carga de trabajo para determinar el mejor SKU de máquina virtual de Azure y el tamaño que se debe usar"
+ "text": "Ejecución de la prueba de rendimiento de la carga de trabajo para determinar la mejor SKU y tamaño de máquina virtual de Azure que se va a usar",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "Es fundamental comprobar la capacidad de AVD y los límites informados en el artículo al que se hace referencia. Se aplican límites y umbrales adicionales para la administración de redes, computación, almacenamiento y servicios. ",
+ "description": "Es fundamental verificar la capacidad y los límites de AVD informados en el artículo al que se hace referencia. Se aplican límites y umbrales adicionales para la administración de redes, computación, almacenamiento y servicios. 
",
 "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
+ "id": "C01.11",
 "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "severity": "Alto",
 "subcategory": "Planificación de la capacidad",
- "text": "Comprobar los límites de escalabilidad de AVD para el entorno"
+ "text": "Verificar los límites de escalabilidad de AVD para el entorno",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Fundación",
 "description": "Los grupos de hosts con GPU requieren una configuración especial, asegúrese de revisar el artículo al que se hace referencia.",
 "guid": "c936667e-13c0-4056-94b1-e945a459837e",
+ "id": "C01.12",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
 "severity": "Bajo",
 "subcategory": "Planificación de la capacidad",
- "text": "Determinar si los hosts de sesión requerirán GPU"
+ "text": "Determinar si los hosts de sesión requerirán GPU",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "Siempre que sea posible, se recomienda aprovechar las SKU de VM con la función de red acelerada. Esta característica requiere SKU / tamaño de VM específico y versiones del sistema operativo, consulte la lista y los requisitos en el artículo complementario.",
+ "description": "Siempre que sea posible, se recomienda aprovechar las SKU de máquina virtual con la característica de redes aceleradas. 
Esta característica requiere una SKU o tamaño de máquina virtual específicos y versiones del sistema operativo, consulte la lista y los requisitos en el artículo complementario.",
 "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
+ "id": "C01.13",
 "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
 "severity": "Bajo",
 "subcategory": "Planificación de la capacidad",
- "text": "Usar SKU de máquina virtual de Azure capaces de aprovechar las redes aceleradas"
+ "text": "Uso de SKU de máquina virtual de Azure capaces de aprovechar las redes aceleradas",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
 "description": "Para una planeación e implementación adecuadas, es importante evaluar el número máximo de usuarios simultáneos y totales para cada grupo de hosts. Además, los usuarios de diferentes regiones pueden requerir diferentes grupos de hosts para garantizar la mejor experiencia de usuario.",
 "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
+ "id": "C02.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
 "severity": "Medio",
 "subcategory": "Clientes y Usuarios",
- "text": "Evaluar cuántos usuarios se conectarán a AVD y desde qué regiones"
+ "text": "Evalúe cuántos usuarios se conectarán a AVD y desde qué regiones",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "Se deben evaluar y revisar las dependencias de recursos externos al grupo de AVD, por ejemplo, Active Directory, recursos compartidos de archivos externos u otro almacenamiento, servicios y recursos locales, componentes de infraestructura de red como VPN o ExpressRoute, servicios externos y componentes de 3rd-party. Para todos estos recursos, es necesario evaluar la latencia del grupo de hosts AVD y considerar la conectividad. 
Además, las consideraciones de BCDR también deben aplicarse a estas dependencias.",
+ "description": "Se deben evaluar y revisar las dependencias de recursos externos al grupo de AVD, por ejemplo, Active Directory, recursos compartidos de archivos externos u otro almacenamiento, servicios y recursos locales, componentes de infraestructura de red como VPN o ExpressRoute, servicios externos y componentes de terceros. Para todos estos recursos, se debe evaluar la latencia del grupo de hosts AVD y tener en cuenta la conectividad. Además, las consideraciones de BCDR también deben aplicarse a estas dependencias.",
 "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
+ "id": "C02.02",
 "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json",
 "severity": "Medio",
 "subcategory": "Clientes y Usuarios",
- "text": "Evaluar las dependencias externas para cada grupo de hosts"
+ "text": "Evaluación de las dependencias externas para cada grupo de hosts",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "AVD ofrece una variedad de tipos de clientes (fat, thin, web) para conectarse a través de diferentes plataformas (Windows, MacOS, iOS, Android). Revise las limitaciones de cada cliente y compare múltiples opciones cuando sea posible.",
+ "description": "AVD ofrece una variedad de tipos de clientes (gruesos, delgados, web) para conectarse a través de diferentes plataformas (Windows, MacOS, iOS, Android). 
Revise las limitaciones de cada cliente y compare varias opciones cuando sea posible.",
 "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows",
+ "id": "C02.03",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows",
 "severity": "Bajo",
 "subcategory": "Clientes y Usuarios",
- "text": "Revisar el sistema operativo del cliente de usuario utilizado y el tipo de cliente AVD"
+ "text": "Revisar el sistema operativo del cliente de usuario utilizado y el tipo de cliente AVD",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "Dependiendo de las ubicaciones de los usuarios y la implementación de la región AVD, los usuarios pueden tener una experiencia no óptima, por lo tanto, es importante probar lo antes posible en un entorno PoC pequeño. Ejecute la herramienta 'Azure Virtual Desktop Experience Estimator' para seleccionar la mejor región de Azure para implementar grupos de hosts. Más allá de la latencia de 150 ms, la experiencia del usuario puede no ser óptima.",
+ "description": "Dependiendo de las ubicaciones de los usuarios y de la implementación de la región de AVD, es posible que los usuarios tengan una experiencia no óptima, por lo que es importante realizar pruebas lo antes posible en un entorno de PoC pequeño. Ejecute la herramienta \"Estimador de experiencia de Azure Virtual Desktop\" para seleccionar la mejor región de Azure para implementar grupos de hosts. 
Más allá de la latencia de 150 ms, la experiencia del usuario puede no ser óptima.",
 "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
+ "id": "C02.04",
 "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/",
 "severity": "Alto",
 "subcategory": "Clientes y Usuarios",
- "text": "Ejecute una prueba de concepto para validar la experiencia del usuario de extremo a extremo y el impacto de la latencia de la red"
+ "text": "Ejecute una prueba de concepto para validar la experiencia del usuario de extremo a extremo y el impacto de la latencia de la red",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "Actualmente, la configuración de RDP solo se puede configurar en el nivel del grupo de hosts, no por usuario o grupo. Si se requieren diferentes configuraciones para diferentes conjuntos de usuarios, se recomienda crear varios grupos de hosts.",
+ "description": "Actualmente, la configuración de RDP solo se puede configurar en el nivel de grupo de hosts, no por usuario o grupo. 
Si se requiere una configuración diferente para diferentes conjuntos de usuarios, se recomienda crear varios grupos de hosts.",
 "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
+ "id": "C02.05",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
 "severity": "Bajo",
 "subcategory": "Clientes y Usuarios",
- "text": "Evaluar y documentar la configuración de RDP para todos los grupos de usuarios"
+ "text": "Evalúe y documente la configuración de RDP para todos los grupos de usuarios",
+ "waf": "Seguridad"
 },
 {
 "category": "Fundación",
 "description": "AVD es un servicio no regional, los grupos de hosts se pueden crear en cualquier región, la redirección automática desde el front-end más cercano se realizará automáticamente.",
 "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
+ "id": "C03.01",
 "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop",
 "severity": "Alto",
 "subcategory": "General",
- "text": "Determine en qué regiones de Azure se implementarán los grupos de hosts AVD."
+ "text": "Determine en qué regiones de Azure se implementarán los grupos de hosts de AVD.",
+ "waf": "Rendimiento"
 },
 {
 "category": "Fundación",
- "description": "AVD debe almacenar metadatos para admitir el servicio; Esto se almacena en la geografía especificada. Sin embargo, esto es independiente de las regiones donde se encuentran los grupos de servidores.",
+ "description": "AVD debe almacenar metadatos para admitir el servicio; Esto se almacena en la geografía especificada. 
Sin embargo, esto es independiente de las regiones en las que se encuentran los grupos de hosts.",
 "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
+ "id": "C03.02",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
 "severity": "Medio",
 "subcategory": "General",
- "text": "Determinar la ubicación de metadatos para el servicio AVD"
+ "text": "Determinar la ubicación de los metadatos para el servicio AVD",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Fundación",
- "description": "Compruebe si hay SKU de máquina virtual específicas, especialmente si necesita GPU o SKU de especificaciones altas, y finalmente Azure NetApp Files si se usa.",
+ "description": "Compruebe si hay SKU de máquina virtual específicas, especialmente si necesita SKU de GPU o de especificaciones altas y, finalmente, Azure NetApp Files, si se usa.",
 "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
+ "id": "C03.03",
 "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
 "severity": "Bajo",
 "subcategory": "General",
- "text": "Comprobar las cuotas y la disponibilidad de Azure para tamaños y tipos de máquinas virtuales específicos en las regiones seleccionadas"
+ "text": "Comprobación de las cuotas y la disponibilidad de Azure para tamaños y tipos de máquinas virtuales específicos en las regiones seleccionadas",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Identidad",
- "description": "Se recomiendan los controladores de dominio de AD en Azure (al menos dos en zonas de disponibilidad diferentes) para reducir la latencia para los usuarios que inician sesión en hosts de sesión AVD y, finalmente, para Azure NetApp Files y la integración de AD. Un DC debe poder comunicarse con los controladores de dominio para TODOS los dominios secundarios. 
Como alternativa, se debe usar la conectividad local para llegar a los controladores de dominio de AD.",
+ "description": "Se recomiendan controladores de dominio de AD en Azure (al menos dos en diferentes zonas de disponibilidad) para reducir la latencia de los usuarios que inician sesión en hosts de sesión de AVD y, finalmente, para Azure NetApp Files y la integración de AD. Un controlador de dominio debe poder comunicarse con los controladores de dominio de TODOS los dominios secundarios. Como alternativa, se debe usar la conectividad local para llegar a los controladores de dominio de AD.",
 "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
+ "id": "D01.01",
 "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
 "severity": "Medio",
 "subcategory": "Active Directory",
- "text": "Creación de al menos dos controladores de dominio (DC) de Active Directory en un entorno de red virtual de Azure cerca del grupo de hosts AVD"
+ "text": "Creación de al menos dos controladores de dominio (DC) de Active Directory en el entorno de red virtual de Azure cerca del grupo de hosts de AVD",
+ "waf": "Fiabilidad"
 },
 {
 "category": "Identidad",
- "description": "Se recomienda crear una unidad organizativa independiente por grupo de hosts en una jerarquía de unidades organizativas independiente. Estas unidades organizativas contendrán cuentas de máquina de hosts de sesión AVD. ",
+ "description": "Se recomienda crear una unidad organizativa independiente por grupo de hosts en una jerarquía de unidades organizativas independiente. Estas unidades organizativas contendrán cuentas de máquina de hosts de sesión de AVD. 
",
 "guid": "6db55f57-9603-4334-adf9-cc23418db612",
+ "id": "D01.02",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
 "severity": "Medio",
 "subcategory": "Active Directory",
- "text": "Crear una unidad organizativa específica en Active Directory para cada grupo de hosts"
+ "text": "Creación de una unidad organizativa específica en Active Directory para cada grupo de hosts",
+ "waf": "Operaciones"
 },
 {
 "category": "Identidad",
- "description": "Revise detenidamente y, potencialmente, bloquee o filtre la herencia de GPO a las unidades organizativas que contienen grupos de hosts AVD. ",
+ "description": "Revisa detenidamente y, potencialmente, bloquea o filtra la herencia de GPO a las unidades organizativas que contienen grupos de hosts de AVD. ",
 "guid": "7126504b-b47a-4393-a080-327294798b15",
+ "id": "D01.03",
 "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
 "severity": "Medio",
 "subcategory": "Active Directory",
- "text": "Revisar los GPO de dominio que se aplicarán a la unidad organizativa y que afectan a las funcionalidades de los hosts de sesión del grupo de hosts"
+ "text": "Revise los GPO de dominio que se aplicarán a la unidad organizativa y que afectan a las funcionalidades de hosts de sesión del grupo de hosts",
+ "waf": "Operaciones"
 },
 {
 "category": "Identidad",
- "description": "Si se usan GPO de dominio de Active Directory, se recomienda configurar FSLogix mediante la plantilla ADMX de GPO integrada a la que se hace referencia en el artículo complementario de la columna \"Más información\"",
+ "description": "Si se usan GPO de dominio de Active Directory, se recomienda configurar FSLogix mediante la plantilla ADMX de GPO proporcionada integrada a la que se hace referencia en el artículo complementario de la columna \"Más información\"",
 "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
+ "id": "D01.04",
 "link": 
"https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates",
 "severity": "Medio",
 "subcategory": "Active Directory",
- "text": "Configurar las opciones de FSLogix mediante la plantilla ADMX de GPO integrada proporcionada"
+ "text": "Configuración de las opciones de FSLogix mediante la plantilla ADMX de GPO proporcionada integrada",
+ "waf": "Operaciones"
 },
 {
 "category": "Identidad",
 "description": "Se recomienda tener una cuenta dedicada específica con permisos mínimos y sin la limitación predeterminada de 10 uniones. Revise el artículo complementario para obtener más detalles.",
 "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
+ "id": "D01.05",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts",
 "severity": "Medio",
 "subcategory": "Active Directory",
- "text": "Crear una cuenta de usuario dedicada con solo permisos para unir la máquina virtual al dominio"
+ "text": "Cree una cuenta de usuario dedicada con solo permisos para unir la máquina virtual al dominio",
+ "waf": "Seguridad"
 },
 {
 "category": "Identidad",
- "description": "Evite conceder acceso por usuario, en su lugar use grupos de AD y replíquelos con el conector de Active Directory (ADC) en el identificador de Microsoft Entra (antiguo Azure AD). ",
+ "description": "Evite conceder acceso por usuario, en su lugar, use grupos de AD y replíquelos mediante el conector de Active Directory (ADC) en el identificador de Microsoft Entra (anteriormente Azure AD). 
",
 "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
+ "id": "D01.06",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
 "severity": "Medio",
 "subcategory": "Active Directory",
- "text": "Crear un grupo de usuarios de dominio para cada conjunto de usuarios a los que se concederá acceso a cada grupo de aplicaciones del grupo de servidores host (DAG o RAG)"
+ "text": "Cree un grupo de usuarios de dominio para cada conjunto de usuarios a los que se concederá acceso a cada grupo de aplicaciones de grupo de hosts (DAG o RAG)",
+ "waf": "Seguridad"
 },
 {
 "category": "Identidad",
- "description": "Si se usa la integración de Azure Files Active Directory (AD), como parte del procedimiento de configuración, se creará una cuenta de AD para representar la cuenta de almacenamiento (recurso compartido de archivos). Puede elegir registrarse como cuenta de equipo o cuenta de inicio de sesión de servicio, consulte Preguntas frecuentes para obtener más información. Para las cuentas de equipo, hay una antigüedad de caducidad de contraseña predeterminada establecida en AD en 30 días. Del mismo modo, la cuenta de inicio de sesión del servicio puede tener una antigüedad de caducidad de contraseña predeterminada establecida en el dominio de AD o la unidad organizativa (OU). Para ambos tipos de cuenta, le recomendamos que compruebe la antigüedad de caducidad de la contraseña configurada en su entorno de AD y planee actualizar la contraseña de la identidad de la cuenta de almacenamiento de la cuenta de AD antes de la antigüedad máxima de la contraseña. 
Puede considerar la posibilidad de crear una nueva unidad organizativa (OU) de AD en AD y deshabilitar la directiva de caducidad de contraseñas en cuentas de equipo o cuentas de inicio de sesión de servicio en consecuencia.",
+ "description": "Si se usa la integración de Active Directory (AD) de Azure Files, como parte del procedimiento de configuración, se creará una cuenta de AD para representar la cuenta de almacenamiento (recurso compartido de archivos). Puede optar por registrarse como una cuenta de equipo o una cuenta de inicio de sesión de servicio, consulte las preguntas frecuentes para obtener más información. En el caso de las cuentas de equipo, hay una edad de expiración de contraseña predeterminada establecida en AD de 30 días. Del mismo modo, la cuenta de inicio de sesión del servicio puede tener una antigüedad de caducidad de contraseña predeterminada establecida en el dominio de AD o en la unidad organizativa (OU). Para ambos tipos de cuenta, se recomienda comprobar la antigüedad de expiración de la contraseña configurada en el entorno de AD y planear la actualización de la contraseña de la identidad de la cuenta de almacenamiento de la cuenta de AD antes de la antigüedad máxima de la contraseña. 
Puede considerar la posibilidad de crear una nueva unidad organizativa (OU) de AD en AD y deshabilitar la directiva de expiración de contraseñas en las cuentas de equipo o las cuentas de inicio de sesión de servicio según corresponda.", "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3", + "id": "D01.07", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", "severity": "Alto", "subcategory": "Active Directory", - "text": "Revisión de la directiva de expiración de contraseñas de la organización para las cuentas usadas por la integración de Azure Files AD" + "text": "Revisión de la directiva de expiración de contraseñas de la organización para las cuentas usadas por la integración de Azure Files AD", + "waf": "Seguridad" }, { "category": "Identidad", - "description": "Puede configurarlo mediante Active Directory Connect (ADC) o Servicios de dominio de Azure AD (para organizaciones híbridas o en la nube). Microsoft Entra ID es el nuevo nombre de Azure Active Directory (Azure AD).", + "description": "Puede configurarlo mediante Active Directory Connect (ADC) o Azure AD Domain Services (para organizaciones híbridas o en la nube). Microsoft Entra ID es el nuevo nombre de Azure Active Directory (Azure AD).", "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a", + "id": "D01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "Alto", "subcategory": "Active Directory", - "text": "Un bosque/dominio de Windows Server Active Directory debe estar sincronizado con Microsoft Entra ID" + "text": "Un bosque/dominio de Windows Server Active Directory debe estar sincronizado con el identificador de Microsoft Entra", + "waf": "Fiabilidad" }, { "category": "Identidad", - "description": "Si se usa Azure Files y se pueden cumplir los requisitos previos, se recomienda configurar la autenticación Kerberos (Microsoft Entra ID). 
Esta configuración permitirá almacenar perfiles FSLogix a los que pueden acceder las identidades de usuario híbridas desde hosts de sesión unidos a Azure AD sin necesidad de línea de visión de red para los controladores de dominio.", + "description": "Si se usa Azure Files y se pueden cumplir los requisitos previos, se recomienda configurar la autenticación Kerberos (identificador de Microsoft Entra). Esta configuración permitirá almacenar perfiles de FSLogix a los que pueden acceder las identidades de usuario híbrido desde hosts de sesión unidos a Azure AD sin necesidad de una línea de visión de red para los controladores de dominio.", "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338", + "id": "D02.01", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", "severity": "Medio", - "subcategory": "Microsoft Entra ID", - "text": "Configuración del recurso compartido de Azure Files para el identificador de Microsoft Entra (antiguo Azure AD) Autenticación Kerberos en el escenario unido al identificador de Microsoft Entra" + "subcategory": "Id. 
de Microsoft Entra", + "text": "Configuración del recurso compartido de Azure Files para el identificador de Microsoft Entra (anteriormente Azure AD) Autenticación Kerberos en el escenario unido al identificador de Microsoft Entra", + "waf": "Seguridad" }, { "category": "Identidad", - "description": "Una suscripción de Azure debe estar vinculada al mismo inquilino de Microsoft Entra ID (antiguo Azure AD), que contiene una red virtual que contiene o está conectada a la instancia de Servicios de dominio de Windows Server Active Directory o Servicios de dominio de Microsoft Entra ID.", + "description": "Una suscripción de Azure debe estar asociada al mismo inquilino de Microsoft Entra ID (antiguo Azure AD), que contiene una red virtual que contiene o está conectada a la instancia de Windows Server Active Directory Domain Services o Microsoft Entra ID Domain Services.", "guid": "6ceb5443-5125-4922-9442-93bb628537a5", + "id": "D03.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "Alto", "subcategory": "Requisitos", - "text": "Un inquilino de Microsoft Entra ID debe estar disponible con al menos una suscripción vinculada" + "text": "Un inquilino de Microsoft Entra ID debe estar disponible con al menos una suscripción vinculada", + "waf": "Fiabilidad" }, { "category": "Identidad", - "description": "Azure Virtual Desktop admite diferentes tipos de identidades en función de la configuración que elija. Revise los escenarios admitidos mencionados en el artículo \"Más información\" y documente la decisión de diseño en consecuencia en la columna \"Comentario\". Críticamente, las identidades externas (B2B o B2C) no son compatibles. 
Asegúrese de revisar también la lista de escenarios admitidos en https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.", + "description": "Azure Virtual Desktop admite diferentes tipos de identidades en función de la configuración que elija. Revise los escenarios admitidos mencionados en el artículo \"Más información\" y documente la decisión de diseño en consecuencia en la columna \"Comentario\". Fundamentalmente, las identidades externas (B2B o B2C) no son compatibles. Asegúrese de revisar también la lista de escenarios admitidos en https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.", "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c", + "id": "D03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", "severity": "Alto", "subcategory": "Requisitos", - "text": "Revisar y documentar el escenario de identidad" + "text": "Revisión y documentación del escenario de identidad", + "waf": "Seguridad" }, { "category": "Identidad", - "description": "Los usuarios necesitan cuentas que estén en Microsoft Entra ID (antiguo Azure AD). Si también usa AD DS o Servicios de dominio de Azure AD en la implementación de Azure Virtual Desktop, estas cuentas deberán ser identidades híbridas, lo que significa que las cuentas de usuario están sincronizadas. Si usa el identificador de Microsoft Entra con AD DS, deberá configurar Azure AD Connect para sincronizar los datos de identidad de usuario entre AD DS y el identificador de Microsoft entra. Si usa el identificador de Microsoft Entra con los Servicios de dominio de Azure AD, las cuentas de usuario se sincronizan de una manera desde el identificador de Microsoft Entra a los Servicios de dominio de Azure AD. Este proceso de sincronización es automático. AVD también admite cuentas nativas de Microsoft Entra ID con algunas restricciones. 
No se admiten identidades externas (B2B o B2C).", + "description": "Los usuarios necesitan cuentas que estén en el identificador de Microsoft Entra (anteriormente Azure AD). Si también usa AD DS o Azure AD Domain Services en la implementación de Azure Virtual Desktop, estas cuentas deberán ser identidades híbridas, lo que significa que las cuentas de usuario están sincronizadas. Si usa el identificador de Microsoft Entra con AD DS, deberá configurar Azure AD Connect para sincronizar los datos de identidad de usuario entre AD DS y el identificador de Microsoft Entra. Si usa el identificador de Microsoft Entra con Azure AD Domain Services, las cuentas de usuario se sincronizan de forma unidireccional desde el identificador de Microsoft Entra a Azure AD Domain Services. Este proceso de sincronización es automático. AVD también es compatible con las cuentas nativas de Microsoft Entra ID con algunas restricciones. No se admiten identidades externas (B2B o B2C).", "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", + "id": "D03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "Medio", "subcategory": "Requisitos", - "text": "Evaluar los tipos y requisitos de la cuenta de usuario" + "text": "Evaluar los tipos y requisitos de cuentas de usuario", + "waf": "Seguridad" }, { "category": "Identidad", - "description": "AVD admite SSO mediante la autenticación de Servicios de federación de Active Directory (AD FS) o Microsoft Entra ID (anteriormente Azure AD). Esto último se recomienda, consulte los requisitos y la limitación en el artículo 'Más información'. 
El uso de AD FS podría ser una opción viable si ya está presente en el entorno del cliente, no se recomienda implementar una nueva infraestructura de ADFS solo para la implementación de AVD SSO.", + "description": "AVD admite el inicio de sesión único mediante los Servicios de federación de Active Directory (AD FS) o la autenticación de identificador de Microsoft Entra (anteriormente Azure AD). Esto último es recomendable, consulte los requisitos y la limitación en el artículo 'Más información'. El uso de AD FS podría ser una opción viable si ya está presente en el entorno del cliente, no se recomienda implementar una nueva infraestructura de ADFS solo para la implementación de AVD SSO.", "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", + "id": "D03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", "severity": "Medio", "subcategory": "Requisitos", - "text": "Si el inicio de sesión único (SSO) es un requisito, revise los escenarios admitidos y los requisitos previos" + "text": "Si el inicio de sesión único (SSO) es un requisito, revise los escenarios admitidos y los requisitos previos", + "waf": "Fiabilidad" }, { "category": "Identidad", - "description": "Las máquinas virtuales pueden estar unidas a un dominio de Windows Active Directory (AD), a AD híbridas, a Microsoft Entra ID (anteriormente Azure AD) unidas o a los Servicios de dominio de Azure AD. Asegúrese de revisar los escenarios admitidos, las limitaciones y los requisitos del artículo al que se hace referencia.", + "description": "Las máquinas virtuales pueden estar unidas a un dominio de Windows Active Directory (AD), unidas a AD híbrido, unidas a Microsoft Entra ID (anteriormente Azure AD) unido o unido a Azure AD Domain Services. 
Asegúrese de revisar los escenarios, las limitaciones y los requisitos admitidos del artículo al que se hace referencia.", "guid": "ea962a15-9394-46da-a7cc-3923266b2258", + "id": "D03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "Alto", "subcategory": "Requisitos", - "text": "Seleccione el tipo de unión al dominio de host de sesión AVD adecuado" + "text": "Seleccione el tipo de unión de dominio de host de sesión AVD adecuado", + "waf": "Seguridad" }, { "category": "Identidad", - "description": "Comparar los Servicios de dominio de Windows Active Directory autoadministrados, el identificador de Microsoft Entra (anteriormente Azure AD) y los Servicios de dominio de Azure AD administrados (AAD-DS)", + "description": "Compare los servicios de dominio de Windows Active Directory autoadministrados, el identificador de Microsoft Entra (anteriormente Azure AD) y los servicios de dominio de Azure AD administrados (AAD-DS)", "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", + "id": "D03.06", "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", "severity": "Bajo", "subcategory": "Requisitos", - "text": "Antes de usar Servicios de dominio de Azure AD (AAD-D) para AVD, asegúrese de revisar las limitaciones." + "text": "Antes de usar Azure AD Domain Services (AAD-DS) para AVD, asegúrese de revisar las limitaciones.", + "waf": "Fiabilidad" }, { - "category": "Monitoreo y Gestión", - "description": "AVD proporciona plantillas administrativas para Intune y GPO de Active Directory. Usando estas plantillas es posible controlar centralmente varios ajustes de configuración de AVD: Registro de datos relacionados con gráficos, Protección de captura de pantalla, Shortpath RDP para redes administradas, Marca de agua. Consulte el artículo complementario en la columna 'Más información' para obtener más detalles. 
NOTA: FSLogix tiene su propia plantilla separada.", + "category": "Seguimiento y gestión", + "description": "AVD proporciona plantillas administrativas para Intune y GPO de Active Directory. Con estas plantillas es posible controlar de forma centralizada varios ajustes de configuración de AVD: registro de datos relacionados con gráficos, protección de captura de pantalla, RDP Shortpath para redes administradas, marca de agua. Consulte el artículo complementario en la columna 'Más información' para obtener más detalles. NOTA: FSLogix tiene su propia plantilla independiente.", "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", + "id": "E01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", "severity": "Bajo", "subcategory": "Administración", - "text": "Usar plantillas administrativas integradas para la configuración de AVD" + "text": "Usar las plantillas administrativas integradas proporcionadas para la configuración de AVD", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "Determine si ya existe una herramienta de administración de configuración para administrar la configuración de la máquina virtual del grupo de hosts después de la implementación inicial, por ejemplo, SCCM/SCOM, Intune/ConfigurationManager, soluciones de 3rd-party.", + "category": "Seguimiento y gestión", + "description": "Determine si ya existe una herramienta de administración de la configuración para administrar la configuración de la máquina virtual del grupo de hosts después de la implementación inicial, por ejemplo, SCCM/SCOM, Intune/ConfigurationManager, soluciones de terceros.", "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", + "id": "E01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/management", "severity": "Bajo", "subcategory": "Administración", - "text": "Planeación de la estrategia de administración de configuración de AVD Session Hosts" + "text": "Planeación de la estrategia de administración de la 
configuración de hosts de sesión de AVD", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "Se recomienda usar Microsoft Intune, si se pueden cumplir los requisitos, para administrar el entorno de Azure Virtual Desktop. Revise los escenarios y requisitos admitidos para habilitar Intune para la administración de hosts de sesión AVD en el artículo al que se hace referencia en la columna \"Más información\". Documente su elección en la columna 'Comentario'. En ese artículo, revise los diferentes requisitos y capacidades para https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop de sesión única y https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop-multi-session de sesión múltiple AVD.", + "category": "Seguimiento y gestión", + "description": "Se recomienda usar Microsoft Intune, si se pueden cumplir los requisitos, para administrar el entorno de Azure Virtual Desktop. Revise los escenarios y requisitos admitidos para habilitar la administración de host de sesión de Intune para AVD en el artículo al que se hace referencia en la columna Más información. Documente su elección en la columna 'Comentario'. 
En ese artículo, revisa los diferentes requisitos y capacidades para el AVD de https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop de sesión única y https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session de sesión múltiple.", "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", + "id": "E01.03", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", "severity": "Medio", "subcategory": "Administración", - "text": "Evaluar Intune para la administración de hosts de sesión AVD" + "text": "Evaluación de la administración de hosts de sesión de Intune para AVD", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "La herramienta de escalado proporciona una opción de automatización de bajo costo para los clientes que desean optimizar los costos de la máquina virtual del host de sesión. Puede usar la herramienta de escalado para programar máquinas virtuales para que se inicien y detengan en función de las horas comerciales pico y fuera de pico, escalar horizontalmente máquinas virtuales en función del número de sesiones por núcleo de CPU, escalar en máquinas virtuales durante las horas de menor actividad, dejando en ejecución el número mínimo de máquinas virtuales host de sesión. Aún no está disponible para el tipo de grupo de hosts personales.", + "category": "Seguimiento y gestión", + "description": "La herramienta de escalado proporciona una opción de automatización de bajo costo para los clientes que desean optimizar los costos de la máquina virtual del host de sesión. 
Puede usar la herramienta de escalado para programar máquinas virtuales para que se inicien y detengan en función de las horas punta y las horas de menor actividad, escalar horizontalmente las máquinas virtuales en función del número de sesiones por núcleo de CPU, escalar las máquinas virtuales durante las horas de menor actividad, dejando el número mínimo de máquinas virtuales de host de sesión en ejecución. Todavía no está disponible para el tipo de grupo de anfitriones personales.", "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", + "id": "E01.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", "severity": "Medio", "subcategory": "Administración", - "text": "Evaluar los requisitos para la capacidad de escalado automático del grupo de hosts" + "text": "Evaluación de los requisitos para la capacidad de escalado automático del grupo de hosts", + "waf": "Fiabilidad" }, { - "category": "Monitoreo y Gestión", - "description": "Start VM On Connect le permite reducir los costos al permitir que los usuarios finales enciendan sus máquinas virtuales (VM) host de sesión solo cuando las necesiten. A continuación, puede desactivar las máquinas virtuales cuando no sean necesarias. Puede configurar Start VM on Connect para grupos de hosts personales o agrupados mediante Azure Portal o PowerShell. Iniciar máquina virtual al conectar es una configuración de todo el grupo de hosts.", + "category": "Seguimiento y gestión", + "description": "Start VM On Connect le permite reducir los costos al permitir que los usuarios finales enciendan sus máquinas virtuales (VM) de host de sesión solo cuando las necesiten. A continuación, puede desactivar las máquinas virtuales cuando no sean necesarias. Puede configurar Iniciar máquina virtual al conectarse para grupos de hosts personales o agrupados mediante Azure Portal o PowerShell. 
Iniciar máquina virtual al conectarse es una configuración de todo el grupo de hosts.", "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", + "id": "E01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", "severity": "Bajo", "subcategory": "Administración", - "text": "Considere el uso de Start VM on Connect for Personal Host Pools" + "text": "Considere la posibilidad de usar Iniciar máquina virtual en Connect para grupos de hosts personales", + "waf": "Costar" }, { - "category": "Monitoreo y Gestión", - "description": "'Start VM On Connect' proporciona una forma inteligente de iniciar automáticamente hosts de sesión previamente detenidos, pero no proporciona un mecanismo para apagar cuando no se usa. Se recomienda a los administradores que configuren directivas adicionales para cerrar la sesión de los usuarios en sus sesiones y ejecutar scripts de automatización de Azure para desasignar máquinas virtuales. No se debe permitir que los usuarios cierren sus hosts personales, ya que no podrán desasignar máquinas virtuales de Azure, por lo que la facturación seguirá activa sin reducción de costos.", + "category": "Seguimiento y gestión", + "description": "\"Iniciar VM al conectarse\" proporciona una forma inteligente de iniciar automáticamente hosts de sesión previamente detenidos, pero no proporciona un mecanismo para apagarse cuando no está en uso. Se recomienda a los administradores que configuren directivas adicionales para cerrar la sesión de los usuarios y ejecutar scripts de automatización de Azure para desasignar máquinas virtuales. 
No se debe permitir que los usuarios apaguen sus hosts personales, ya que no podrán desasignar máquinas virtuales de Azure, por lo que la facturación seguirá activa sin reducción de costos.", "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", + "id": "E01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", "severity": "Bajo", "subcategory": "Administración", - "text": "Evaluar la implementación de un mecanismo ad-hoc para cerrar los hosts de sesión de Personal AVD" + "text": "Evaluar la implementación de un mecanismo ad-hoc para cerrar los hosts de sesión de AVD personal", + "waf": "Costar" }, { - "category": "Monitoreo y Gestión", - "description": "La facturación de Azure Virtual Desktop se basa principalmente en el costo asociado a los recursos de proceso, redes y almacenamiento consumidos por los grupos de hosts. Además de esto, los costos pueden ser generados por recursos dependientes, por ejemplo, VPN o ExpressRoute o vWAN, controladores de dominio de Active Directory, DNS, etc. No hay ningún costo directo asociado a objetos AVD como espacios de trabajo, grupos de hosts o grupos de aplicaciones. Para que los costos asociados a AVD sean más evidentes y agrupados por grupo de hosts, se recomienda usar la etiqueta 'cm-resource-parent'. ", + "category": "Seguimiento y gestión", + "description": "La facturación de Azure Virtual Desktop se basa principalmente en el costo asociado a los recursos de proceso, redes y almacenamiento consumidos por los grupos de hosts. Además de esto, los costos pueden ser generados por recursos dependientes, por ejemplo, VPN o ExpressRoute o vWAN, controladores de dominio de Active Directory, DNS, etc. No hay ningún costo directo asociado a los objetos AVD, como áreas de trabajo, grupos de hosts o grupos de aplicaciones. 
Para que los costos asociados a AVD sean más evidentes y se agrupen por grupo de hosts, se recomienda usar la etiqueta 'cm-resource-parent'. ", "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", + "id": "E01.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", "severity": "Bajo", "subcategory": "Administración", - "text": "Revisar y adoptar las etiquetas de Azure sugeridas para Azure Virtual Desktop" + "text": "Revisión y adopción de las etiquetas de Azure sugeridas para Azure Virtual Desktop", + "waf": "Costar" }, { - "category": "Monitoreo y Gestión", - "description": "Azure Advisor analiza las configuraciones y la telemetría para ofrecer recomendaciones personalizadas para resolver problemas comunes. Con estas recomendaciones, puede optimizar sus recursos de Azure para ofrecer confiabilidad, seguridad, excelencia operativa, rendimiento y costo.", + "category": "Seguimiento y gestión", + "description": "Azure Advisor analiza las configuraciones y la telemetría para ofrecer recomendaciones personalizadas para resolver problemas comunes. 
Con estas recomendaciones, puede optimizar los recursos de Azure para la confiabilidad, la seguridad, la excelencia operativa, el rendimiento y el costo.", "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", + "id": "E01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", "severity": "Bajo", "subcategory": "Administración", - "text": "Comprobar periódicamente las recomendaciones de Azure Advisor para AVD" + "text": "Comprobación periódica de las recomendaciones de Azure Advisor para AVD", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "Los clientes tienen varias opciones: Microsoft Configuration Manager, en este artículo se explica cómo aplicar automáticamente actualizaciones a hosts de sesión de Azure Virtual Desktop que ejecutan Windows 10/11: https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management y WSUS solo para SO de servidor Windows (SO cliente no compatible: https://learn.microsoft.com/en-us/azure/automation/update-management/operating-system-requirements), herramientas del 3er Partido. 
Fuera de una situación de parches de seguridad de emergencia, se recomienda alejarse de una estrategia de parches de actualización \"in situ\" y adoptar un enfoque de regeneración de imágenes.", + "category": "Seguimiento y gestión", + "description": "Los clientes tienen varias opciones: Microsoft Configuration Manager, en este artículo se explica cómo aplicar automáticamente actualizaciones a hosts de sesión de Azure Virtual Desktop que ejecutan Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management y WSUS solo para el sistema operativo Windows Server (no se admite el sistema operativo cliente): https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), herramientas de terceros. Fuera de una situación de parches de seguridad de emergencia, se recomienda alejarse de una estrategia de parches de actualización \"in situ\" y adoptar un enfoque de recreación de imágenes.", "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", + "id": "E01.09", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "severity": "Medio", "subcategory": "Administración", - "text": "Planeación de una estrategia de actualización y revisión de emergencia del host de sesión" + "text": "Planeación de una estrategia de actualización y aplicación de parches de emergencia del host de sesión", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "La función Actualizaciones programadas del agente le permite crear hasta dos ventanas de mantenimiento por grupo de hosts para actualizar los componentes de AVD en un momento conveniente. Se recomienda especificar ventanas de mantenimiento y luego no se realizará la actualización de los hosts de sesión durante las horas pico de trabajo. 
Las actualizaciones programadas del agente están deshabilitadas de forma predeterminada. Esto significa que, a menos que habilite esta configuración, el agente puede ser actualizado en cualquier momento por el servicio de vuelo de actualización del agente.", + "category": "Seguimiento y gestión", + "description": "La función Actualizaciones programadas del agente te permite crear hasta dos ventanas de mantenimiento por grupo de hosts para actualizar los componentes de AVD en un momento conveniente. Se recomienda especificar ventanas de mantenimiento y, a continuación, la actualización de los hosts de sesión no se realizará durante las horas de mayor actividad. Las actualizaciones programadas del agente están deshabilitadas de forma predeterminada. Esto significa que, a menos que habilite esta configuración, el servicio piloto de actualización del agente puede actualizarlo en cualquier momento.", "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", + "id": "E01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "severity": "Bajo", "subcategory": "Administración", - "text": "Configurar la función Actualizaciones programadas del agente" + "text": "Configurar la función Actualizaciones programadas del agente", + "waf": "Fiabilidad" }, { - "category": "Monitoreo y Gestión", - "description": "Los grupos de servidores host son una colección de una o varias máquinas virtuales idénticas dentro del entorno de Azure Virtual Desktop. Se recomienda encarecidamente crear un grupo de hosts de validación donde se apliquen primero las actualizaciones de servicio. Esto le permite supervisar las actualizaciones del servicio antes de que el servicio las aplique a su entorno estándar o de no validación.", + "category": "Seguimiento y gestión", + "description": "Los grupos de hosts son una colección de una o varias máquinas virtuales idénticas dentro del entorno de Azure Virtual Desktop. 
Se recomienda encarecidamente crear un grupo de hosts de validación en el que se apliquen primero las actualizaciones de servicio. Esto le permite supervisar las actualizaciones del servicio antes de que el servicio las aplique a su entorno estándar o sin validación.", "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "id": "E01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "severity": "Medio", "subcategory": "Administración", - "text": "Crear un grupo de hosts de validación (canario)" + "text": "Creación de un grupo de hosts de validación (canary)", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "Un grupo de hosts AVD se puede implementar de varias maneras: Portal de Azure, plantillas de ARM, herramienta CLI de Azure, PowerShell, creación manual de máquinas virtuales con token de registro, Terraform, herramientas de 3rd-party. Es importante adoptar método(s) adecuados/s para soportar la implementación automática a través de herramientas de automatización y CI/CD.", + "category": "Seguimiento y gestión", + "description": "Un grupo de hosts de AVD se puede implementar de varias maneras: Azure Portal, plantillas de ARM, herramienta de la CLI de Azure, Powershell, creación manual de máquinas virtuales con token de registro, Terraform, herramientas de terceros. 
Es importante adoptar los métodos adecuados para admitir la implementación automática a través de herramientas de automatización y CI/CD.", "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "id": "E01.12", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "severity": "Medio", "subcategory": "Administración", - "text": "Determinación de la estrategia de implementación del grupo de hosts" + "text": "Determinación de la estrategia de implementación del grupo de hosts", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "Después de registrar una máquina virtual en un grupo de hosts dentro del servicio Azure Virtual Desktop, el agente actualiza periódicamente el token de la máquina virtual siempre que la máquina virtual está activa. El certificado para el token de registro es válido durante 90 días. Debido a este límite de 90 días, recomendamos que las máquinas virtuales estén en línea durante 20 minutos cada 90 días para que la máquina pueda actualizar sus tokens y actualizar el agente y los componentes de la pila en paralelo.", + "category": "Seguimiento y gestión", + "description": "Después de registrar una máquina virtual en un grupo de hosts dentro del servicio Azure Virtual Desktop, el agente actualiza periódicamente el token de la máquina virtual cada vez que la máquina virtual está activa. El certificado del token de registro es válido durante 90 días. 
Debido a este límite de 90 días, se recomienda que las máquinas virtuales estén en línea durante 20 minutos cada 90 días para que la máquina pueda actualizar sus tokens y actualizar el agente y los componentes de la pila en paralelo.", "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "id": "E01.13", "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "severity": "Medio", "subcategory": "Administración", - "text": "Activar las máquinas virtuales host de sesión al menos cada 90 días para la actualización de tokens" + "text": "Activar las máquinas virtuales de host de sesión al menos cada 90 días para la actualización de tokens", + "waf": "Operaciones" }, { - "category": "Monitoreo y Gestión", - "description": "Azure Virtual Desktop Insights es un panel basado en libros de Azure Monitor que ayuda a los profesionales de TI a comprender sus entornos de Azure Virtual Desktop. Lea el artículo al que se hace referencia para obtener información sobre cómo configurar Azure Monitor para Azure Virtual Desktop para supervisar los entornos AVD.", + "category": "Seguimiento y gestión", + "description": "Azure Virtual Desktop Insights es un panel basado en libros de Azure Monitor que ayuda a los profesionales de TI a comprender sus entornos de Azure Virtual Desktop. Lea el artículo al que se hace referencia para obtener información sobre cómo configurar Azure Monitor para Azure Virtual Desktop para supervisar los entornos de AVD.", "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "id": "E02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "severity": "Alto", "subcategory": "Monitorización", - "text": "Habilitar la supervisión para AVD" + "text": "Habilitación de la supervisión de AVD", + "waf": "Fiabilidad" }, { - "category": "Monitoreo y Gestión", - "description": "Azure Virtual Desktop usa Azure Monitor y Log Analytics para la supervisión y las alertas como muchos otros servicios de Azure. 
Esto permite a los administradores identificar problemas a través de una única interfaz. El servicio crea registros de actividad para las acciones administrativas y de usuario. Cada registro de actividad se divide en las siguientes categorías: Administración, Fuente, Conexiones, Registro de host, Errores, Puntos de control. ", + "category": "Seguimiento y gestión", + "description": "Azure Virtual Desktop usa Azure Monitor y Log Analytics para la supervisión y las alertas, como muchos otros servicios de Azure. Esto permite a los administradores identificar problemas a través de una única interfaz. El servicio crea registros de actividad para las acciones administrativas y de usuario. Cada registro de actividad se divide en las siguientes categorías: Administración, Fuente, Conexiones, Registro de host, Errores, Puntos de control. ", "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "id": "E02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "severity": "Medio", "subcategory": "Monitorización", - "text": "Habilitar la configuración de diagnóstico para áreas de trabajo, grupos de hosts, grupos de aplicaciones y máquinas virtuales host en el área de trabajo de Log Analytics" + "text": "Habilitación de la configuración de diagnóstico para áreas de trabajo, grupos de hosts, grupos de aplicaciones y máquinas virtuales host en el área de trabajo de Log Analytics", + "waf": "Fiabilidad" }, { - "category": "Monitoreo y Gestión", + "category": "Seguimiento y gestión", "description": "Consulte el artículo al que se hace referencia y este adicional para configurar la supervisión y las alertas adecuadas para el almacenamiento: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. 
", "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "id": "E02.03", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "severity": "Medio", "subcategory": "Monitorización", - "text": "Crear alertas en el almacenamiento del perfil para recibir alertas en caso de uso elevado y limitación" + "text": "Crear alertas en el almacenamiento de perfiles para recibir alertas en caso de uso elevado y limitación", + "waf": "Fiabilidad" }, { - "category": "Monitoreo y Gestión", - "description": "Puede usar Azure Service Health para supervisar problemas de servicio y avisos de mantenimiento para Azure Virtual Desktop. Azure Service Health puede notificarle con diferentes tipos de alertas (por ejemplo, correo electrónico o SMS), ayudarle a comprender el efecto de un problema y mantenerle actualizado a medida que se resuelve el problema.", + "category": "Seguimiento y gestión", + "description": "Puede usar Azure Service Health para supervisar los problemas de servicio y los avisos de estado de Azure Virtual Desktop. Azure Service Health puede notificarle con diferentes tipos de alertas (por ejemplo, correo electrónico o SMS), ayudarle a comprender el efecto de un problema y mantenerlo actualizado a medida que se resuelve el problema.", "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "id": "E02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "severity": "Medio", "subcategory": "Monitorización", - "text": "Configuración del estado del servicio de Azure para alertas AVD " + "text": "Configuración de Azure Service Health para alertas de AVD ", + "waf": "Fiabilidad" }, { "category": "Gestión de redes", - "description": "Si es necesario conectarse al entorno local, evalúe la opción de conectividad actual o planee la conectividad necesaria (ExpressRoute, Azure S2S o VPN NVA de terceros). 
", + "description": "Si es necesario para conectarse a un entorno local, evalúe la opción de conectividad actual o planee la conectividad necesaria (ExpressRoute, Azure S2S o VPN de NVA de terceros). ", "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "id": "F01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "Medio", "subcategory": "Gestión de redes", - "text": "Determinar si se requiere conectividad híbrida para conectarse al entorno local" + "text": "Determinar si se requiere conectividad híbrida para conectarse al entorno local", + "waf": "Fiabilidad" }, { "category": "Gestión de redes", - "description": "Los grupos de hosts AVD se pueden implementar en Azure Virtual WAN o en topologías de red tradicionales 'Hub & Spoke'. Se recomienda implementar cada grupo de hosts en una red virtual \"radial\" independiente, no se recomienda usar 'hub'.", + "description": "Los grupos de hosts de AVD se pueden implementar en Azure Virtual WAN o en topologías de red tradicionales de \"Hub & Spoke\". Se recomienda implementar cada grupo de hosts en una red virtual de \"radio\" independiente, no se recomienda usar \"concentrador\".", "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "id": "F01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "severity": "Medio", "subcategory": "Gestión de redes", - "text": "Determinación de la ubicación de la red virtual de Azure (VNet) para cada grupo de hosts AVD" + "text": "Determinación de la ubicación de Azure Virtual Network (VNet) para cada grupo de hosts de AVD", + "waf": "Rendimiento" }, { "category": "Gestión de redes", - "description": "Evalúe los requisitos de ancho de banda, asegúrese de que el ancho de banda VPN / ER sea suficiente, asegúrese de que se implementen las reglas de enrutamiento y firewall adecuadas, pruebe la latencia de extremo a extremo. 
", + "description": "Evalúe los requisitos de ancho de banda, asegúrese de que el ancho de banda de VPN/ER sea suficiente, asegúrese de que se implementen las reglas de enrutamiento y firewall adecuadas, pruebe la latencia de extremo a extremo. ", "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "id": "F01.03", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "Medio", "subcategory": "Gestión de redes", - "text": "Evaluar qué recursos locales se requieren de los grupos de hosts AVD" + "text": "Evalúe qué recursos locales se requieren de los grupos de hosts de AVD", + "waf": "Fiabilidad" }, { "category": "Gestión de redes", - "description": "Hay varias opciones disponibles. Puede usar Azure Firewall o servidores NVA, grupo de seguridad de red (NSG) o proxy equivalentes de 3ª parte. NSG no puede habilitar/deshabilitar por URL, solo puertos y protocolos. El proxy debe usarse solo como configuración explícita en el navegador del usuario. Los detalles sobre el uso de Azure Firewall Premium con AVD se indican en el artículo complementario de la columna \"Más información\". Asegúrese de permitir el acceso adecuado a las URL AVD requeridas. No se recomienda la tunelización forzada a las instalaciones.", + "description": "Hay varias opciones disponibles. Puede usar Azure Firewall o servidores equivalentes de NVA, grupo de seguridad de red (NSG) o servidores proxy. El grupo de seguridad de red no puede habilitar o deshabilitar por dirección URL, solo puertos y protocolos. El proxy solo debe usarse como configuración explícita en el navegador del usuario. Los detalles sobre el uso de Azure Firewall Premium con AVD se informan en el artículo complementario de la columna \"Más información\". Asegúrate de permitir el acceso adecuado a las URL de AVD requeridas. 
No se recomienda la tunelización forzada en el entorno local.", "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": " https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "id": "F01.04", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "Medio", "subcategory": "Gestión de redes", - "text": "¿Necesita controlar/restringir el tráfico saliente de Internet para los hosts AVD?" + "text": "¿Necesitas controlar o restringir el tráfico saliente de Internet para los hosts AVD?", + "waf": "Seguridad" }, { "category": "Gestión de redes", - "description": "Las URL necesarias para el acceso al plano de control AVD por parte de los hosts de sesión se documentan aquí: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. Hay disponible una herramienta de comprobación para verificar la conectividad de los hosts de sesión: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. No se recomienda la tunelización forzada a las instalaciones.", + "description": "Las URL necesarias para el acceso al plano de control de AVD por parte de los hosts de sesión se documentan aquí: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. Hay disponible una herramienta de comprobación para verificar la conectividad de los hosts de sesión: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. 
No se recomienda la tunelización forzada en el entorno local.", "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "id": "F01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", "severity": "Alto", "subcategory": "Gestión de redes", - "text": "Asegúrese de que los puntos finales del plano de control AVD sean accesibles" + "text": "Asegúrese de que los puntos de conexión del plano de control de AVD sean accesibles", + "waf": "Fiabilidad" }, { "category": "Gestión de redes", - "description": "Tenga en cuenta el uso de Azure Defender Endpoint o agentes similares de 3rd party para controlar la navegación web del usuario, consulte la sección Seguridad para obtener más detalles.", + "description": "Tenga en cuenta el uso de Azure Defender Endpoint o agentes de terceros similares para controlar la navegación web del usuario, consulte la sección Seguridad para obtener más información.", "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "id": "F01.06", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "severity": "Medio", "subcategory": "Gestión de redes", - "text": "¿Necesita controlar/restringir el tráfico saliente de Internet solo para usuarios en hosts AVD? " + "text": "¿Necesita controlar o restringir el tráfico saliente de Internet solo para los usuarios de hosts AVD? ", + "waf": "Seguridad" }, { "category": "Gestión de redes", - "description": "UDR y NSG personalizados se pueden aplicar a subredes del grupo de hosts AVD, por ejemplo, para redirigir a Azure Firewall o NVA, o para filtrar o bloquear el tráfico de red. En este caso se recomienda revisar cuidadosamente para asegurarse de que se utiliza la ruta óptima para el tráfico saliente al plano de control AVD. 
Las etiquetas de servicio ahora se pueden usar con UDR y NSG, luego el tráfico del plano de administración AVD se puede permitir fácilmente: https://learn.microsoft.com/en-us/azure/virtual-desktop/safe-url-list.", + "description": "La UDR y el grupo de seguridad de red personalizados se pueden aplicar a las subredes del grupo de hosts de AVD, por ejemplo, para redirigir a Azure Firewall o NVA, o para filtrar o bloquear el tráfico de red. En este caso, se recomienda revisar cuidadosamente para asegurarse de que se utiliza una ruta óptima para el tráfico saliente al plano de control AVD. Las etiquetas de servicio ahora se pueden usar con UDR y NSG, por lo que el tráfico del plano de administración de AVD se puede permitir fácilmente: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "id": "F01.07", "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "Bajo", "subcategory": "Gestión de redes", - "text": "Revisar UDR y NSG personalizados para subredes de grupos de hosts AVD" + "text": "Revisión de UDR y NSG personalizados para subredes de grupo de hosts AVD", + "waf": "Seguridad" }, { "category": "Gestión de redes", - "description": "El tráfico de red desde las máquinas virtuales host de sesión AVD al plano de control AVD debe ser lo más directo posible. Redirigir este tráfico a través de un proxy o firewall con inspección profunda de paquetes y / o terminación SSL podría causar problemas graves y una mala experiencia del cliente. Se recomienda omitir Proxy y Firewall solo para el plano de control AVD. El tráfico generado por el usuario que navega por la web en su lugar, debe ser filtrado por el Firewall y / o redirigido a un Proxy. 
Para obtener detalles y directrices, consulte el artículo complementario en la columna \"Más información\".", + "description": "El tráfico de red de las máquinas virtuales del host de sesión de AVD al plano de control de AVD debe ser lo más directo posible. Redirigir este tráfico a través de un proxy o firewall con inspección profunda de paquetes y/o terminación SSL podría causar problemas graves y una mala experiencia del cliente. Se recomienda omitir el proxy y el firewall solo para el plano de control del AVD. En cambio, el tráfico generado por el usuario que navega por la web debe ser filtrado por el Firewall y/o redirigido a un Proxy. Para obtener más información y directrices, consulte el artículo complementario en la columna \"Más información\".", "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", + "id": "F01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", "severity": "Alto", "subcategory": "Gestión de redes", - "text": "No utilice servidores proxy, terminación SSL e inspección profunda de paquetes para el tráfico del plano de control AVD" + "text": "No utilice servidores proxy, terminación SSL e inspección profunda de paquetes para el tráfico del plano de control AVD", + "waf": "Fiabilidad" }, { "category": "Gestión de redes", "description": "Se recomienda evaluar y revisar los requisitos de ancho de banda de red para los usuarios, en función del tipo de carga de trabajo específico. El artículo al que se hace referencia proporciona estimaciones y recomendaciones generales, pero se requieren medidas específicas para un tamaño adecuado. 
", "guid": "516785c6-fa96-4c96-ad88-408f372734c8", + "id": "F01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", "severity": "Bajo", "subcategory": "Gestión de redes", - "text": "Compruebe el ancho de banda de red necesario para cada usuario y, en total, para la SKU de máquina virtual" + "text": "Compruebe el ancho de banda de red necesario para cada usuario y en total para la SKU de la máquina virtual", + "waf": "Rendimiento" }, { "category": "Gestión de redes", - "description": "Si se va a usar el recurso compartido SMB de Azure Files para almacenar perfiles de usuario a través de FSLogix, se recomienda el uso de Private Endpoint (PE) para el acceso privado al almacenamiento. Los hosts de sesión AVD accederán al almacenamiento mediante una IP privada en la misma red virtual, se recomienda una subred independiente. Esta característica tiene un costo adicional que debe ser evaluado. Si no se va a utilizar PE, al menos se recomienda Service Endpoint (sin costo asociado).", + "description": "Si se va a usar el recurso compartido SMB de Azure Files para almacenar perfiles de usuario a través de FSLogix, se recomienda el uso de Private Endpoint (PE) para el acceso privado al almacenamiento. Los hosts de sesión de AVD accederán al almacenamiento mediante una dirección IP privada en la misma red virtual, se recomienda una subred independiente. Esta característica tiene un costo adicional que debe ser evaluado. 
Si no se va a usar PE, se recomienda al menos el punto de conexión de servicio (sin costo asociado).", "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "id": "F01.10", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "severity": "Medio", "subcategory": "Gestión de redes", - "text": "Evaluación del uso del punto de conexión privado para el recurso compartido de Azure Files" + "text": "Evaluación del uso del punto de conexión privado para el recurso compartido de Azure Files", + "waf": "Seguridad" }, { "category": "Gestión de redes", - "description": "Las conexiones a Azure Virtual Desktop pueden usar TCP o UDP. RDP Shortpath es una característica de AVD que establece un transporte directo basado en UDP entre un cliente de Escritorio remoto de Windows compatible y un host de sesión. si los clientes tienen línea de visión a los hosts de sesión AVD desde la red interna (no se recomienda el uso de VPN), esta característica puede proporcionar una latencia más baja y el mejor rendimiento, como se explica en https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", + "description": "Las conexiones a Azure Virtual Desktop pueden usar TCP o UDP. RDP Shortpath es una característica de AVD que establece un transporte directo basado en UDP entre un cliente de Escritorio remoto de Windows compatible y un host de sesión. 
si los clientes tienen línea de visión a los hosts de sesión AVD desde la red interna (no se recomienda el uso de VPN), esta función puede proporcionar una latencia más baja y los mejores rendimientos, como se explica en https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", + "id": "F01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", "severity": "Medio", "subcategory": "Gestión de redes", - "text": "Evaluar el uso de RDP ShortPath para clientes que se conectan desde redes internas administradas" + "text": "Evaluar el uso de RDP ShortPath para clientes que se conectan desde redes internas administradas", + "waf": "Rendimiento" }, { "category": "Seguridad", "description": "Se deben usar los mecanismos de seguridad proporcionados por GPO, si están disponibles. Por ejemplo, es posible imponer el bloqueo de pantalla del escritorio y el tiempo de desconexión de la sesión inactiva. Los GPO existentes aplicados al entorno local deben revisarse y, finalmente, aplicarse también para proteger también los hosts AVD cuando se unen al dominio.", "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", + "id": "G01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", "severity": "Medio", "subcategory": "Active Directory", - "text": "Revisar el GPO de Active Directory para proteger las sesiones RDP" + "text": "Revisión del GPO de Active Directory para proteger las sesiones de RDP", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Microsoft Defender para Endpoint admite Azure Virtual Desktop para Windows 10/11 Enterprise multisesión. 
Consulte el artículo para la incorporación de dispositivos de infraestructura de escritorio virtual (VDI) no persistentes: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", + "description": "Microsoft Defender para punto de conexión admite Azure Virtual Desktop para Windows 10/11 Enterprise multisesión. Consulte el artículo para la incorporación de dispositivos de infraestructura de escritorio virtual (VDI) no persistentes: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", "guid": "b1172576-9ef6-4691-a483-5ac932223ece", + "id": "G02.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "severity": "Alto", "subcategory": "Configuración del host", - "text": "Asegúrese de que se utilizan soluciones antivirus y antimalware" + "text": "Asegúrese de que se utilizan soluciones antivirus y antimalware", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Los discos de Azure ya están cifrados en reposo de forma predeterminada con claves administradas por Microsoft. El cifrado de disco del sistema operativo de máquina virtual host es posible y se admite mediante Azure Disk Encryption (ADE - BitLocker) y Disk Encryption Set (DES - Server Side Encryption), este último recomendado. El cifrado del almacenamiento FSLogix mediante Azure Files se puede realizar mediante SSE en Azure Storage. Para el cifrado de OneDrive, consulta este artículo: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.", + "description": "Los discos de Azure ya están cifrados en reposo de forma predeterminada con claves administradas de Microsoft. 
El cifrado de disco del sistema operativo de la máquina virtual host es posible y compatible con Azure Disk Encryption (ADE - BitLocker) y Disk Encryption Set (DES - Server Side Encryption), este último se recomienda. El cifrado del almacenamiento de FSLogix mediante Azure Files se puede realizar mediante SSE en Azure Storage. Para obtener información sobre el cifrado de OneDrive, consulte este artículo: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.", "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", + "id": "G02.02", "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", "severity": "Bajo", "subcategory": "Configuración del host", - "text": "Evaluar los requisitos de cifrado de disco para los hosts de sesión AVD" + "text": "Evaluar los requisitos de cifrado de disco para hosts de sesión de AVD", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "El lanzamiento de confianza son las máquinas virtuales Gen2 Azure con características de seguridad mejoradas destinadas a proteger contra las amenazas de la \"parte inferior de la pila\" a través de vectores de ataque como rootkits, kits de arranque y malware de nivel de kernel. Se recomienda habilitar y aprovechar el arranque seguro, el TPM virtual (vTPM) y la supervisión de integridad.", + "description": "El lanzamiento seguro son las máquinas virtuales de Azure Gen2 con características de seguridad mejoradas destinadas a proteger contra las amenazas de la parte inferior de la pila a través de vectores de ataque como rootkits, kits de arranque y malware a nivel de kernel. 
Se recomienda habilitar y aprovechar el arranque seguro, el TPM virtual (vTPM) y la supervisión de integridad.", "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", + "id": "G02.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", "severity": "Medio", "subcategory": "Configuración del host", - "text": "Habilitación del inicio de confianza en hosts de sesión de máquina virtual de Azure Gen2" + "text": "Habilitación del inicio seguro en hosts de sesión de máquina virtual de Azure Gen2", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Trusted Launch y Gen2 VM no solo son características de mejora de la seguridad y el rendimiento, sino también requisitos del sistema para Windows 11. Al crear un entorno AVD basado en Windows 11, es esencial habilitar estas características.", + "description": "Trusted Launch y Gen2 VM no solo son características que mejoran la seguridad y el rendimiento, sino también requisitos del sistema para Windows 11. Al crear un entorno AVD basado en Windows 11, es esencial habilitar estas funciones.", "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", + "id": "G02.04", "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", "severity": "Alto", "subcategory": "Configuración del host", - "text": "Habilitar Trusted Launch y usar la imagen Gen2 son requisitos del sistema para Windows 11" + "text": "Habilitar el inicio seguro y usar la imagen Gen2 son requisitos del sistema para Windows 11", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "El contenido mostrado se bloqueará u ocultará automáticamente en las capturas de pantalla. Tenga en cuenta que el uso compartido de pantalla también se bloqueará cuando use Teams u otro software de colaboración que use el uso compartido de pantalla.", + "description": "El contenido mostrado se bloqueará u ocultará automáticamente en las capturas de pantalla. 
Tenga en cuenta que el uso compartido de pantalla también se bloqueará cuando se use Teams u otro software de colaboración que use el uso compartido de pantalla.", "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", + "id": "G02.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", "severity": "Bajo", "subcategory": "Configuración del host", - "text": "Considere habilitar la protección de captura de pantalla para evitar que se capture información confidencial" + "text": "Considere la posibilidad de habilitar la protección de captura de pantalla para evitar que se capture información confidencial", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Si no es absolutamente necesario, la redirección de unidades, impresoras y dispositivos USB al dispositivo local de un usuario en una sesión de escritorio remoto debe estar deshabilitada o muy restringida. Restringir el acceso del Explorador de Windows ocultando las asignaciones de unidades locales y remotas también es una medida segura para evitar que los usuarios descubran información no deseada sobre la configuración del sistema y los usuarios.", + "description": "Si no es absolutamente necesario, la redirección de unidades, impresoras y dispositivos USB al dispositivo local de un usuario en una sesión de escritorio remoto debe estar deshabilitada o muy restringida. 
Restringir el acceso al Explorador de Windows ocultando las asignaciones de unidades locales y remotas también es una medida segura para adoptar que evita que los usuarios descubran información no deseada sobre la configuración del sistema y los usuarios.", "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", + "id": "G02.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", "severity": "Medio", "subcategory": "Configuración del host", - "text": "Restringir la redirección de dispositivos y la asignación de unidades" + "text": "Restrinja la redirección de dispositivos y la asignación de unidades", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Al elegir un modelo de implementación, puede proporcionar a los usuarios remotos acceso a escritorios virtuales completos o solo a aplicaciones seleccionadas. Las aplicaciones remotas, o RemoteApps, proporcionan una experiencia perfecta a medida que el usuario trabaja con aplicaciones en su escritorio virtual. RemoteApps reduce el riesgo al permitir que el usuario trabaje solo con un subconjunto del equipo remoto expuesto por la aplicación.", + "description": "Al elegir un modelo de implementación, puede proporcionar a los usuarios remotos acceso a escritorios virtuales completos o solo a aplicaciones seleccionadas. Las aplicaciones remotas, o RemoteApps, proporcionan una experiencia fluida a medida que el usuario trabaja con aplicaciones en su escritorio virtual. 
RemoteApps reduce el riesgo al permitir que el usuario solo trabaje con un subconjunto de la máquina remota expuesta por la aplicación.", "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", + "id": "G03.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "Medio", "subcategory": "Administración", - "text": "Cuando sea posible, prefiera las aplicaciones remotas a los escritorios completos (DAG)" + "text": "Cuando sea posible, prefiera las aplicaciones remotas en lugar de los escritorios completos (DAG)", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "La característica de filtrado de contenido web proporcionada por la funcionalidad de protección web de Microsoft Defender para Endpoint se puede usar para controlar la navegación web del usuario. Si se utiliza esta herramienta, se recomienda configurar el filtrado web para la navegación web del usuario. Se debe garantizar el acceso del sistema de SO invitado a las URL del plano de control AVD requeridas.", + "description": "La característica de filtrado de contenido web proporcionada por la funcionalidad de protección web de Microsoft Defender para punto de conexión se puede usar para controlar la navegación web del usuario. Si se utiliza esta herramienta, se recomienda configurar el filtrado web para la navegación web del usuario. Se debe garantizar el acceso del sistema SO invitado a las URL del plano de control AVD requeridas.", "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "id": "G03.02", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "Medio", "subcategory": "Administración", - "text": "¿Necesita controlar/restringir la navegación del usuario por Internet desde los hosts de sesión AVD?" 
+ "text": "¿Necesita controlar o restringir la navegación por Internet de los usuarios desde los hosts de sesión de AVD?", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Le recomendamos que no conceda a los usuarios acceso de administrador a escritorios virtuales. Si necesita paquetes de software, le recomendamos que los ponga a disposición a través de utilidades de administración de configuración.", + "description": "Le recomendamos que no conceda a los usuarios acceso de administrador a los escritorios virtuales. Si necesita paquetes de software, le recomendamos que los ponga a su disposición a través de las utilidades de administración de configuración.", "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "id": "G03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", "severity": "Alto", "subcategory": "Administración", - "text": "Asegúrese de que los usuarios de AVD no tengan privilegios de administrador local en los hosts AVD" + "text": "Asegúrate de que los usuarios de AVD no tengan privilegios de administrador local en los hosts de AVD", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Le recomendamos que habilite Defender for Cloud para las suscripciones, máquinas virtuales, almacenes de claves y cuentas de almacenamiento utilizadas por AVD. Con esta herramienta es posible evaluar y gestionar vulnerabilidades, evaluar el cumplimiento de marcos comunes como PCI, fortalecer la seguridad general de su entorno AVD y medirla a lo largo del tiempo utilizando 'Secure Score': https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide#improve-your-secure-score.", + "description": "Se recomienda habilitar Defender for Cloud para las suscripciones, las máquinas virtuales, los almacenes de claves y las cuentas de almacenamiento que usa AVD. 
Con esta herramienta es posible evaluar y gestionar las vulnerabilidades, evaluar el cumplimiento de marcos comunes como PCI, reforzar la seguridad general de tu entorno AVD y medirla a lo largo del tiempo utilizando 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "id": "G03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "severity": "Medio", "subcategory": "Administración", - "text": "Habilitar Microsoft Defender para la nube para administrar la postura de seguridad de los hosts de sesión AVD" + "text": "Habilitación de Microsoft Defender for Cloud para administrar la posición de seguridad de hosts de sesión de AVD", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "La habilitación de la recopilación de registros de auditoría le permite ver la actividad de usuarios y administradores relacionada con Azure Virtual Desktop y almacenarla en un repositorio central como el área de trabajo de Log Analytics. ", + "description": "La habilitación de la recopilación de registros de auditoría le permite ver la actividad de usuario y administrador relacionada con Azure Virtual Desktop y almacenarla en un repositorio central, como el área de trabajo de Log Analytics. ", "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "id": "G03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", "severity": "Medio", "subcategory": "Administración", - "text": "Habilitar el registro de diagnóstico y auditoría" + "text": "Habilitación del registro de diagnóstico y auditoría", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Asigne el privilegio mínimo necesario definiendo roles administrativos, de operaciones e ingeniería a roles RBAC de Azure. 
Para limitar el acceso a roles con privilegios altos dentro de la zona de aterrizaje de Azure Virtual Desktop, considere la posibilidad de integrarlos con Azure Privileged Identity Management (PIM). Mantener el conocimiento de qué equipo es responsable de cada área administrativa concreta le ayuda a determinar los roles y la configuración del control de acceso basado en rol (RBAC) de Azure.", + "description": "Asigne los privilegios mínimos necesarios mediante la definición de roles administrativos, de operaciones y de ingeniería a los roles de RBAC de Azure. Para limitar el acceso a roles con privilegios elevados dentro de la zona de aterrizaje de Azure Virtual Desktop, considere la posibilidad de integrarse con Azure Privileged Identity Management (PIM). Mantener el conocimiento de qué equipo es responsable de cada área administrativa determinada le ayuda a determinar los roles y la configuración del control de acceso basado en rol (RBAC) de Azure.", "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", + "id": "G03.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", "severity": "Bajo", "subcategory": "Administración", - "text": "Evaluar el requisito de usar roles RBAC personalizados para la administración de AVD" + "text": "Evaluar el requisito de usar roles RBAC personalizados para la administración de AVD", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Los usuarios de AVD no deben tener permiso para instalar la aplicación. Si es necesario, el Control de aplicaciones de Windows Defender (WDAC) se puede usar para controlar qué controladores y aplicaciones pueden ejecutarse en sus clientes Windows. ", + "description": "Los usuarios de AVD no deben tener permiso para instalar la aplicación. Si es necesario, el Control de aplicaciones de Windows Defender (WDAC) se puede usar para controlar qué controladores y aplicaciones pueden ejecutarse en sus clientes de Windows. 
", "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", + "id": "G03.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", "severity": "Medio", "subcategory": "Administración", - "text": "Restringir a los usuarios la instalación de aplicaciones no autorizadas" + "text": "Impedir que los usuarios instalen aplicaciones no autorizadas", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Habilitar MFA y CA le permite administrar los riesgos antes de conceder a los usuarios acceso a su entorno AVD. Al decidir a qué usuarios conceder acceso, le recomendamos que también tenga en cuenta quién es el usuario, cómo inicia sesión y qué dispositivo está usando. En el artículo complementario se proporcionan detalles adicionales y procedimientos de configuración. Microsoft Entra ID es el nuevo nombre de Azure Active Directory (Azure AD).", + "description": "La habilitación de MFA y CA te permite administrar los riesgos antes de otorgar a los usuarios acceso a tu entorno de AVD. A la hora de decidir a qué usuarios conceder acceso, te recomendamos que también tengas en cuenta quién es el usuario, cómo inicia sesión y qué dispositivo utiliza. En el artículo complementario se proporcionan detalles adicionales y procedimientos de configuración. Microsoft Entra ID es el nuevo nombre de Azure Active Directory (Azure AD).", "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", + "id": "G04.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", "severity": "Medio", - "subcategory": "Microsoft Entra ID", - "text": "Evaluar el uso de Multi-Factor Authentication (MFA) y acceso condicional (CA) para usuarios de AVD" + "subcategory": "Id. 
de Microsoft Entra", + "text": "Evaluar el uso de la autenticación multifactor (MFA) y el acceso condicional (CA) para los usuarios de AVD", + "waf": "Seguridad" }, { "category": "Seguridad", - "description": "Si Zero Trust es un requisito, revise el artículo complementario en la columna 'Más información'. Proporciona los pasos para aplicar los principios de confianza cero a una implementación de Azure Virtual Desktop.", + "description": "Si Zero Trust es un requisito, revisa el artículo complementario en la columna \"Más información\". Proporciona pasos para aplicar los principios de Confianza cero a una implementación de Azure Virtual Desktop.", "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", + "id": "G05.01", "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd", "severity": "Medio", "subcategory": "Confianza cero", - "text": "Revisar y aplicar los principios y la orientación de Zero Trust" + "text": "Revisar y aplicar los principios y la guía de Zero Trust", + "waf": "Seguridad" }, { "category": "Almacenamiento", "description": "Si se utiliza, asegúrese de consultar la lista de prácticas recomendadas y recomendaciones descritas en el artículo al que se hace referencia.", "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", + "id": "H01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", "severity": "Medio", "subcategory": "Archivos de Azure", - "text": "Comprobar los procedimientos recomendados para Azure Files" + "text": "Comprobación de los procedimientos recomendados para Azure Files", + "waf": "Rendimiento" }, { "category": "Almacenamiento", - "description": "SMB Multichannel permite a los clientes utilizar múltiples conexiones de red que proporcionan un mayor rendimiento al tiempo que reducen el costo de propiedad. 
El aumento del rendimiento se logra mediante la agregación de ancho de banda en varias NIC y el uso de la compatibilidad con Receive Side Scaling (RSS) para que las NIC distribuyan la carga de E/S entre varias CPU.", + "description": "SMB Multichannel permite a los clientes utilizar varias conexiones de red que proporcionan un mayor rendimiento a la vez que reducen el coste de propiedad. El aumento del rendimiento se logra a través de la agregación de ancho de banda en varias NIC y el uso de la compatibilidad con el escalado del lado de recepción (RSS) para que las NIC distribuyan la carga de E/S entre varias CPU.", "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", + "id": "H01.02", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", "severity": "Bajo", "subcategory": "Archivos de Azure", - "text": "Habilite SMB multicanal cuando use un recurso compartido de archivos premium para hospedar contenedores de perfiles FSLogix." + "text": "Habilite SMB multicanal cuando use un recurso compartido de archivos premium para hospedar contenedores de perfiles de FSLogix.", + "waf": "Rendimiento" }, { "category": "Almacenamiento", - "description": "Si se requiere una segunda región para fines de DR, verifique también la disponibilidad de NetApp.", + "description": "Si se requiere una segunda región para fines de recuperación ante desastres, compruebe también la disponibilidad de NetApp allí.", "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", + "id": "H02.01", "link": "https://azure.microsoft.com/global-infrastructure/services/", "severity": "Medio", - "subcategory": "Archivos de Azure NetApp", - "text": "Si se requiere almacenamiento de archivos de NetApp, compruebe la disponibilidad del servicio de almacenamiento en su región específica." 
+ "subcategory": "Azure NetApp Files", + "text": "Si se requiere almacenamiento de NetApp Files, compruebe la disponibilidad del servicio de almacenamiento en su región específica.", + "waf": "Fiabilidad" }, { "category": "Almacenamiento", - "description": "La opción CA es una configuración recomendada en el escenario FSLogix, ya que permite una sesión SMB más resistente entre el host de sesión y los archivos de NetApp.", + "description": "La opción CA es una configuración recomendada en el escenario de FSLogix, ya que permite una sesión SMB más resistente entre el host de sesión y los archivos de NetApp.", "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", + "id": "H02.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", "severity": "Medio", - "subcategory": "Archivos de Azure NetApp", - "text": "Si se utiliza el almacenamiento de archivos de NetApp, habilite la opción CA (disponibilidad continua) para aumentar la resiliencia" + "subcategory": "Azure NetApp Files", + "text": "Si se utiliza el almacenamiento de archivos de NetApp, habilite la opción CA (disponibilidad continua) para aumentar la resiliencia", + "waf": "Fiabilidad" }, { "category": "Almacenamiento", - "description": "Se debe crear un sitio de Active Directory para el entorno de red virtual de Azure donde se creará la subred Azure NetApp Files (ANF) y ese nombre de sitio debe especificarse en la propiedad de conexión ANF al ejecutar el procedimiento de unión, como se explica en el artículo de referencia.", + "description": "Se debe crear un sitio de Active Directory para el entorno de red virtual de Azure en el que se creará la subred de Azure NetApp Files (ANF), y ese nombre de sitio debe especificarse en la propiedad de conexión ANF al ejecutar el procedimiento de combinación, como se explica en el artículo de referencia.", "guid": "6647e977-db49-48a8-bc35-743f17499d42", + "id": "H02.03", "link": 
"https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", "severity": "Alto", - "subcategory": "Archivos de Azure NetApp", - "text": "Si se usa el almacenamiento de Azure NetApp Files, compruebe la configuración del nombre del sitio de Active Directory en la configuración de conexión de Active Directory" + "subcategory": "Azure NetApp Files", + "text": "Si se usa el almacenamiento de Azure NetApp Files, compruebe la configuración del nombre del sitio de Active Directory en la configuración de conexión de Active Directory", + "waf": "Fiabilidad" }, { "category": "Almacenamiento", - "description": "Opciones posibles: HDD estándar, SSD estándar o SSD premium. Los discos efímeros no son compatibles, no se recomiendan Ultra-Disks. Se recomienda evaluar Premium para el disco del sistema operativo si la densidad de usuarios no es baja y si se utilizará Cloud Cache. ", + "description": "Opciones posibles: HDD estándar, SSD estándar o SSD premium. Los discos efímeros no son compatibles, no se recomiendan los discos Ultra. Se recomienda evaluar Premium para el disco del sistema operativo si la densidad de usuarios no es baja y si se usará Cloud Cache. ", "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", + "id": "H03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", "severity": "Medio", "subcategory": "Planificación de la capacidad", - "text": "Determinar qué tipo de disco administrado se utilizará para los hosts de sesión" + "text": "Determinar qué tipo de disco administrado se usará para los hosts de sesión", + "waf": "Rendimiento" }, { "category": "Almacenamiento", - "description": "Las opciones posibles son: Azure NetApp Files, Azure Files, servidor de archivos basado en VM. No se recomienda el servidor de archivos. Azure Files Premium suele ser un buen punto de partida. Por lo general, NetApp se requiere para entornos de gran escala / alto rendimiento. 
Para una comparación detallada, consulte el artículo en la columna 'Más información'.", + "description": "Las opciones posibles son: Azure NetApp Files, Azure Files, servidor de archivos basado en máquina virtual. File-server no se recomienda. Azure Files Premium suele ser un buen punto de partida. Por lo general, NetApp es necesario para entornos a gran escala y de alto rendimiento. Para obtener una comparación detallada, consulte el artículo en la columna 'Más información'.", "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", + "id": "H03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "severity": "Alto", "subcategory": "Planificación de la capacidad", - "text": "Determinar qué solución back-end de almacenamiento se utilizará para los perfiles FSLogix" + "text": "Determinar qué solución de back-end de almacenamiento se usará para los perfiles de FSLogix", + "waf": "Rendimiento" }, { "category": "Almacenamiento", - "description": "Cada grupo de hosts debe usar un conjunto independiente de cuentas/volúmenes de almacenamiento (al menos uno) y recursos compartidos. Los usuarios deben tener un perfil diferente para cada grupo de hosts, ya que los ajustes y configuraciones son específicos de cada grupo de hosts. Además, el acceso a diferentes grupos de hosts al mismo tiempo puede provocar errores en el VHD/X del perfil de usuario compartido. También se recomienda escalar de forma independiente el uso de diferentes cuentas o volúmenes de almacenamiento para varios recursos compartidos.", + "description": "Cada grupo de hosts debe usar un conjunto independiente de cuentas o volúmenes de almacenamiento (al menos uno) y recursos compartidos. Los usuarios deben tener un perfil diferente para cada grupo de hosts, ya que los ajustes y las configuraciones son específicos de cada grupo de hosts. Además, el acceso a diferentes grupos de hosts al mismo tiempo puede provocar errores en el VHD/X del perfil de usuario compartido. 
También se recomienda el uso de diferentes cuentas de almacenamiento o volúmenes para varios recursos compartidos para escalar de forma independiente.", "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", + "id": "H03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "severity": "Alto", "subcategory": "Planificación de la capacidad", - "text": "No compartir almacenamiento y perfiles entre diferentes grupos de hosts" + "text": "No comparta el almacenamiento y los perfiles entre diferentes grupos de hosts", + "waf": "Rendimiento" }, { "category": "Almacenamiento", - "description": "Como punto de partida para estimar los requisitos de rendimiento de almacenamiento de contenedores de perfiles, se recomienda asumir 10 IOPS por usuario en estado estable y 50 IOPS por usuario durante el inicio y cierre de sesión. Los requisitos de espacio se obtienen simplemente en función del tamaño máximo de perfiles en FSLogix por el número total de usuarios para cada grupo de hosts. Se pueden usar varias cuentas de almacenamiento para el mismo grupo de hosts si es necesario.", + "description": "Como punto de partida para calcular los requisitos de rendimiento del almacenamiento de contenedores de perfiles, se recomienda suponer 10 IOPS por usuario en el estado estable y 50 IOPS por usuario durante el inicio y cierre de sesión. Los requisitos de espacio se obtienen simplemente en función del tamaño máximo de perfiles en FSLogix por el número total de usuarios para cada grupo de hosts. 
Se pueden usar varias cuentas de almacenamiento para el mismo grupo de hosts si es necesario.", "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "id": "H03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "severity": "Alto", "subcategory": "Planificación de la capacidad", - "text": "Comprobar los límites de escalabilidad del almacenamiento y los requisitos del grupo de hosts" + "text": "Verifique los límites de escalabilidad del almacenamiento y los requisitos del grupo de hosts", + "waf": "Fiabilidad" }, { "category": "Almacenamiento", "description": "Evite introducir latencia y costos adicionales asociados con el tráfico de red entre regiones siempre que sea posible.", "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "id": "H03.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "severity": "Alto", "subcategory": "Planificación de la capacidad", - "text": "Para un rendimiento óptimo, la solución de almacenamiento y el contenedor de perfiles de FSLogix deben estar en la misma región de Azure." + "text": "Para obtener un rendimiento óptimo, la solución de almacenamiento y el contenedor de perfiles de FSLogix deben estar en la misma región de Azure.", + "waf": "Rendimiento" }, { "category": "Almacenamiento", - "description": "La recomendación de Azure Virtual Desktop es usar el contenedor de perfiles sin división del contenedor de Office (ODFC), a menos que esté planeando escenarios específicos de continuidad empresarial y recuperación ante desastres (BCDR), como se describe en la sección Recuperación ante desastres a continuación. 
https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", + "description": "La recomendación en Azure Virtual Desktop es usar el contenedor de perfiles sin la división del contenedor de Office (ODFC) a menos que esté planeando escenarios específicos de continuidad empresarial y recuperación ante desastres (BCDR), como se describe en la sección Recuperación ante desastres a continuación. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "id": "H04.01", "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "severity": "Alto", "subcategory": "FSLogix", - "text": "No utilice contenedores de Office (ODFC) si no es estrictamente necesario y justificado" + "text": "No use contenedores de Office (ODFC) si no es estrictamente necesario y justificado", + "waf": "Fiabilidad" }, { "category": "Almacenamiento", - "description": "Asegúrese de configurar las siguientes exclusiones antivirus para las unidades de disco duro virtuales FSLogix Profile Container, como se documenta en el artículo al que se hace referencia en la columna 'Más información'.", + "description": "Asegúrese de configurar las siguientes exclusiones de antivirus para los discos duros virtuales de FSLogix Profile Container, como se documenta en el artículo al que se hace referencia en la columna \"Más información\".", "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "id": "H04.02", "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "severity": "Medio", "subcategory": "FSLogix", - "text": "Configure las exclusiones antivirus recomendadas para FSLogix (incluye no analizar archivos VHD(x) al conectarse)." 
+ "text": "Configure las exclusiones de antivirus recomendadas para FSLogix (incluye no analizar archivos VHD(x) al conectarse).", + "waf": "Seguridad" }, { "category": "Almacenamiento", - "description": "Los contenedores de perfiles tienen un tamaño máximo predeterminado de 30 GB. Si se anticipan contenedores de perfiles grandes y los clientes quieren intentar mantenerlos pequeños, considere la posibilidad de usar OneDrive para hospedar archivos de Office 365 fuera del perfil de FSLogix.", + "description": "Los contenedores de perfiles tienen un tamaño máximo predeterminado de 30 GB. Si se prevén contenedores de perfiles grandes y los clientes quieren intentar mantenerlos pequeños, considere la posibilidad de usar OneDrive para hospedar archivos de Office 365 fuera del perfil de FSLogix.", "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "id": "H04.03", "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "severity": "Alto", "subcategory": "FSLogix", - "text": "Revisar y confirmar el tamaño máximo de perfil configurado en FSLogix" + "text": "Revise y confirme el tamaño máximo de perfil configurado en FSLogix", + "waf": "Costar" }, { "category": "Almacenamiento", - "description": "Los valores predeterminados y la configuración recomendada se informan en el artículo complementario de la columna \"Más información\". Si no se deben usar claves y/o valores recomendados, asegúrese de revisar con un experto de Microsoft AVD y documentar claramente sus elecciones.", + "description": "Los valores predeterminados y la configuración recomendada se indican en el artículo complementario de la columna \"Más información\". 
Si no se deben usar claves o valores recomendados, asegúrese de revisar con un experto en AVD de Microsoft y documentar claramente sus opciones.", "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "id": "H04.04", "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "severity": "Alto", "subcategory": "FSLogix", - "text": "Revise las claves del Registro FSLogix y determine cuáles aplicar" + "text": "Revise las claves del Registro de FSLogix y determine cuáles aplicar", + "waf": "Fiabilidad" }, { "category": "Almacenamiento", - "description": "No se recomiendan conexiones simultáneas o varias en Azure Virtual Desktop. Las conexiones simultáneas tampoco son compatibles con los hosts de sesión que se ejecutan en un grupo de hosts de escritorio virtual de Azure. OneDrive, si se usa, no admite conexiones simultáneas o múltiples con el mismo contenedor, bajo ninguna circunstancia. Para varias conexiones, no se recomienda el uso del mismo disco de perfil.", + "description": "No se recomiendan las conexiones simultáneas o varias en Azure Virtual Desktop. Las conexiones simultáneas tampoco son compatibles con los hosts de sesión que se ejecutan en un grupo de hosts de Azure Virtual Desktop. OneDrive, si se usa, no admite conexiones simultáneas o varias con el mismo contenedor, bajo ninguna circunstancia. Para varias conexiones, no se recomienda el uso del mismo disco de perfil.", "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "id": "H04.05", "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "severity": "Alto", "subcategory": "FSLogix", - "text": "Evite el uso de conexiones simultáneas o múltiples" + "text": "Evite el uso de conexiones simultáneas o múltiples", + "waf": "Fiabilidad" }, { "category": "Almacenamiento", - "description": "Cloud Cache utiliza la unidad del sistema operativo como almacenamiento en caché local y puede generar mucha presión en el disco de la máquina virtual. 
Según el SKU de la máquina virtual y el tamaño utilizado, la unidad temporal de la máquina virtual puede ser una solución viable y de alto rendimiento donde reubicar el contenido en caché de Cloud Cache. Antes de adoptar esta solución, se deben ejecutar pruebas para confirmar el rendimiento y la estabilidad. Puede encontrar más detalles sobre Cloud Cache aquí: https://learn.microsoft.com/en-us/fslogix/concepts-fslogix-cloud-cache. ", + "description": "Cloud Cache usa la unidad del sistema operativo como almacenamiento de caché local y puede generar mucha presión en el disco de la máquina virtual. Según la SKU y el tamaño de la máquina virtual usada, la unidad temporal de la máquina virtual puede ser una solución viable y eficaz para reubicar el contenido almacenado en caché de Cloud Cache. Antes de adoptar esta solución, se deben ejecutar pruebas para confirmar el rendimiento y la estabilidad. Puede encontrar más detalles sobre Cloud Cache aquí: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. ", "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "id": "H04.06", "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "severity": "Bajo", "subcategory": "FSLogix", - "text": "Si se usa FSLogix Cloud Cache, considere mover el directorio de caché a la unidad temporal de la máquina virtual." + "text": "Si se usa la caché en la nube de FSLogix, considere la posibilidad de mover el directorio de caché a la unidad temporal de la máquina virtual.", + "waf": "Rendimiento" }, { "category": "Almacenamiento", - "description": "REDIRECTION.XML archivo se utiliza para controlar qué carpetas se redirigen fuera del contenedor de perfiles a la unidad 'C:'. Las exclusiones deben ser la excepción y nunca deben usarse a menos que la exclusión específica sea completamente entendida por la persona que configura la exclusión. Las exclusiones siempre deben probarse completamente en el entorno donde se pretende implementar. 
La configuración de exclusiones puede afectar a la funcionalidad, la estabilidad y el rendimiento.",
+ "description": "El archivo REDIRECTION.XML se utiliza para controlar qué carpetas se redirigen fuera del contenedor de perfiles a la unidad 'C:'. Las exclusiones deben ser la excepción y nunca deben usarse a menos que la persona que configura la exclusión específica comprenda completamente la exclusión. Las exclusiones siempre deben probarse completamente en el entorno en el que se pretende implementar. La configuración de exclusiones puede afectar a la funcionalidad, la estabilidad y el rendimiento.",
 "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
+ "id": "H04.07",
 "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
 "severity": "Medio",
 "subcategory": "FSLogix",
- "text": "Revise el uso de la redirección FSLogix."
+ "text": "Revise el uso de la redirección de FSLogix.",
+ "waf": "Costar"
 }
 ],
 "metadata": {
 "name": "Azure Virtual Desktop Review",
 "state": "GA",
- "timestamp": "July 14, 2023"
+ "timestamp": "November 09, 2023"
 },
 "severities": [
 {
@@ -1224,7 +1483,7 @@
 "name": "Abrir"
 },
 {
- "description": "Esta comprobación se ha comprobado y no hay más elementos de acción asociados a ella",
+ "description": "Esta comprobación se ha verificado y no hay más elementos de acción asociados a ella",
 "name": "Cumplido"
 },
 {
@@ -1235,5 +1494,30 @@
 "description": "No aplicable para el diseño actual",
 "name": "N/A"
 }
+ ],
+ "waf": [
+ {
+ "name": "Fiabilidad"
+ },
+ {
+ "name": "Seguridad"
+ },
+ {
+ "name": "Costar"
+ },
+ {
+ "name": "Operaciones"
+ },
+ {
+ "name": "Rendimiento"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Sí"
+ },
+ {
+ "name": "No"
+ }
 ]
 }
\ No newline at end of file
diff --git a/checklists/avd_checklist.ja.json b/checklists/avd_checklist.ja.json
index fc01aa5ba..3a244b916 100644
--- a/checklists/avd_checklist.ja.json
+++ b/checklists/avd_checklist.ja.json
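Review bot: The new `waf` lookup table names the cost pillar `"Costar"`, which is the verb "to cost", while the other four entries are nouns, and the item records in this file carry the same value (for example `"waf": "Costar"` on H04.03 and H04.07). Anything downstream that keys on this string keeps working only while the table and the items stay in lockstep, so if it is corrected to `"Costo"` (or `"Coste"`) every item's `waf` value has to change in the same commit. The wording looks machine-translated, so the fix probably belongs in the glossary of whatever tool generates these files rather than in a hand edit here. The file also still ends without a trailing newline.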
@@ -1,5 +1,4 @@
 {
- "$schema": "checklist.schema.json",
 "categories": [
 {
 "name": "財団"
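Review bot: Dropping `"$schema": "checklist.schema.json"` removes the only pointer that lets an editor or a CI step validate this file against the checklist schema, and the following hunk in the same file introduces new keys (`id`, `waf`) whose shape and allowed values are exactly what such validation would catch. If the schema file has moved or the generator no longer emits the reference, the commit message should say so; otherwise the line is worth keeping. For a file of this size that is presumably regenerated by a tool, a schema reference is also cheap insurance against duplicate keys and stray enum values slipping through unnoticed.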
@@ -29,1179 +28,1439 @@ "items": [ { "category": "ビジネス継続性と災害復旧", - "description": "AVD コントロールプレーンは、返金制度のあるサービスレベル契約を提供していません。マイクロソフトは、Azure 仮想デスクトップ サービス URL の可用性を 99.9% 以上確保するよう努めています。サブスクリプション内のセッション ホスト仮想マシンの可用性は、仮想マシン SLA の対象となります。グローバルな高可用性要件を適切に満たすには、依存するリソース/サービスとインフラストラクチャの可用性も考慮する必要があります。", + "description": "AVD コントロール プレーンは、金銭的な裏付けのあるサービス レベル アグリーメントを提供しません。Microsoft は、Azure Virtual Desktop サービス URL の可用性を 99.9% 以上達成するよう努めています。サブスクリプション内のセッション ホスト仮想マシンの可用性は、Virtual Machines SLA の対象となります。依存するリソース/サービスとインフラストラクチャの可用性も、グローバルな高可用性要件を適切に満たすために考慮する必要があります。", "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1", + "id": "A01.01", "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", "severity": "高い", "subcategory": "計算する", - "text": "AVD を通じて公開されたアプリケーション/デスクトップの予想される高可用性 SLA を決定する" + "text": "AVD を介して公開されるアプリケーション/デスクトップに期待される高可用性 SLA を決定する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "「アクティブ/アクティブ」モデルは、異なるリージョンの複数のホストプールで実現できます。異なるリージョンの VM を含む単一のホスト プールは推奨されません。同じユーザーに対して複数のプールを使用する場合は、ユーザー プロファイルを同期/レプリケートする方法の問題を解決する必要があります。FSLogix Cloud Cache を使用することもできますが、慎重に確認して計画する必要があります。または、同期/レプリケートをまったく行わないことをお客様が決定できます。\"アクティブ/パッシブ\" は、Azure Site Recovery (ASR) または自動化されたメカニズムを使用したオンデマンド プール デプロイを使用して実現できます。マルチリージョンBCDRの詳細については、「詳細情報」列とこのFSLogix関連ページの関連記事をお読みください https://learn.microsoft.com/en-us/fslogix/concepts-container-recovery-business-continuity。", + "description": "\"アクティブ/アクティブ\" モデルは、異なるリージョンの複数のホスト プールで実現できます。異なるリージョンの VM を含む 1 つのホスト プールはお勧めしません。同じユーザーに対して複数のプールを使用する場合は、ユーザープロファイルの同期/複製方法の問題を解決する必要があります。FSLogix Cloud Cache を使用できますが、慎重に確認して計画するか、同期/レプリケートをまったく行わないことをお客様が決定できます。\"アクティブ/パッシブ\" は、Azure Site Recovery (ASR) または自動化されたメカニズムによるオンデマンド プール デプロイを使用して実現できます。複数リージョンの BCDR の詳細については、「詳細情報」列の関連記事と FSLogix 関連ページ (https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity) を参照してください。", "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", + "id": "A01.02", "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", "severity": "中程度", "subcategory": "計算する", - "text": "AVD ホストプールの geo ディザスタリカバリ要件の評価" + "text": "AVD ホスト プールの Geo ディザスター リカバリー要件を評価する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "Azure 仮想デスクトップ BCDR の計画と設計に取り組む前に、AVD を通じて使用されるアプリケーションが重要であることを最初に検討することが重要です。重要でないアプリから分離し、異なるディザスター リカバリーのアプローチと機能を備えた別のホスト プールを使用することをお勧めします。", + "description": "Azure Virtual Desktop BCDR の計画と設計に取り組む前に、AVD を介して使用されるどのアプリケーションが重要であるかを最初に検討することが重要です。重要でないアプリから分離し、異なるディザスター リカバリーのアプローチと機能を持つ別のホスト プールを使用することもできます。", "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", + "id": "A01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "低い", "subcategory": "計算する", - "text": "重要なアプリケーションを異なる AVD ホストプールに分離" + "text": "重要なアプリケーションを異なる AVD ホストプールに分離", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "各ホスト プールは、可用性ゾーン (AZ) または可用性セット (AS) を使用してデプロイできます。回復性を最大化するには、AZ の使用をお勧めします。 ホストプールの作成時に、ホストプールセッションホストを使用可能なすべての AZ に分散することを決定できます。 AS を使用しても単一のデータセンターの障害から保護されないため、AZ が使用できないリージョンでのみ使用する必要があります。AZ と AVD の詳細については、関連記事を参照してください。AZとASの比較については、ここで読むことができます:https://learn.microsoft.com/en-us/azure/virtual-machines/availability。", + "description": "各ホスト プールは、Availability Zones (AZ) または可用性セット (AS) を使用してデプロイできます。回復性を最大化するには、AZ の使用をお勧めします。 ホスト プールの作成時に、ホスト プール セッション ホストを使用可能なすべての AZ に分散することを決定できます。 AS を使用しても、1 つのデータセンターの障害から保護されないため、AZ を使用できないリージョンでのみ使用する必要があります。AZ と AVD の詳細については、関連記事を参照してください。AZ と AS の比較については、https://learn.microsoft.com/azure/virtual-machines/availability を参照してください。", "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", + "id": "A01.04", "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", "severity": "高い", "subcategory": "計算する", - "text": "AVD ホストプール展開に最適な復元力オプションを計画する" + "text": "AVD ホスト プールのデプロイに最適な耐障害性オプションを計画する", + 
"waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "Azure Backup を使用して、ホスト プール VM を保護できます。プールされたプールの場合、ステートレスである必要があるため、これは必要ありません。代わりに、このオプションは個人用ホスト プールに対して検討できます。", + "description": "Azure Backup を使用して、ホスト プールの VM を保護できます。プールされたプールの場合、ステートレスである必要があるため、これは必要ありません。代わりに、このオプションは個人用ホスト プールで検討できます。", "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", + "id": "A01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "中程度", "subcategory": "計算する", - "text": "AVD セッションホスト VM をバックアップする要件を評価する" + "text": "AVD セッション ホスト VM をバックアップするための要件を評価する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "個人用プールの場合でも、利用可能な場合はアベイラビリティーゾーンを使用することをお勧めします。リージョン内 DR 戦略には 3 つの戦略が考えられますが、コスト、RTO/RPO、および VM OS ディスク全体を保存することが本当に必要な場合は、(1) 特定のゾーン (AZ) に各セッション ホストを作成し、Azure Site Recovery (ASR) を使用して別のゾーンにレプリケートします。(2) Azure Backup を使用して、別の AZ にある特定のセッション ホストをバックアップおよび復元します。 (3) 別の AZ に新しいセッション ホストを作成し、FSLogix や OneDrive を使用してデータと設定を新しいコンピューターで使用できるようにします。すべてのオプションでは、DR に対する管理者の介入と、ホスト プール レベルでの直接のユーザー割り当てが必要であり、事前に計画および構成する必要があります。", + "description": "パーソナルプールの場合でも、アベイラビリティーゾーン(利用可能な場合)の使用をお勧めします。リージョン内 DR 戦略には 3 つあり、コスト、RTO/RPO、および VM OS ディスク全体を保存することが本当に必要な場合は、(1) 特定のゾーン (AZ) に各セッション ホストを作成し、Azure Site Recovery (ASR) を使用して別のゾーンにレプリケートするなど、最適な戦略を選択することをお勧めします。(2) Azure Backup を使用して、別の AZ で特定のセッション ホストをバックアップおよび復元します。 (3) 別の AZ に新しいセッション ホストを作成し、FSLogix や OneDrive を使用して、新しいマシンでデータと設定を使用できるようにします。すべてのオプションでは、DR とホスト プール レベルでの直接ユーザー割り当てのために管理者の介入が必要であり、事前に計画して構成する必要があります。", "guid": "5da58639-ca3a-4961-890b-29663c5e10d", + "id": "A01.06", "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", "severity": "中程度", "subcategory": "計算する", - "text": "パーソナルホストプールセッションホストのローカルDR戦略を準備する" + "text": "個人用ホスト プール セッション ホストのローカル DR 戦略を準備する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "カスタムイメージを使用して AVD ホストプール VM を展開する場合は、AVD 
が展開されているすべてのリージョンでそれらのアーティファクトを使用できることを確認することが重要です。Azure コンピューティング ギャラリー サービスを使用すると、ホスト プールがデプロイされているすべてのリージョンで、冗長ストレージと複数のコピーでイメージをレプリケートできます。Azure コンピューティング ギャラリー サービスはグローバル リソースではないことに注意してください。障害復旧シナリオでは、異なるリージョンに少なくとも 2 つのギャラリーを配置することをお勧めします。", + "description": "カスタム イメージを使用して AVD ホスト プール VM をデプロイする場合は、AVD がデプロイされているすべてのリージョンでそれらのアーティファクトを使用できるようにすることが重要です。Azure Compute Gallery サービスを使用すると、ホスト プールがデプロイされているすべてのリージョンに、冗長ストレージと複数のコピーでイメージをレプリケートできます。Azure Compute Gallery サービスはグローバル リソースではないことに注意してください。ディザスター リカバリーのシナリオでは、ベスト プラクティスは、異なるリージョンに少なくとも 2 つのギャラリーを持つことです。", "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", + "id": "A02.01", "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", "severity": "低い", "subcategory": "依存 関係", - "text": "ゴールデン イメージのリージョン間の可用性を計画する" + "text": "ゴールデン イメージのリージョン間の可用性を計画する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "AVD インフラストラクチャのユーザがオンプレミスのリソースアクセスを必要とする場合、接続に必要なネットワークインフラストラクチャの高可用性も重要であり、考慮する必要があります。認証インフラストラクチャの回復性を評価および評価する必要があります。依存アプリケーションやその他のリソースの BCDR の側面は、セカンダリ DR の場所の可用性を確保するために考慮する必要があります。", + "description": "AVD インフラストラクチャのユーザーがオンプレミスのリソース アクセスを必要とする場合、接続に必要なネットワーク インフラストラクチャの高可用性も重要であり、考慮する必要があります。認証インフラストラクチャの回復性を評価し、評価する必要があります。依存するアプリケーションやその他のリソースの BCDR の側面を考慮して、セカンダリ DR の場所の可用性を確保する必要があります。", "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", + "id": "A02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "中程度", "subcategory": "依存 関係", - "text": "インフラストラクチャとアプリケーションの依存関係を評価する" + "text": "インフラストラクチャとアプリケーションの依存関係の評価", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "FSLogix ユーザー プロファイル内のすべてのデータが、障害から保護する必要があるわけではありません。さらに、OneDrive やファイル サーバー/共有などの外部ストレージが使用されている場合、FSLogix プロファイルに残っているものは最小限であり、極端な状況では失われる可能性があります。また、プロファイル内のデータを他のストレージ (キャッシュ モードの Outlook 受信トレイなど) から再構築できる場合もあります。", + "description": "FSLogix ユーザー プロファイル内のすべてのデータが障害からの保護に値するとは限りません。さらに、OneDrive やファイル サーバー/共有などの外部ストレージが使用されている場合、FSLogix 
プロファイルに残るものは最小限であり、極端な状況で失われる可能性があります。また、プロファイル内のデータを他のストレージ (キャッシュ モードの Outlook 受信トレイなど) から再構築できる場合もあります。", "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", + "id": "A03.01", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", "severity": "中程度", "subcategory": "貯蔵", - "text": "プロファイルコンテナとオフィスコンテナで保護する必要があるデータを評価します" + "text": "プロファイル コンテナーと Office コンテナーで保護する必要があるデータを評価する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "重要なユーザーデータのデータ損失を防ぐことは重要であり、最初のステップは、どのデータを保存して保護する必要があるかを評価することです。OneDriveまたはその他の外部ストレージを使用している場合は、ユーザープロファイルやOfficeコンテナのデータを保存する必要がない場合があります。重要なユーザー データを保護するには、適切なメカニズムを検討する必要があります。Azure Backup サービスは、Azure Files Standard レベルと Premium レベルに格納されているときに、プロファイルとオフィス コンテナーのデータを保護するために使用できます。Azure NetApp Files Snapshots と Policies は、Azure NetApp Files (すべての層) に使用できます。", + "description": "重要なユーザーデータのデータ損失を防ぐことは重要であり、最初のステップは、どのデータを保存して保護する必要があるかを評価することです。OneDrive またはその他の外部ストレージを使用している場合、ユーザー プロファイルや Office コンテナー データの保存は必要ない場合があります。重要なユーザーデータを保護するために、適切なメカニズムを検討する必要があります。Azure Backup サービスを使用すると、Azure Files の Standard レベルと Premium レベルに格納されているプロファイルと Office コンテナーのデータを保護できます。Azure NetApp Files のスナップショットとポリシーは、Azure NetApp Files (すべてのレベル) に使用できます。", "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", + "id": "A03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "中程度", "subcategory": "貯蔵", - "text": "プロファイルコンテナとオフィスコンテナのバックアップ保護戦略を構築する" + "text": "プロファイル コンテナーと Office コンテナーのバックアップ保護戦略を構築する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "AVD では、FSLogix コンテナーに存在するユーザー データに複数のレプリケーション メカニズムと戦略を使用できます。 [プロファイル パターン #1]: ネイティブの Azure ストレージ レプリケーション メカニズム (Azure Files Standard GRS レプリケーション、Azure NetApp Files クロスリージョン レプリケーションなど)。Azure Files には、ゾーン レプリケート ストレージ (ZRS) または geo レプリケート ストレージ (GRS) を使用することをお勧めします。ローカルのみの回復性を備えた LRS は、ゾーン/リージョンの保護が必要ない場合に使用できます。注: Azure ファイル共有標準は LRS/ZRS/GRS ですが、100 TB の大容量サポートが有効になっている場合は LRS/ZRS のみがサポートされます。[プロファイル パターン #2]: FSLogix Cloud 
Cache は、異なる (最大 4 つの) ストレージ アカウント間でコンテナーをレプリケートする自動メカニズムで構築されています。Cloud Cache は、(1) ユーザー プロファイルまたは Office コンテナーのデータ可用性が必要 高可用性 SLA が重要であり、リージョンの障害に対する回復力が必要な場合にのみ使用してください。(2) 選択したストレージ オプションは、BCDR 要件を満たすことができません。たとえば、Azure ファイル共有プレミアム レベル、または大きなファイルのサポートが有効になっている Azure ファイル共有標準では、GRS は使用できません。(3) 異種ストレージ間でのレプリケーションが必要な場合。[プロファイル パターン #3]: ユーザー データ/プロファイル コンテナーではなく、アプリケーション データに対してのみ geo ディザスター リカバリーを設定する: 重要なアプリケーション データを、OneDrive や独自の組み込み DR メカニズムを備えたその他の外部ストレージなどの個別のストレージに格納します。", + "description": "AVD では、FSLogix コンテナーに存在するユーザー データに対して、複数のレプリケーション メカニズムと戦略を使用できます。 [プロファイル パターン #1]: ネイティブの Azure Storage レプリケーション メカニズム (Azure Files Standard GRS レプリケーション、Azure NetApp Files リージョン間レプリケーションなど)。Azure Files には、ゾーン レプリケート ストレージ (ZRS) または Geo レプリケート ストレージ (GRS) を使用することをお勧めします。ローカルのみの回復性を持つ LRS は、ゾーン/リージョン保護が不要な場合に使用できます。注: Azure Files Share Standard は LRS/ZRS/GRS ですが、100 TB の大規模サポートを有効にすると、LRS/ZRS のみがサポートされます。[プロファイル パターン #2]: FSLogix Cloud Cache には、異なる (最大 4 つ) ストレージ アカウント間でコンテナーをレプリケートする自動メカニズムが組み込まれています。Cloud Cache は、(1) ユーザー プロファイルまたは Office コンテナーのデータ可用性が必要で、高可用性 SLA が重要であり、リージョンの障害に対する回復性がある必要がある場合にのみ使用する必要があります。(2) 選択したストレージ オプションが BCDR 要件を満たすことができません。たとえば、Azure File Share Premium レベル、または大きなファイルのサポートが有効になっている Azure File Share Standard では、GRS は使用できません。(3) 異種ストレージ間でのレプリケーションが必要な場合[プロファイル パターン #3]: geo ディザスター リカバリーはアプリケーション データに対してのみ設定し、ユーザー データ/プロファイル コンテナーには設定しない: 重要なアプリケーション データを、OneDrive や独自の組み込み DR メカニズムを備えた他の外部ストレージなどの個別のストレージに格納します。", "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", + "id": "A03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "中程度", "subcategory": "貯蔵", - "text": "BCDRを目的としたプロファイルコンテナストレージレプリケーションの要件と回復性を評価する" + "text": "BCDR の目的でのプロファイル コンテナー ストレージのレプリケーション要件と回復性を評価する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "ローカルのディザスター リカバリーには、Azure ファイルの Azure Backup を使用できます。リージョン間の geo ディザスター リカバリーの場合: GRS for Azure Files は、Standard SKU 
でのみ使用でき、大規模な共有のサポートはないため、ほとんどのお客様のシナリオには適していません。Azure ファイル共有プレミアムで geo レプリケーションが必要な場合は、FSLogix クラウド キャッシュを使用したレプリケーションを評価するか、\"リージョン内\" 可用性ゾーン (AZ) のみの回復性を検討する必要があります。", + "description": "ローカルのディザスター リカバリーには、Azure Backup for Azure Files を使用できます。リージョン間の geo ディザスター リカバリーの場合: Azure Files の GRS は Standard SKU でのみ使用でき、大規模な共有のサポートは提供されないため、ほとんどの顧客シナリオには適していません。Azure File Share Premium で geo レプリケーションが必要な場合は、FSLogix Cloud Cache を使用したレプリケーションを評価するか、\"リージョン内\" 可用性ゾーン (AZ) のみの回復性を考慮する必要があります。", "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", + "id": "A03.04", "link": "https://docs.microsoft.com/azure/backup/backup-afs", "severity": "中程度", "subcategory": "貯蔵", - "text": "Azure ファイルのディザスター リカバリー戦略を確認する" + "text": "Azure Files のディザスター リカバリー戦略を確認する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "ゾーン冗長ストレージは、ユーザー プロファイル データのリージョン内の回復性を最大化します。ZRS は、\"FileStorage\" ストレージ アカウントの種類を通じてプレミアム ファイル共有でサポートされます。ZRS は、標準の汎用 v2 ストレージ アカウントでサポートされています。ゾーン冗長ストレージの使用は、各ホスト プール内のセッション ホストのゾーン冗長展開と組み合わせる必要があります。", + "description": "ゾーン冗長ストレージは、ユーザー プロファイル データのリージョン内の回復性を最大化します。ZRS は、\"FileStorage\" ストレージ アカウントの種類を通じて Premium ファイル共有でサポートされています。ZRS は、標準の汎用 v2 ストレージ アカウントでサポートされています。ゾーン冗長ストレージの使用は、各ホスト プールでのセッション ホストのゾーン冗長デプロイと組み合わせる必要があります。", "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", + "id": "A03.05", "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "severity": "高い", "subcategory": "貯蔵", - "text": "Azure Files にゾーン冗長ストレージ (ZRS) を使用して回復性を最大化する" + "text": "Azure Files のゾーン冗長ストレージ (ZRS) を使用して回復性を最大化する", + "waf": "確実" }, { "category": "ビジネス継続性と災害復旧", - "description": "ローカルのディザスター リカバリーには、Azure ネットアップ ファイル (ANF) ネイティブ バックアップを使用できます。ANF は基本的にローカル冗長であるため、リージョン間の geo ディザスター リカバリーでは、クロスリージョン レプリケーション (CRR) https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-create-peering という追加のメカニズムを使用する必要があります。現在、ANF は異なるアベイラビリティーゾーン (AZ) 間でのレプリケーションも冗長性も提供せず、ANF ボリュームを配置する単一の AZ を選択する可能性のみを提供します。 
https://learn.microsoft.com/en-us/azure/azure-netapp-files/manage-availability-zone-volume-placement。", + "description": "ローカルのディザスター リカバリーには、Azure NetApp Files (ANF) のネイティブ バックアップを使用できます。ANF は基本的にローカル冗長であるため、リージョン間の geo ディザスター リカバリーでは、リージョン間レプリケーション (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering である追加のメカニズムを使用する必要があります。現在、ANF は異なるアベイラビリティーゾーン (AZ) 間でのレプリケーションや冗長性を提供しておらず、ANF ボリュームを配置する単一の AZ を選択する可能性のみを提供します: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement。", "guid": "23429db7-2281-4376-85cc-57b4a4b18142", + "id": "A03.06", "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "severity": "中程度", "subcategory": "貯蔵", - "text": "Azure ネットアップ ファイルのディザスター リカバリー戦略を確認する" + "text": "Azure NetApp Files のディザスター リカバリー戦略を確認する", + "waf": "確実" }, { "category": "計算する", - "description": "アプリケーションは、ゴールデン イメージにプレインストールすることも、MSIX & AppAttach 機能を使用してアタッチすることも、ホスト プールの展開後に従来のソフトウェア配布方法を使用してセッション ホストに配布することもできます。", + "description": "アプリケーションは、ゴールド イメージにプレインストールしたり、MSIX & AppAttach 機能を使用してアタッチしたり、ホスト プールのデプロイ後に従来のソフトウェア配布方法を使用してセッション ホストに配布したりできます。", "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", + "id": "B01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "高い", - "subcategory": "ゴールデン画像", - "text": "アプリケーションを AVD ホストプールに展開する方法を決定する" + "subcategory": "ゴールデンイメージ", + "text": "アプリケーションを AVD ホストプールにデプロイする方法を決定する", + "waf": "オペレーションズ" }, { "category": "計算する", - "description": "異なる OS バージョンや設定、分離する必要があり、1 つのイメージに含めることができないアプリケーションの異なるグループをサポートするには、複数のゴールデン イメージが必要になる場合があります。", + "description": "異なる OS バージョンや設定、分離する必要があり、1 つのイメージに含めることができない異なるアプリケーション グループをサポートするには、複数のゴールド イメージが必要になる場合があります。", "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", + "id": "B01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "中程度", - "subcategory": "ゴールデン画像", - "text": 
"必要なゴールデン画像の数を見積もる" + "subcategory": "ゴールデンイメージ", + "text": "必要なゴールド イメージの数を見積もる", + "waf": "オペレーションズ" }, { "category": "計算する", - "description": "各ホスト プールの展開に使用するゲスト OS を決定します: Windows 10 と Windows Server、マーケットプレースとカスタム イメージ", + "description": "各ホスト プールのデプロイに使用するゲスト OS を決定する: Windows 10 と Windows Server、Marketplace とカスタム イメージ", "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", + "id": "B01.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", "severity": "中程度", - "subcategory": "ゴールデン画像", - "text": "ホスト プールの展開に使用する OS イメージを決定する" + "subcategory": "ゴールデンイメージ", + "text": "ホスト プールのデプロイに使用する OS イメージを決定する", + "waf": "確実" }, { "category": "計算する", - "description": "Azure VM カスタム イメージは、Azure コンピューティング ギャラリー、マネージド イメージ オブジェクト、ストレージ内のマネージド ディスクなど、さまざまな方法で作成および保存できます。推奨される方法は、Azure コンピューティング ギャラリーを使用することです。", + "description": "Azure VM カスタム イメージは、Azure Compute Gallery、マネージド イメージ オブジェクト、ストレージ内のマネージド ディスクなど、さまざまな方法で作成および格納できます。推奨される方法は、Azure Compute Gallery を使用することです。", "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", + "id": "B01.04", "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "severity": "低い", - "subcategory": "ゴールデン画像", - "text": "カスタム イメージの適切なストアを選択する" + "subcategory": "ゴールデンイメージ", + "text": "カスタム イメージの適切なストアを選択する", + "waf": "確実" }, { "category": "計算する", "description": "カスタム イメージを使用する場合は、自動ビルド プロセスを計画します。既存のソフトウェア ファクトリが存在しない場合は、カスタム イメージ テンプレートや Azure Image Builder を使用してビルド プロセスを自動化することを検討してください。", "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", + "id": "B01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", "severity": "低い", - "subcategory": "ゴールデン画像", - "text": "カスタム イメージのビルド プロセスを設計する" + "subcategory": "ゴールデンイメージ", + "text": "カスタムイメージのビルドプロセスを設計する", + "waf": "オペレーションズ" }, { "category": "計算する", - "description": "ゴールデンイメージのカスタマイズに関するいくつかの既知のベストプラクティスと推奨事項がありますので、参照されている記事を確認してください。", + "description": 
"ゴールドイメージのカスタマイズに関する既知のベストプラクティスと推奨事項がいくつかありますので、参照されている記事を確認してください。", "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", + "id": "B01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "中程度", - "subcategory": "ゴールデン画像", - "text": "カスタムイメージを使用する場合は、カスタムイメージの構築方法に関する AVD の推奨ベストプラクティスを確認してください" + "subcategory": "ゴールデンイメージ", + "text": "カスタムイメージを使用する場合は、カスタムイメージの構築方法について、AVD の推奨ベスト プラクティスを確認してください", + "waf": "オペレーションズ" }, { "category": "計算する", - "description": "AVD セッションホストにインストールされている FSLogix スタックは、自動更新機能を提供しません。このため、最新バージョンのFSLogixをダウンロードし、ゴールデンイメージの更新プロセスに含めることをお勧めします。", + "description": "AVD セッション ホストにインストールされた FSLogix スタックでは、自動更新機能は提供されません。このため、最新バージョンの FSLogix をダウンロードし、ゴールド イメージの更新プロセスに含めることをお勧めします。", "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", + "id": "B01.07", "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", "severity": "高い", - "subcategory": "ゴールデン画像", - "text": "ゴールデン イメージ更新プロセスに最新バージョンの FSLogix を含める" + "subcategory": "ゴールデンイメージ", + "text": "最新バージョンの FSLogix をゴールド イメージの更新プロセスに含める", + "waf": "確実" }, { "category": "計算する", - "description": "このツール セットは、ホワイト ペーパー「仮想デスクトップ インフラストラクチャ (VDI) の役割に対する Windows 10 バージョン 2004 の最適化」で参照されている設定を自動的に適用するために作成されました https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004。ホワイトペーパーに記載されているツールの使用および/または最適化を検討する必要があります。", + "description": "このツール セットは、ホワイト ペーパー「仮想デスクトップ インフラストラクチャ (VDI) の役割に対する Windows 10 バージョン 2004 の最適化」: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 で参照されている設定を自動的に適用するために作成されました。ホワイトペーパーに記載されているツールの使用や最適化を検討する必要があります。", "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", + "id": "B01.08", "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "severity": "低い", - "subcategory": "ゴールデン画像", - "text": "仮想デスクトップ最適化ツールの使用状況を評価する" + "subcategory": "ゴールデンイメージ", + "text": "Virtual-Desktop-Optimization-Tool の使用状況を評価する", + 
"waf": "パフォーマンス" }, { "category": "計算する", - "description": "OneDriveが使用され、ゴールデンイメージに含まれている場合は、「詳細情報」セクションの関連記事に記載されている構成手順に従ってください。この AVD チェックリストの範囲外ですが、FSLogix プロファイルで使用される領域を削減し、ユーザー エクスペリエンスを向上させるために、\"既知のフォルダー リダイレクト\" や \"ファイル オンデマンド\" などの OneDrive の最適化を評価する必要があります。現在の OneDrive は、リモート アプリではサポートされていません。", + "description": "OneDrive が使用され、ゴールド イメージに含まれている場合は、関連記事の「詳細」セクションで報告されている構成手順に必ず従ってください。この AVD チェックリストの範囲外ですが、FSLogix プロファイルで使用される領域を減らし、ユーザー エクスペリエンスを向上させるために、\"既知のフォルダー リダイレクト\" や \"ファイル オンデマンド\" などの OneDrive の最適化を使用して評価する必要があります。現在、OneDrive は Remote Apps ではサポートされていません。", "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", + "id": "B01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "severity": "低い", - "subcategory": "ゴールデン画像", - "text": "Microsoft OneDrive が AVD 展開の一部になるかどうかを判断する" + "subcategory": "ゴールデンイメージ", + "text": "Microsoft OneDrive を AVD デプロイの一部にするかどうかを決定する", + "waf": "オペレーションズ" }, { "category": "計算する", - "description": "「詳細情報」列の関連記事に含まれている要件と構成手順を必ず確認してください。Teams の自動更新は無効になるため、Teams の最新バージョンを確認してゴールデン イメージ更新プロセスに含めることをお勧めします。", + "description": "関連記事の「詳細情報」列に記載されている要件と構成手順を必ず確認してください。Teams の自動更新は無効になるため、ゴールデン イメージの更新プロセスに Teams の最新バージョンを確認して含めることをお勧めします。", "guid": "b5887953-5d22-4788-9d30-b66c67be5951", + "id": "B01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", "severity": "低い", - "subcategory": "ゴールデン画像", - "text": "Microsoft Teams が AVD 展開の一部になるかどうかを判断する" + "subcategory": "ゴールデンイメージ", + "text": "Microsoft Teams が AVD デプロイの一部になるかどうかを判断する", + "waf": "パフォーマンス" }, { "category": "計算する", - "description": "AVD は、同じホストプール内で異なる言語とローカリゼーション要件を持つユーザをサポートできます。これは、ゴールデンイメージをカスタマイズして、ユーザーが必要な言語を選択できるようにすることができます。Windows 11で追加の言語パックを構成する手順は、リファレンス記事に記載されています。", + "description": "AVD は、同じホストプールで異なる言語とローカリゼーションの要件を持つユーザーをサポートできます。これは、ユーザーが必要な言語を選択できるように、ゴールデンイメージをカスタマイズして行うことができます。Windows 11 で追加の言語パックを構成する手順は、リファレンス記事に記載されています。", "guid": 
"7c336f3b-822a-498e-8cd1-667d1150df4a", + "id": "B01.11", "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", "severity": "低い", - "subcategory": "ゴールデン画像", - "text": "複数の言語をサポートするための要件を評価する" + "subcategory": "ゴールデンイメージ", + "text": "複数の言語をサポートするための要件を評価する", + "waf": "確実" }, { "category": "計算する", - "description": "MSIX パッケージを格納するには、個別のストレージ アカウント/共有を使用することを強くお勧めします。必要に応じて、ストレージは個別にスケールアウトでき、プロファイル I/O アクティビティの影響を受けません。Azure には、MISX アプリのアタッチに使用できる複数のストレージ オプションが用意されています。Azure Files または Azure NetApp Files は、コストと管理オーバーヘッドの間で最適な価値を提供するため、これらのオプションを使用することをお勧めします。", + "description": "個別のストレージ アカウント/共有を使用して MSIX パッケージを格納することを強くお勧めします。必要に応じて、ストレージは個別にスケールアウトでき、プロファイル I/O アクティビティの影響を受けません。Azure には、MISX アプリのアタッチに使用できる複数のストレージ オプションが用意されています。Azure Files または Azure NetApp Files を使用すると、コストと管理オーバーヘッドの間で最適な価値が得られるため、これらのオプションを使用することをお勧めします。", "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", + "id": "B02.01", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "中程度", - "subcategory": "MSIX & AppAttach", - "text": "FSLogix プロファイルと同じストレージ アカウント/共有を使用しないでください" + "subcategory": "MSIX と AppAttach", + "text": "FSLogix プロファイルと同じストレージ アカウント/共有を使用しないでください", + "waf": "パフォーマンス" }, { "category": "計算する", - "description": "参照記事では、AVD コンテキストでの MSIX の使用に関するパフォーマンスに関する考慮事項はほとんどありませんが、慎重に確認してください。", + "description": "参照されている記事では、AVD コンテキストでの MSIX の使用に関する重要なパフォーマンスに関する考慮事項をいくつか報告しましたが、慎重に確認してください。", "guid": "241addce-5793-477b-adb3-751ab2ac1fad", + "id": "B02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "中程度", - "subcategory": "MSIX & AppAttach", - "text": "MSIX のパフォーマンスに関する考慮事項を確認する" + "subcategory": "MSIX と AppAttach", + "text": "MSIX のパフォーマンスに関する考慮事項を確認する", + "waf": "パフォーマンス" }, { "category": "計算する", - "description": "MSIX アプリのアタッチには、ファイル共有にアクセスするための読み取り専用アクセス許可が必要です。MSIX アプリケーションを Azure Files に格納する場合は、セッション ホストに対して、すべてのセッション ホスト VM に、共有に対するストレージ アカウント ロールベースのアクセス制御 
(RBAC) とファイル共有の新技術ファイル システム (NTFS) アクセス許可の両方を割り当てる必要があります。", + "description": "MSIX アプリのアタッチには、ファイル共有にアクセスするための読み取り専用アクセス許可が必要です。MSIX アプリケーションを Azure Files に格納する場合は、セッション ホストに対して、すべてのセッション ホスト VM に、共有に対するストレージ アカウントのロールベースのアクセス制御 (RBAC) とファイル共有の New Technology File System (NTFS) アクセス許可の両方を割り当てる必要があります。", "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", + "id": "B02.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "中程度", - "subcategory": "MSIX & AppAttach", - "text": "MSIX 共有の適切なセッション ホストのアクセス許可を確認する" + "subcategory": "MSIX と AppAttach", + "text": "MSIX 共有の適切なセッション ホストのアクセス許可を確認する", + "waf": "安全" }, { "category": "計算する", - "description": "3番目のパーティのソフトウェアベンダーは、MIXパッケージを提供する必要があります、それは顧客アプリケーションの所有者からの適切なサポートなしで変換手順を試みることはお勧めしません。", + "description": "サード パーティのソフトウェア ベンダーは MSIX パッケージを提供する必要があり、アプリケーション所有者からの適切なサポートなしに変換手順を試行することはお勧めしません。", "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", + "id": "B02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "低い", - "subcategory": "MSIX & AppAttach", - "text": "3番目のパーティ製アプリケーション用の MSIX パッケージ" + "subcategory": "MSIX と AppAttach", + "text": "サード パーティ アプリケーション用の MSIX パッケージ", + "waf": "費用" }, { "category": "計算する", - "description": "MSIX アプリのアタッチでは MSIX アプリケーションの自動更新がサポートされていないため、無効にする必要があります。", + "description": "MSIX アプリのアタッチでは、MSIX アプリケーションの自動更新がサポートされていないため、無効にする必要があります。", "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", + "id": "B02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "低い", - "subcategory": "MSIX & AppAttach", - "text": "MSIX パッケージの自動更新を無効にする" + "subcategory": "MSIX と AppAttach", + "text": "MSIX パッケージの自動更新を無効にする", + "waf": "オペレーションズ" }, { "category": "計算する", - "description": "MSIX & App Attach を利用するには、AVD ホスト プールのゲスト OS イメージが Windows 10/11 Enterprise または Windows 10/11 Enterprise Multi-session バージョン 2004 以降である必要があります。", + "description": "MSIX & App Attach を利用するには、AVD ホスト プールのゲスト OS イメージが 
Windows 10/11 Enterprise または Windows 10/11 Enterprise マルチセッション バージョン 2004 以降である必要があります。", "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", + "id": "B02.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "中程度", - "subcategory": "MSIX & AppAttach", - "text": "オペレーティング システムのサポートを確認する" + "subcategory": "MSIX と AppAttach", + "text": "オペレーティング システムのサポートを確認する", + "waf": "確実" }, { "category": "計算する", - "description": "ホスト プールのデプロイに使用する VM SKU を選択したら、セキュリティを強化し、機能を向上させるために、Gen2 タイプの SKU を使用することをお勧めします。", + "description": "ホスト プールのデプロイに使用する VM SKU を選択したら、セキュリティと機能を強化するために、Gen2 タイプの SKU を使用することをお勧めします。", "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", + "id": "B03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", "severity": "中程度", "subcategory": "セッション ホスト", - "text": "ホスト プールの展開のための Gen2 VM の使用状況を評価する" + "text": "ホスト プールのデプロイのための Gen2 VM の使用状況を評価する", + "waf": "パフォーマンス" }, { "category": "計算する", - "description": "MMR は、メディア コンテンツをセッション ホストからローカル コンピューターにリダイレクトして、処理とレンダリングを高速化します。Microsoft EdgeまたはGoogle Chromeでメディアコンテンツを再生する場合にのみ機能します。詳細については、リンク先の URL を参照してください。", + "description": "MMR は、処理とレンダリングを高速化するために、メディア コンテンツをセッション ホストからローカル コンピューターにリダイレクトします。Microsoft Edge または Google Chrome でメディア コンテンツを再生する場合にのみ機能します。詳細については、リンク先のURLを参照してください。", "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9", + "id": "B03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection", "severity": "低い", "subcategory": "セッション ホスト", - "text": "MMR(マルチメディアリダイレクト)を使用して、ブラウザでのビデオパフォーマンスを向上させることを検討してください" + "text": "MMR(マルチメディアリダイレクト)を使用して、ブラウザーでのビデオパフォーマンスを向上させることを検討してください", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "ホスト プールは、セッション ホストとして Azure 仮想デスクトップに登録される Azure 仮想マシンのコレクションです。ホスト プールは、個人用とプール型の 2 種類のいずれかになります。使用する型とその数は、文書化および検証する必要がある重要な設計上の決定事項です。詳細については、「詳細情報」列の関連記事を参照してください。", + "description": "ホスト プールは、セッション ホストとして Azure Virtual Desktop に登録される Azure 仮想マシンのコレクションです。ホスト プールは、個人用とプールの 2 
種類のいずれかになります。どの型をいくつ使用するかは、文書化して検証する必要がある重要な設計上の決定事項です。詳細については、「詳細情報」列の関連記事を参照してください。", "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2", + "id": "C01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "使用するホスト・プール・タイプの決定" + "subcategory": "キャパシティプランニング", + "text": "使用するホスト プールの種類を決定する", + "waf": "費用" }, { "category": "財団", - "description": "設計基準を使用して、展開するホスト プールの数を決定します。これは、さまざまな OS イメージ、マルチリージョンのサポート、ゲスト VM ハードウェアの違い (GPU のサポートの有無など)、さまざまなユーザーの期待と稼働時間の要件 (\"エグゼクティブ\"、\"オフィス ワーカー\"、\"開発者\" など)、ホスト プールの RDP 設定 (ドライブ リダイレクトのサポートなど) などの要因に基づきます。これらにより、ホスト プールの数と、各プールに含まれるホストの数が決まります。", + "description": "設計基準を使用して、デプロイするホスト プールの数を決定します。これは、異なる OS イメージ、マルチリージョン サポート、ゲスト VM ハードウェアの違い (GPU サポートの有無など)、ユーザーの期待とアップタイム要件の違い (例: 'Executives'、'Office Workers'、'Developers' など)、ホスト プールの RDP 設定 (ドライブ リダイレクトのサポートなど) などの要因に基づきます。これにより、ホスト プールの数と、各プールに含まれるホストの数が決まります。", "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7", + "id": "C01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "展開するさまざまなホスト プールの数を見積もる" + "subcategory": "キャパシティプランニング", + "text": "デプロイする異なるホスト プールの数を見積もる", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "自動割り当てと直接割り当ての違いがよく理解されており、選択したオプションが問題のシナリオに適していることを確認します。[自動] が既定の設定です。", + "description": "自動割り当てと直接割り当ての違いが十分に理解されており、選択したオプションが問題のシナリオに適していることを確認します。「自動」がデフォルト設定です。", "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db", + "id": "C01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type", "severity": "低い", - "subcategory": "キャパシティ プランニング", - "text": "[パーソナル ホスト プールの種類] で、適切な割り当ての種類を選択します。" + "subcategory": "キャパシティプランニング", + "text": "[個人用ホスト プールの種類] で、適切な割り当ての種類を選択します", + "waf": "オペレーションズ" }, { "category": "財団", - "description": 
"使用するものと使用可能なオプションを確認すると、自動スケーリングでは既存の負荷分散アルゴリズムは無視されます。", + "description": "使用するアルゴリズムと使用可能なオプションを確認すると、自動スケーリングでは既存の負荷分散アルゴリズムが無視されます。", "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48", + "id": "C01.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing", "severity": "低い", - "subcategory": "キャパシティ プランニング", - "text": "[プールされたホスト プールの種類] で、最適な負荷分散方法を選択します。" + "subcategory": "キャパシティプランニング", + "text": "[プールされたホスト プールの種類] で、最適な負荷分散方法を選択します", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "コアの数が増えると、システムの同期オーバーヘッドも増加します。特に、複数のユーザーが同時にサインインする場合。セッション ホストに対して大きすぎる VM を使用しないようにする", + "description": "コア数が増えると、システムの同期オーバーヘッドも増加します。特に、複数のユーザーが同時にサインインする場合。セッション ホストに対して大きすぎる VM を使用しないようにしてください", "guid": "b3724959-4943-4577-a3a9-e10ff6345f24", + "id": "C01.05", "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "severity": "中程度", - "subcategory": "キャパシティ プランニング", - "text": "プールされたホスト プールの種類の場合、VM のコア数は 32 を超えないようにしてください" + "subcategory": "キャパシティプランニング", + "text": "プールされたホスト プールの種類の場合、VM のコア数は 32 を超えないようにする必要があります", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "AVD は、1 つのホスト プール内の RemoteApp とデスクトップ アプリケーション グループ(DAG)の両方を同じユーザー セットに割り当てることをサポートしていません。これにより、1 人のユーザーが 1 つのホスト プールに 2 つのユーザー セッションを持つことになります。ユーザーは、同じプロファイルを使用して、同じホスト プール内で同時に 2 つのアクティブなセッションを持つことはできません。", + "description": "AVD では、1 つのホスト プール内の RemoteApp とデスクトップ アプリケーション グループ (DAG) の両方を同じユーザー セットに割り当てることはできません。これを行うと、1 人のユーザーが 1 つのホスト プールに 2 つのユーザー セッションを持つことになります。ユーザーは、同じプロファイルを使用して、同じホスト プールで同時に 2 つのアクティブなセッションを持つことは想定されていません。", "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144", + "id": "C01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "同じホスト プールを使用して、フル デスクトップ (DAG) とリモート アプリの両方を同じユーザー セットに提供しないでください。" + "subcategory": "キャパシティプランニング", + "text": "同じホスト プールを使用して、フル デスクトップ (DAG) 
と Remote Apps の両方を同じユーザー セットに提供しないでください", + "waf": "安全" }, { "category": "財団", - "description": "AVD で作成できるアプリケーション グループは、Microsoft Entra ID(以前の Azure AD) テナントごとに 500 個に制限されています。制限を増やすことはできますが(詳細については、コンパニオンリンクを参照してください)、推奨されません。", + "description": "Microsoft Entra ID (旧称 Azure AD) テナントごとに AVD で作成できるアプリケーション グループ数は 500 個に制限されています。制限を増やすことはできますが(詳細については、コンパニオンリンクを参照してください)、お勧めしません。", "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c", + "id": "C01.07", "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits", "severity": "中程度", - "subcategory": "キャパシティ プランニング", - "text": "Microsoft Entra ID テナント内のすべてのホスト プールで必要なアプリケーション グループの数を見積もる" + "subcategory": "キャパシティプランニング", + "text": "Microsoft Entra ID テナント内のすべてのホスト プールで必要なアプリケーション グループの数を見積もる", + "waf": "確実" }, { "category": "財団", - "description": "アプリケーションは、アクセス許可を発行および割り当てるためのコンテナーとして [アプリケーション グループ] の下にグループ化されます: アプリケーション グループごとに 50 を超えるアプリケーションを発行しないことをお勧めします。", + "description": "アプリケーションは、アクセス許可を発行および割り当てるためのコンテナーとして [アプリケーション グループ] にグループ化されます: アプリケーション グループごとに 50 を超えるアプリケーションを公開しないことをお勧めします。", "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32", + "id": "C01.08", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "severity": "低い", - "subcategory": "キャパシティ プランニング", - "text": "各アプリケーショングループのアプリケーション数を見積もる" + "subcategory": "キャパシティプランニング", + "text": "各アプリケーショングループのアプリケーション数を見積もる", + "waf": "確実" }, { "category": "財団", - "description": "個人用ホスト プールでは、各 VM が 1 人のユーザーに静的に割り当てられるため、移動プロファイル ソリューションがすぐに必要ないため、FSLogix は必要ありません。一部の使用シナリオでは、FSLogix が役立ちます。たとえば、VM を再割り当てしたり、ユーザーを別のデスクトップに移動したり、移動プロファイルを使用して DR 目的でユーザー プロファイルを別の場所に保存したりできます。", + "description": "FSLogix は、各 VM が 1 人のユーザーに静的に割り当てられるため、個人用ホスト プールには必要ありません。一部の使用シナリオでは、FSLogix が役立ちます。たとえば、仮想マシンを再割り当てしたり、ユーザーを別のデスクトップに移動したり、移動プロファイルを使用してユーザープロファイルをDRの目的で別の場所に保存したりできます。", "guid": "38b19ab6-0693-4992-9394-5590883916ec", - 
"link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", + "id": "C01.09", + "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", "severity": "低い", - "subcategory": "キャパシティ プランニング", - "text": "パーソナル ホスト プールの FSLogix の使用を評価する" + "subcategory": "キャパシティプランニング", + "text": "個人用ホスト プールでの FSLogix の使用状況を評価する", + "waf": "確実" }, { "category": "財団", - "description": "提供されているリンクを使用して SKU 決定の開始点を設定し、パフォーマンス テストを使用して検証します。本番用に少なくとも4つのコアがセッション・ホストごとに選択されていることを確認します(マルチセッション)", + "description": "提供されているリンクを使用して SKU 決定の開始点を設定し、パフォーマンス テストを使用して検証します。セッション ホストごとに運用用に少なくとも 4 つのコアが選択されていることを確認します (マルチセッション)", "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2", + "id": "C01.10", "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "ワークロード パフォーマンス テストを実行して、使用する最適な Azure VM SKU とサイズを決定する" + "subcategory": "キャパシティプランニング", + "text": "ワークロードのパフォーマンス テストを実行して、使用する最適な Azure VM SKU とサイズを決定する", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "参照記事で報告されている AVD の容量と制限を確認することが重要です。追加の制限としきい値は、ネットワーク、コンピューティング、ストレージ、およびサービスの管理に適用されます。", + "description": "参照記事で報告されている AVD の容量と制限を確認することが重要です。ネットワーク、コンピューティング、ストレージ、サービス管理には、追加の制限としきい値が適用されます。", "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a", + "id": "C01.11", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "環境の AVD スケーラビリティの制限を確認する" + "subcategory": "キャパシティプランニング", + "text": "環境の AVD スケーラビリティの制限を確認する", + "waf": "確実" }, { "category": "財団", - "description": "GPU を搭載したホスト プールには特別な構成が必要ですので、参照先の記事を必ず確認してください。", + "description": "GPU を使用するホスト プールには特別な構成が必要ですので、参照されている記事を必ず確認してください。", "guid": 
"c936667e-13c0-4056-94b1-e945a459837e", + "id": "C01.12", "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu", "severity": "低い", - "subcategory": "キャパシティ プランニング", - "text": "セッション ホストに GPU が必要かどうかを判断する" + "subcategory": "キャパシティプランニング", + "text": "セッション ホストに GPU が必要かどうかを判断する", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "可能な限り、高速ネットワーク機能を備えた VM SKU を活用することをお勧めします。この機能には、特定の VM SKU/サイズと OS バージョンが必要です。関連記事の一覧と要件を参照してください。", + "description": "可能な限り、高速ネットワーク機能を備えた VM SKU を活用することをお勧めします。この機能には、特定の VM SKU/サイズと OS バージョンが必要ですが、関連記事の一覧と要件を参照してください。", "guid": "b47a393a-0803-4272-a479-8b1578b219a4", + "id": "C01.13", "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", "severity": "低い", - "subcategory": "キャパシティ プランニング", - "text": "高速ネットワークを活用できる Azure VM SKU を使用する" + "subcategory": "キャパシティプランニング", + "text": "高速ネットワークを活用できる Azure VM SKU を使用する", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "適切な計画と展開を行うには、各ホスト プールの同時ユーザーの最大数と合計ユーザー数を評価することが重要です。さらに、異なるリージョンのユーザーは、最適なユーザー エクスペリエンスを確保するために異なるホスト プールを必要とする場合があります。", + "description": "適切な計画とデプロイのためには、各ホスト プールの同時ユーザーの最大数と合計ユーザー数を評価することが重要です。さらに、異なるリージョンのユーザーは、最適なユーザー エクスペリエンスを確保するために、異なるホスト プールを必要とする場合があります。", "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f", + "id": "C02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/overview", "severity": "中程度", "subcategory": "クライアントとユーザー", - "text": "AVD に接続するユーザーの数と、どのリージョンから接続するかを評価する" + "text": "AVD に接続するユーザー数とリージョンを評価する", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "AVD プールの外部のリソース(Active Directory、外部ファイル共有またはその他のストレージ、オンプレミスのサービスとリソース、VPN や ExpressRoute などのネットワーク インフラストラクチャ コンポーネント、外部サービス、サードパーティ コンポーネントなど)への依存関係を評価および確認する必要があります。これらすべてのリソースについて、AVD ホストプールからの遅延を評価し、接続を考慮する必要があります。さらに、BCDR に関する考慮事項をこれらの依存関係にも適用する必要があります。", + "description": "Active Directory、外部ファイル共有やその他のストレージ、オンプレミスのサービスやリソース、VPN や ExpressRoute などのネットワーク インフラストラクチャ コンポーネント、外部サービス、サードパーティ コンポーネントなど、AVD 
プールの外部にあるリソースへの依存関係を評価および確認する必要があります。これらすべてのリソースについて、AVD ホスト プールからの待機時間を評価し、接続性を考慮する必要があります。さらに、BCDR に関する考慮事項もこれらの依存関係に適用する必要があります。", "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc", + "id": "C02.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json", "severity": "中程度", "subcategory": "クライアントとユーザー", - "text": "各ホスト プールの外部依存関係を評価する" + "text": "各ホスト プールの外部依存関係を評価する", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "AVDは、さまざまなプラットフォーム(ウィンドウズ、MacOS、iOS、アンドロイド)を介して接続するためのさまざまなクライアントタイプ(ファット、シン、ウェブ)を提供します。各クライアントの制限事項を確認し、可能な場合は複数のオプションを比較します。", + "description": "AVD には、さまざまなプラットフォーム(Windows、MacOS、iOS、Android)で接続するためのさまざまなクライアント タイプ(ファット、シン、ウェブ)が用意されています。各クライアントの制限事項を確認し、可能な場合は複数のオプションを比較します。", "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd", - "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows", "severity": "低い", "subcategory": "クライアントとユーザー", - "text": "使用されているユーザクライアント OS と AVD クライアントタイプを確認する" + "text": "使用するユーザー クライアント OS と AVD クライアント タイプを確認する", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "ユーザーの場所と AVD リージョンの展開によっては、ユーザーのエクスペリエンスが最適でない場合があるため、小規模な PoC 環境でできるだけ早くテストすることが重要です。\"Azure 仮想デスクトップ エクスペリエンス推定ツール\" ツールを実行して、ホスト プールをデプロイするのに最適な Azure リージョンを選択します。150 ミリ秒を超える待機時間を超えると、ユーザー エクスペリエンスが最適でなくなる可能性があります。", + "description": "ユーザーの場所や AVD リージョンのデプロイによっては、ユーザーのエクスペリエンスが最適でない可能性があるため、小規模な PoC 環境でできるだけ早くテストすることが重要です。\"Azure Virtual Desktop エクスペリエンス見積もりツール\" ツールを実行して、ホスト プールをデプロイするのに最適な Azure リージョンを選択します。レイテンシーが 150 ミリ秒を超えると、ユーザー エクスペリエンスが最適でなくなる可能性があります。", "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e", + "id": "C02.04", "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/", "severity": "高い", "subcategory": "クライアントとユーザー", - "text": "PoC 
を実行して、エンドツーエンドのユーザー エクスペリエンスとネットワーク遅延の影響を検証します" + "text": "PoCを実行して、エンドツーエンドのユーザーエクスペリエンスとネットワーク遅延の影響を検証", + "waf": "パフォーマンス" }, { "category": "財団", - "description": "RDP 設定は、現在、ユーザー/グループごとではなく、ホスト プール レベルでのみ構成できます。ユーザー セットごとに異なる設定が必要な場合は、複数のホスト プールを作成することをお勧めします。", + "description": "現在、RDP 設定は、ユーザー/グループごとではなく、ホスト プール レベルでのみ構成できます。ユーザーのセットごとに異なる設定が必要な場合は、複数のホスト プールを作成することをお勧めします。", "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776", + "id": "C02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties", "severity": "低い", "subcategory": "クライアントとユーザー", - "text": "すべてのユーザー グループの RDP 設定を評価して文書化する" + "text": "すべてのユーザーグループのRDP設定を評価して文書化する", + "waf": "安全" }, { "category": "財団", - "description": "AVDは非地域サービスであり、ホストプールは任意のリージョンで作成でき、最も近いフロントエンドからの自動リダイレクトが自動的に行われます。", + "description": "AVD は非リージョン サービスであり、ホスト プールは任意のリージョンに作成でき、最も近いフロントエンドからの自動リダイレクトが自動的に行われます。", "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9", + "id": "C03.01", "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop", "severity": "高い", "subcategory": "全般", - "text": "AVD ホスト プールをデプロイする Azure リージョンを決定します。" + "text": "AVD ホスト プールをデプロイする Azure リージョンを決定します。", + "waf": "パフォーマンス" }, { "category": "財団", "description": "AVD は、サービスをサポートするためにメタデータを保存する必要があります。これは、指定された地域に格納されます。ただし、これはホスト プールが配置されているリージョンとは無関係です。", "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab", + "id": "C03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations", "severity": "中程度", "subcategory": "全般", - "text": "AVD サービスのメタデータの場所を決定する" + "text": "AVD サービスのメタデータの場所を決定する", + "waf": "確実" }, { "category": "財団", - "description": "特定の VM SKU を確認し (特に GPU またはハイスペックの SKU が必要な場合は)、最終的には Azure NetApp Files を使用します。", + "description": "特定の VM SKU (特に GPU またはハイスペックの SKU が必要な場合は) を確認し、最終的には Azure NetApp Files (使用されている場合) を確認します。", "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91", + "id": "C03.03", "link": 
"https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "severity": "低い", "subcategory": "全般", - "text": "選択したリージョンの特定の VM サイズと種類の Azure クォータと可用性を確認する" + "text": "選択したリージョンの特定の VM のサイズと種類の Azure のクォータと可用性を確認する", + "waf": "確実" }, { "category": "同一性", - "description": "AVD セッションホストにログインするユーザーのレイテンシーを短縮し、最終的には Azure NetApp Files と AD 統合のために、Azure の AD DC (異なる AZ に少なくとも 2 つ)することをお勧めします。DC は、すべての子ドメインの DC と通信できる必要があります。別の方法として、オンプレミス接続を使用して AD DC に到達する必要があります。", + "description": "Azure の AD DC は、AVD セッション ホストにログインするユーザーの待機時間を短縮し、最終的には Azure NetApp Files と AD 統合のために推奨されます (異なる AZ に少なくとも 2 つ)。DC は、すべての子ドメインの DC と通信できる必要があります。別の方法として、オンプレミス接続を使用して AD DC に到達する必要があります。", "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073", + "id": "D01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "severity": "中程度", - "subcategory": "アクティブディレクトリ", - "text": "AVD ホスト プールに近い Azure VNet 環境に少なくとも 2 つのアクティブ ディレクトリ ドメイン コントローラー (DC) を作成する" + "subcategory": "Active Directory", + "text": "AVD ホスト プールに近い Azure VNet 環境に少なくとも 2 つの Active Directory ドメイン コントローラー (DC) を作成します", + "waf": "確実" }, { "category": "同一性", - "description": "別の OU 階層の下にホスト プールごとに個別の OU を作成することをお勧めします。これらの OU には、AVD セッションホストのマシンアカウントが含まれます。", + "description": "ホスト プールごとに個別の OU を個別の OU 階層の下に作成することをお勧めします。これらの OU には、AVD セッションホストのマシン アカウントが含まれます。", "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "D01.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace", "severity": "中程度", - "subcategory": "アクティブディレクトリ", - "text": "ホスト プールごとにアクティブ ディレクトリに特定の OU を作成する" + "subcategory": "Active Directory", + "text": "ホスト プールごとに Active Directory に特定の OU を作成するCreate a specific OU in Active Directory for each Host Pool", + "waf": "オペレーションズ" }, { "category": "同一性", - "description": "慎重に確認し、AVD ホストプールを含む OU への GPO の継承をブロック/フィルタリングする可能性があります。", + "description": "AVD ホスト プールを含む OU への GPO 
の継承を慎重に確認し、場合によってはブロックまたはフィルター処理します。", "guid": "7126504b-b47a-4393-a080-327294798b15", + "id": "D01.03", "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy", "severity": "中程度", - "subcategory": "アクティブディレクトリ", - "text": "OU に適用され、ホスト プール セッション ホストの機能に影響を与えるドメイン GPO を確認する" + "subcategory": "Active Directory", + "text": "OU に適用され、ホスト プール セッション ホストの機能に影響を与えるドメイン GPO を確認する", + "waf": "オペレーションズ" }, { "category": "同一性", - "description": "Active Directory ドメイン GPO を使用する場合は、「詳細情報」列の関連記事で参照されている組み込みの GPO ADMX テンプレートを使用して FSLogix を構成することをお勧めします。", + "description": "Active Directory ドメインの GPO を使用する場合は、関連記事の「詳細」列で参照されている組み込みの GPO ADMX テンプレートを使用して FSLogix を構成することをお勧めします", "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f", + "id": "D01.04", "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates", "severity": "中程度", - "subcategory": "アクティブディレクトリ", - "text": "組み込みの GPO ADMX テンプレートを使用して FSLogix 設定を構成する" + "subcategory": "Active Directory", + "text": "組み込みの GPO ADMX テンプレートを使用して FSLogix 設定を構成する", + "waf": "オペレーションズ" }, { "category": "同一性", - "description": "最小限の権限を持ち、デフォルトの10回の参加制限のない特定の専用アカウントを使用することをお勧めします。詳細については、関連記事を参照してください。", + "description": "最小限のアクセス許可を持ち、既定の 10 回の参加制限のない特定の専用アカウントを持つことをお勧めします。詳細については、関連記事を参照してください。", "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77", + "id": "D01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts", "severity": "中程度", - "subcategory": "アクティブディレクトリ", - "text": "VM をドメインに参加させるためのアクセス許可のみを持つ専用ユーザー アカウントを作成する" + "subcategory": "Active Directory", + "text": "VM をドメインに参加させるためのアクセス許可のみを持つ専用ユーザー アカウントを作成します", + "waf": "安全" }, { "category": "同一性", - "description": "ユーザーごとにアクセスを許可するのではなく、AD グループを使用し、Microsoft Entra ID (以前の Azure AD) の Active Directory コネクタ (ADC) を使用してレプリケートします。", + "description": "ユーザーごとにアクセス権を付与するのではなく、AD グループを使用し、Microsoft Entra ID (旧称 Azure AD) の Active Directory コネクタ (ADC) を使用してレプリケートします。", "guid": 
"2d41e361-1cc5-47b4-a4b1-410d43958a8c", + "id": "D01.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups", "severity": "中程度", - "subcategory": "アクティブディレクトリ", - "text": "各ホスト プール アプリケーション グループ (DAG または RAG) へのアクセスが許可されるユーザーのセットごとにドメイン ユーザー グループを作成します。" + "subcategory": "Active Directory", + "text": "各ホスト プール アプリケーション グループ (DAG または RAG) へのアクセス権を付与するユーザーのセットごとにドメイン ユーザー グループを作成します", + "waf": "安全" }, { "category": "同一性", - "description": "Azure Files Active Directory (AD) 統合を使用する場合は、構成手順の一部として、ストレージ アカウント (ファイル共有) を表す AD アカウントが作成されます。コンピューター アカウントまたはサービス ログオン アカウントとして登録することを選択できます (詳細については、FAQ を参照してください)。コンピューター アカウントの場合、AD には既定のパスワードの有効期限が 30 日に設定されています。同様に、サービス ログオン アカウントには、AD ドメインまたは組織単位 (OU) に既定のパスワード有効期限が設定されている場合があります。どちらのアカウントの種類でも、AD 環境で構成されているパスワードの有効期限を確認し、パスワードの最大有効期間の前に AD アカウントのストレージ アカウント ID のパスワードを更新することを計画することをお勧めします。AD に新しい AD 組織単位 (OU) を作成し、それに応じてコンピューター アカウントまたはサービス ログオン アカウントのパスワード有効期限ポリシーを無効にすることを検討できます。", + "description": "Azure Files Active Directory (AD) 統合を使用する場合は、構成手順の一部として、ストレージ アカウント (ファイル共有) を表す AD アカウントが作成されます。コンピューター アカウントまたはサービス ログオン アカウントとして登録することを選択できます (詳細については、「FAQ」を参照してください)。コンピューター アカウントの場合、AD には既定のパスワードの有効期限が 30 日に設定されています。同様に、サービス ログオン アカウントには、AD ドメインまたは組織単位 (OU) に既定のパスワードの有効期限が設定されている場合があります。どちらの種類のアカウントでも、AD 環境で構成されているパスワードの有効期限を確認し、パスワードの最大有効期間の前に AD アカウントのストレージ アカウント ID のパスワードを更新することをお勧めします。AD で新しい AD 組織単位 (OU) を作成し、それに応じてコンピューター アカウントまたはサービス ログオン アカウントのパスワード有効期限ポリシーを無効にすることを検討できます。", "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3", + "id": "D01.07", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", "severity": "高い", - "subcategory": "アクティブディレクトリ", - "text": "Azure Files AD 統合で使用されるアカウントの組織のパスワード有効期限ポリシーを確認する" + "subcategory": "Active Directory", + "text": "Azure Files AD 統合で使用されるアカウントの組織のパスワード有効期限ポリシーを確認する", + "waf": "安全" }, { "category": "同一性", - "description": "これは、Active Directory Connect (ADC) または Azure AD ドメイン サービス (ハイブリッド組織またはクラウド組織の場合) 
を使用して構成できます。Microsoft Entra ID は、Azure Active Directory (Azure AD) の新しい名前です。", + "description": "これは、Active Directory Connect (ADC) または Azure AD Domain Services (ハイブリッド組織またはクラウド組織の場合) を使用して構成できます。Microsoft Entra ID は、Azure Active Directory (Azure AD) の新しい名前です。", "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a", + "id": "D01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "高い", - "subcategory": "アクティブディレクトリ", - "text": "Windows Server Active Directory フォレスト/ドメインは、Microsoft Entra ID と同期している必要があります。" + "subcategory": "Active Directory", + "text": "Windows Server Active Directory フォレスト/ドメインは、Microsoft Entra ID と同期している必要があります", + "waf": "確実" }, { "category": "同一性", - "description": "Azure Files が使用され、前提条件が満たされている場合は、(Microsoft Entra ID) Kerberos 認証を構成することをお勧めします。この構成により、ドメイン コントローラーへのネットワーク通信を必要とせずに、Azure AD 参加済みセッション ホストからハイブリッド ユーザー ID でアクセスできる FSLogix プロファイルを格納できます。", + "description": "Azure Files を使用していて、前提条件を満たすことができる場合は、(Microsoft Entra ID) Kerberos 認証を構成することをお勧めします。この構成により、ドメイン コントローラーへのネットワーク通信経路を必要とせずに、Azure AD に参加しているセッション ホストからハイブリッド ユーザー ID からアクセスできる FSLogix プロファイルを格納できます。", "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338", + "id": "D02.01", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", "severity": "中程度", - "subcategory": "マイクロソフト エントラ ID", - "text": "Microsoft Entra ID (以前の Azure AD) Kerberos 認証の Azure Files Share を Microsoft Entra ID Join シナリオ用に構成する" + "subcategory": "Microsoft Entra ID", + "text": "Microsoft Entra ID Joined シナリオで Microsoft Entra ID (旧称 Azure AD) Kerberos 認証用に Azure Files 共有を構成する", + "waf": "安全" }, { "category": "同一性", - "description": "Azure サブスクリプションは、Windows Server Active Directory ドメイン サービスまたは Microsoft Entra ID ドメイン サービス インスタンスを含む、または接続されている仮想ネットワークを含む、同じ Microsoft Entra ID (以前の Azure AD) テナントの親である必要があります。", + "description": "Azure サブスクリプションは、Windows Server Active Directory Domain Services または Microsoft Entra 
ID Domain Services インスタンスを含む、または接続されている仮想ネットワークを含む、同じ Microsoft Entra ID (旧称 Azure AD) テナントを親にする必要があります。", "guid": "6ceb5443-5125-4922-9442-93bb628537a5", + "id": "D03.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "高い", "subcategory": "必要条件", - "text": "Microsoft Entra ID テナントは、少なくとも 1 つのサブスクリプションがリンクされている必要があります" + "text": "Microsoft Entra ID テナントは、少なくとも 1 つのサブスクリプションがリンクされている必要があります", + "waf": "確実" }, { "category": "同一性", - "description": "Azure 仮想デスクトップでは、選択した構成に応じてさまざまな種類の ID がサポートされています。「詳細情報」の記事に記載されているサポートされているシナリオを確認し、それに応じて「コメント」列に設計上の決定を文書化してください。重要なことに、外部 ID (B2B または B2C) はサポートされていません。https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios でサポートされているシナリオの一覧も必ず確認してください。", + "description": "Azure Virtual Desktop では、選択した構成に応じて、さまざまな種類の ID がサポートされます。「詳細情報」の記事に記載されているサポートされているシナリオを確認し、それに応じて設計上の決定を「コメント」列に文書化してください。重要なのは、外部 ID (B2B または B2C) がサポートされていないことです。https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios でサポートされているシナリオの一覧も必ず確認してください。", "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c", + "id": "D03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", "severity": "高い", "subcategory": "必要条件", - "text": "ID シナリオを確認して文書化する" + "text": "ID シナリオを確認して文書化する", + "waf": "安全" }, { "category": "同一性", - "description": "ユーザーには、Microsoft Entra ID (以前の Azure AD) にあるアカウントが必要です。Azure Virtual Desktop のデプロイで AD DS または Azure AD ドメイン サービスも使用している場合、これらのアカウントはハイブリッド ID である必要があり、ユーザー アカウントが同期されていることを意味します。AD DS で Microsoft Entra ID を使用している場合は、AD DS と Microsoft Entra ID の間でユーザー ID データを同期するように Azure AD Connect を構成する必要があります。Azure AD Domain Services で Microsoft Entra ID を使用している場合、ユーザー アカウントは Microsoft Entra ID から Azure AD Domain Services に一方向で同期されます。この同期プロセスは自動的に行われます。AVD は、Microsoft Entra ID ネイティブ アカウントもサポートしていますが、いくつかの制限があります。外部 ID (B2B または B2C) はサポートされていません。", + "description": 
"ユーザーには、Microsoft Entra ID (旧称 Azure AD) のアカウントが必要です。Azure Virtual Desktop のデプロイで AD DS または Azure AD Domain Services も使用している場合、これらのアカウントはハイブリッド ID である必要があり、これはユーザー アカウントが同期されていることを意味します。AD DS で Microsoft Entra ID を使用している場合は、AD DS と Microsoft Entra ID の間でユーザー ID データを同期するように Azure AD Connect を構成する必要があります。Azure AD Domain Services で Microsoft Entra ID を使用している場合、ユーザー アカウントは Microsoft Entra ID から Azure AD Domain Services への一方向で同期されます。この同期プロセスは自動的に行われます。AVD は、いくつかの制限付きで Microsoft Entra ID ネイティブ アカウントもサポートしています。外部 ID (B2B または B2C) はサポートされていません。", "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", + "id": "D03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "中程度", "subcategory": "必要条件", - "text": "ユーザー アカウントの種類と要件を評価する" + "text": "ユーザー アカウントの種類と要件を評価する", + "waf": "安全" }, { "category": "同一性", - "description": "AVD は、Active Directory Federation Services (AD FS) または Microsoft Entra ID(以前の Azure AD) 認証のいずれかを使用した SSO をサポートしています。後者をお勧めしますので、「詳細情報」の記事で要件と制限を確認してください。AD FS の使用は、お客様の環境にすでに存在する場合は実行可能な選択肢となる可能性があるため、AVD SSO 実装のためだけに新しい ADFS インフラストラクチャを展開することはお勧めしません。", + "description": "AVD は、Active Directory フェデレーション サービス (AD FS) または Microsoft Entra ID (旧称 Azure AD) 認証を使用した SSO をサポートします。後者をお勧めしますので、「詳細情報」の記事で要件と制限を確認してください。AD FS の使用は、お客様の環境に既に存在する場合は実行可能な選択肢となる可能性がありますが、AVD SSO 実装のためだけにまったく新しい ADFS インフラストラクチャを展開することはお勧めしません。", "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", + "id": "D03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", "severity": "中程度", "subcategory": "必要条件", - "text": "シングル サインオン (SSO) が必要な場合は、サポートされているシナリオと前提条件を確認してください" + "text": "シングル サインオン (SSO) が要件である場合は、サポートされているシナリオと前提条件を確認してください", + "waf": "確実" }, { "category": "同一性", - "description": "VM は、Windows Active Directory (AD) ドメイン参加済み、ハイブリッド AD 参加済み、Microsoft Entra ID (以前の Azure AD) 参加済み、または Azure AD ドメイン サービスに参加している場合があります。サポートされているシナリオ、制限事項、および要件については、参照されている記事から確認してください。", + 
"description": "VM は、Windows Active Directory (AD) ドメイン参加済み、ハイブリッド AD 参加済み、Microsoft Entra ID (旧称 Azure AD) 参加済み、または Azure AD Domain Services 参加済みにすることができます。参照されている記事のサポートされているシナリオ、制限事項、要件を必ず確認してください。", "guid": "ea962a15-9394-46da-a7cc-3923266b2258", + "id": "D03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "高い", "subcategory": "必要条件", - "text": "適切な AVD セッションホストドメイン参加タイプの選択" + "text": "適切な AVD セッション ホストのドメイン参加タイプを選択します", + "waf": "安全" }, { "category": "同一性", - "description": "セルフマネージド型の Windows Active Directory Domain Services、Microsoft Entra ID (旧 Azure AD)、マネージド型の Azure AD Domain Services (AAD-DS) を比較する", + "description": "自己管理型 Windows Active Directory Domain Services、Microsoft Entra ID (旧称 Azure AD)、マネージド Azure AD Domain Services (AAD-DS) の比較", "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", + "id": "D03.06", "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", "severity": "低い", "subcategory": "必要条件", - "text": "AVD に Azure AD ドメイン サービス (AAD-DS) を使用する前に、制限事項を確認してください。" + "text": "AVD に Azure AD Domain Services (AAD-DS) を使用する前に、必ず制限事項を確認してください。", + "waf": "確実" }, { "category": "監視と管理", - "description": "AVD は、Intune および Active Directory GPO 用の管理用テンプレートを提供します。これらのテンプレートを使用すると、グラフィックス関連のデータロギング、画面キャプチャ保護、管理対象ネットワークのRDPショートパス、透かしなど、いくつかのAVD構成設定を集中的に制御できます。詳細については、「詳細情報」コラムの関連記事を参照してください。注: FSLogix には独自のテンプレートがあります。", + "description": "AVD には、Intune と Active Directory GPO 用の管理用テンプレートが用意されています。これらのテンプレートを使用すると、グラフィックス関連のデータ ログ、画面キャプチャ保護、マネージド ネットワークの RDP Shortpath、ウォーターマークなど、複数の AVD 構成設定を一元的に制御できます。詳細については、「詳細情報」列の関連記事を参照してください。注: FSLogix には、独自の個別のテンプレートがあります。", "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", + "id": "E01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", "severity": "低い", "subcategory": "管理", - "text": "AVD 設定の構成に組み込みの管理用テンプレートを使用する" + "text": "付属の組み込み管理用テンプレートを使用して AVD 
設定の構成を行う", + "waf": "オペレーションズ" }, { "category": "監視と管理", - "description": "初期展開後にホスト プール VM の構成を管理するための構成管理ツールが既に配置されているかどうかを確認します (SCCM/SCOM、Intune/ConfigurationManager、第 3 パーティのソリューションなど)。", + "description": "初期デプロイ後にホスト プール VM 構成を管理するための構成管理ツール (SCCM/SCOM、Intune/ConfigurationManager、サード パーティ ソリューションなど) が既に配置されているかどうかを確認します。", "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", + "id": "E01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/management", "severity": "低い", "subcategory": "管理", - "text": "AVD セッションホストの構成管理戦略の計画" + "text": "AVD セッションホストの構成管理戦略を計画する", + "waf": "オペレーションズ" }, { "category": "監視と管理", - "description": "要件を満たすことができる場合は、Microsoft Intune を使用して Azure 仮想デスクトップ環境を管理することをお勧めします。AVD セッション ホスト管理用に Intune を有効にするためのサポートされているシナリオと要件については、「詳細情報」列の参照記事を参照してください。[コメント] 列に選択内容を記入します。この記事では、シングルセッション https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop とマルチセッション https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD のさまざまな要件と機能を確認します。", + "description": "要件を満たすことができる場合は、Microsoft Intune を使用して Azure Virtual Desktop 環境を管理することをお勧めします。AVD セッション ホスト管理のために Intune を有効にするためにサポートされているシナリオと要件については、参照されている記事の [詳細情報] 列を参照してください。選択内容を「コメント」列に記入します。その記事では、シングルセッション https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop とマルチセッション https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD のさまざまな要件と機能を確認してください。", "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", + "id": "E01.03", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", "severity": "中程度", "subcategory": "管理", - "text": "AVD セッション ホスト管理のための Intune の評価" + "text": "Intune for AVD セッション ホストの管理を評価する", + "waf": "オペレーションズ" }, { "category": "監視と管理", - "description": "スケーリング ツールは、セッション ホスト VM のコストを最適化したいお客様向けに、低コストの自動化オプションを提供します。スケーリング ツールを使用して、ピーク時とオフピーク時の営業時間に基づいて VM を起動および停止するようにスケジュールしたり、CPU コアあたりのセッション数に基づいて VM をスケールアウトしたり、オフピーク時に VM 
をスケールインしたりして、セッション ホスト VM の最小数を実行したままにすることができます。パーソナルホストプールタイプではまだ使用できません。", + "description": "スケーリング ツールは、セッション ホスト VM のコストを最適化したいお客様に低コストの自動化オプションを提供します。スケーリング ツールを使用して、ピーク時とオフピーク時の営業時間に基づいて VM の開始と停止をスケジュールしたり、CPU コアあたりのセッション数に基づいて VM をスケールアウトしたり、オフピーク時に VM をスケールインしたりして、セッション ホスト VM の最小数を実行したままにすることができます。個人用ホスト プールの種類ではまだ使用できません。", "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", + "id": "E01.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", "severity": "中程度", "subcategory": "管理", - "text": "ホスト プールの自動スケーリング機能の要件を評価する" + "text": "ホスト プールの自動スケーリング機能の要件を評価する", + "waf": "確実" }, { "category": "監視と管理", - "description": "VM On Connect を起動すると、エンド ユーザーが必要なときにのみセッション ホスト仮想マシン (VM) をオンにできるようにすることで、コストを削減できます。その後、不要なときに VM をオフにすることができます。Azure ポータルまたは PowerShell を使用して、個人用またはプールされたホスト プールに対して接続時に VM を起動するように構成できます。[接続時に VM を起動する] は、ホスト プール全体の設定です。", + "description": "Start VM On Connect を使用すると、エンド ユーザーが必要なときにのみセッション ホスト仮想マシン (VM) をオンにできるようにすることで、コストを削減できます。その後、不要な VM をオフにすることができます。個人用またはプールされたホスト プールの Start VM on Connect は、Azure portal または PowerShell を使用して構成できます。[Start VM on Connect](接続時に VM を起動する) は、ホスト プール全体の設定です。", "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", + "id": "E01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", "severity": "低い", "subcategory": "管理", - "text": "個人用ホスト プールの接続時に VM を起動する の使用を検討する" + "text": "個人用ホストプールの Connect での VM の起動の使用を検討する", + "waf": "費用" }, { "category": "監視と管理", - "description": "「接続時にVMを起動する」は、以前に停止したセッションホストを自動的に起動するスマートな方法を提供しますが、使用されていないときにシャットダウンするメカニズムは提供しません。管理者は、追加のポリシーを構成してユーザーをセッションからサインアウトし、Azure 自動化スクリプトを実行して VM の割り当てを解除することをお勧めします。 Azure VM の割り当てを解除できないため、ユーザーは個人用ホストをシャットダウンできないようにする必要があります。", + "description": "「Start VM On Connect」は、以前に停止したセッションホストを自動的に起動するスマートな方法を提供しますが、使用されていないときにシャットダウンするメカニズムは提供しません。管理者は、追加のポリシーを構成して、ユーザーをセッションからサインアウトし、Azure Automation スクリプトを実行して VM の割り当てを解除することをお勧めします。 ユーザーは Azure VM 
の割り当てを解除できないため、個人用ホストをシャットダウンすることはできませんが、その場合、コスト削減なしで課金は引き続き有効になります。", "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", + "id": "E01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", "severity": "低い", "subcategory": "管理", - "text": "パーソナル AVD セッションホストをシャットダウンするアドホックメカニズムの実装を評価する" + "text": "アドホック メカニズムの実装を評価して、パーソナル AVD セッション ホストをシャットダウンします", + "waf": "費用" }, { "category": "監視と管理", - "description": "Azure Virtual Desktop の課金は、主にホスト プールによって消費されるコンピューティング、ネットワーク、およびストレージ リソースに関連するコストに基づきます。これに加えて、コストは、VPN や ExpressRoute や vWAN、Active Directory ドメイン コントローラー、DNS などの依存リソースによって生成される可能性があります。ワークスペース、ホストプール、アプリケーショングループなどの AVD オブジェクトに関連する直接コストはありません。AVD に関連するコストをより明確にし、ホスト プールごとにグループ化するには、「cm-resource-parent」タグを使用することをお勧めします。", + "description": "Azure Virtual Desktop の課金は、主に、ホスト プールによって消費されるコンピューティング、ネットワーク、ストレージ リソースに関連するコストに基づいています。これに加えて、VPN、ExpressRoute、vWAN、Active Directory ドメイン コントローラー、DNS などの依存リソースによってコストが発生する可能性があります。ワークスペース、ホストプール、アプリケーション グループなどの AVD オブジェクトに関連する直接コストはありません。AVD 関連のコストをより明確にし、ホスト プールごとにグループ化するには、「cm-resource-parent」タグを使用することをお勧めします。", "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", + "id": "E01.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", "severity": "低い", "subcategory": "管理", - "text": "Azure 仮想デスクトップ用に推奨される Azure タグを確認して採用する" + "text": "Azure Virtual Desktop に推奨される Azure タグを確認して導入する", + "waf": "費用" }, { "category": "監視と管理", - "description": "Azure Advisor は、構成とテレメトリを分析して、一般的な問題を解決するためのパーソナライズされた推奨事項を提供します。これらの推奨事項を使用すると、信頼性、セキュリティ、オペレーショナル エクセレンス、パフォーマンス、コストに関して Azure リソースを最適化できます。", + "description": "Azure Advisor は、構成とテレメトリを分析して、一般的な問題を解決するためのパーソナライズされた推奨事項を提供します。これらの推奨事項を使用すると、信頼性、セキュリティ、オペレーショナル エクセレンス、パフォーマンス、コストのために Azure リソースを最適化できます。", "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", + "id": "E01.08", "link": 
"https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", "severity": "低い", "subcategory": "管理", - "text": "AVD に関する Azure アドバイザーの推奨事項を定期的に確認する" + "text": "AVD に関する Azure Advisor の推奨事項を定期的に確認する", + "waf": "オペレーションズ" }, { "category": "監視と管理", - "description": "お客様にはいくつかのオプションがあります。 Microsoft 構成マネージャー、この記事では、Windows 10/11: https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-automatic-updates、Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session、Azure Update Management、および Windows Server OS のみの WSUS を実行している Azure 仮想デスクトップ セッション ホストに更新プログラムを自動的に適用する方法について説明します (クライアント OS はサポートされていません)。 https://learn.microsoft.com/en-us/azure/automation/update-management/operating-system-requirements)、第三者のツール。緊急のセキュリティパッチ適用状況以外では、「インプレース」更新戦略パッチ適用戦略から離れ、再イメージングアプローチを採用することをお勧めします。", + "description": "お客様にはいくつかのオプションがあります。 Microsoft Configuration Manager、この記事では、Windows 10/11 を実行している Azure Virtual Desktop セッション ホストに更新プログラムを自動的に適用する方法について説明します: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates、Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session、Azure Update Management、WSUS for Windows Server OS のみ (クライアント OS はサポートされていません。 https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements)、3rdパーティツール。緊急のセキュリティ修正プログラムの適用状況以外では、\"インプレース\" 更新戦略の修正プログラムの適用戦略から離れ、再イメージ化アプローチを採用することをお勧めします。", "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", + "id": "E01.09", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "severity": "中程度", "subcategory": "管理", - "text": "セッションホストの緊急パッチ適用と更新戦略を計画する" + "text": "セッション ホストの緊急パッチ適用と更新戦略を計画する", + "waf": "オペレーションズ" }, { "category": "監視と管理", - "description": "スケジュールされたエージェントアップデート機能を使用すると、ホストプールごとに最大 2 つのメンテナンスウィンドウを作成して、都合の良いときに AVD 
コンポーネントを更新できます。メンテナンスウィンドウを指定すると、セッションホストのアップグレードは営業時間のピーク時に行われません。スケジュールされたエージェントのアップデートは、デフォルトでは無効になっています。つまり、この設定を有効にしない限り、エージェント更新フライティングサービスによってエージェントをいつでも更新できます。", + "description": "スケジュールされたエージェントの更新機能を使用すると、ホスト プールごとに最大 2 つのメンテナンス ウィンドウを作成して、都合の良いときに AVD コンポーネントを更新できます。メンテナンス期間を指定して、セッション ホストのアップグレードが営業時間のピーク時に行われないようにすることをお勧めします。スケジュールされたエージェントの更新は、デフォルトでは無効になっています。つまり、この設定を有効にしない限り、エージェントはエージェント更新フライティング サービスによっていつでも更新できます。", "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", + "id": "E01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "severity": "低い", "subcategory": "管理", - "text": "スケジュールされたエージェント更新機能の構成" + "text": "スケジュールされたエージェント更新機能を構成する", + "waf": "確実" }, { "category": "監視と管理", - "description": "ホスト プールは、Azure 仮想デスクトップ環境内の 1 つ以上の同一の仮想マシンのコレクションです。サービス更新プログラムが最初に適用される検証ホスト プールを作成することを強くお勧めします。これにより、サービスの更新を標準環境または非検証環境に適用する前に監視できます。", + "description": "ホスト プールは、Azure Virtual Desktop 環境内の 1 つ以上の同一の仮想マシンのコレクションです。サービスの更新が最初に適用される検証ホスト プールを作成することを強くお勧めします。これにより、サービスが標準環境または非検証環境に適用する前に、サービスの更新を監視できます。", "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "id": "E01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "severity": "中程度", "subcategory": "管理", - "text": "検証 (カナリア) ホスト プールを作成する" + "text": "検証 (カナリア) ホスト プールを作成するCreate a validation (Canary) Host Pool", + "waf": "オペレーションズ" }, { "category": "監視と管理", - "description": "AVD ホスト プールは、Azure ポータル、ARM テンプレート、Azure CLI ツール、Powershell、登録トークンを使用した手動 VM 作成、Terraform、3 番目のパーティ製ツールなど、いくつかの方法で展開できます。自動化および CI/CD ツールによる自動デプロイをサポートするために、適切な方法を採用することが重要です。", + "description": "AVD ホスト プールは、Azure Portal、ARM テンプレート、Azure CLI ツール、Powershell、登録トークンを使用した手動 VM 作成、Terraform、サードパーティ ツールなど、いくつかの方法でデプロイできます。自動化ツールと CI/CD ツールによる自動デプロイをサポートするには、適切な方法を採用することが重要です。", "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "id": "E01.12", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", 
"severity": "中程度", "subcategory": "管理", - "text": "ホスト プールの展開戦略を決定する" + "text": "ホスト プールのデプロイ戦略を決定する", + "waf": "オペレーションズ" }, { "category": "監視と管理", "description": "Azure Virtual Desktop サービス内のホスト プールに VM を登録すると、VM がアクティブになるたびに、エージェントによって VM のトークンが定期的に更新されます。登録トークンの証明書は 90 日間有効です。この 90 日間の制限のため、マシンがトークンを更新し、エージェントとサイド バイ サイド スタック コンポーネントを更新できるように、VM を 90 日ごとに 20 分間オンラインにすることをお勧めします。", "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "id": "E01.13", "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "severity": "中程度", "subcategory": "管理", - "text": "トークンの更新のために少なくとも 90 日ごとにセッション ホスト VM をオンにする" + "text": "トークンの更新のために少なくとも 90 日ごとにセッション ホスト VM を有効にするTurn on Session Host VMs at least 90 days for token refresh", + "waf": "オペレーションズ" }, { "category": "監視と管理", - "description": "Azure Virtual Desktop Insights は、Azure Monitor ブック上に構築されたダッシュボードであり、IT プロフェッショナルが Azure Virtual Desktop 環境を理解するのに役立ちます。AVD 環境を監視するように Azure 仮想デスクトップ用 Azure Monitor を設定する方法については、参照されている記事をお読みください。", + "description": "Azure Virtual Desktop 分析情報は、IT プロフェッショナルが Azure Virtual Desktop 環境を理解するのに役立つ、Azure Monitor ブック上に構築されたダッシュボードです。AVD 環境を監視するために Azure Virtual Desktop 用に Azure Monitor を設定する方法については、参照されている記事をお読みください。", "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "id": "E02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "severity": "高い", "subcategory": "モニタリング", - "text": "AVD のモニタリングを有効にする" + "text": "AVD のモニタリングを有効にする", + "waf": "確実" }, { "category": "監視と管理", - "description": "Azure Virtual Desktop では、他の多くの Azure サービスと同様に、監視とアラートに Azure Monitor と Log Analytics が使用されます。これにより、管理者は単一のインターフェイスから問題を特定できます。このサービスは、ユーザー操作と管理者操作の両方のアクティビティ ログを作成します。 各アクティビティ ログは、管理、フィード、接続、ホスト登録、エラー、チェックポイントのカテゴリに分類されます。", + "description": "Azure Virtual Desktop では、他の多くの Azure サービスと同様に、監視とアラートに Azure Monitor と Log Analytics を使用します。これにより、管理者は 1 つのインターフェイスで問題を特定できます。このサービスは、ユーザー操作と管理操作の両方のアクティビティ ログを作成します。 各アクティビティ ログは、管理、フィード、接続、ホスト登録、エラー、チェックポイントのカテゴリに分類されます。", "guid": 
"81770afb-c4c0-4e43-a186-58d2857ed671", + "id": "E02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "severity": "中程度", "subcategory": "モニタリング", - "text": "ワークスペース、ホスト プール、アプリケーション グループ、および Log Analytics ワークスペースへのホスト VM の診断設定を有効にする" + "text": "ワークスペース、ホスト プール、アプリケーション グループ、ホスト VM の診断設定を Log Analytics ワークスペースで有効にする", + "waf": "確実" }, { "category": "監視と管理", - "description": "参照されている記事と、ストレージの適切な監視とアラートを設定するには、次の追加の記事を参照してください。 https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance。", + "description": "ストレージの適切な監視とアラートを設定するには、参照されている記事とこの追加の記事を参照してください: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance。", "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "id": "E02.03", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "severity": "中程度", "subcategory": "モニタリング", - "text": "プロファイルストレージにアラートを作成して、使用率とスロットリングが高い場合にアラートを受け取る" + "text": "プロファイルストレージに関するアラートを作成して、使用率が高く、調整された場合にアラートを受け取る", + "waf": "確実" }, { "category": "監視と管理", - "description": "Azure サービス正常性を使用して、Azure 仮想デスクトップのサービスの問題と正常性アドバイザリを監視できます。Azure Service Health では、さまざまな種類のアラート (電子メールや SMS など) で通知し、問題の影響を理解し、問題の解決時に最新情報を入手できます。", + "description": "Azure Service Health を使用して、Azure Virtual Desktop のサービスの問題と正常性アドバイザリを監視できます。Azure Service Health では、さまざまな種類のアラート (電子メールや SMS など) で通知し、問題の影響を理解し、問題が解決したときに最新情報を入手できます。", "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "id": "E02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "severity": "中程度", "subcategory": "モニタリング", - "text": "AVD アラートの Azure サービス正常性を構成する" + "text": "AVD アラート用に Azure Service Health を構成する", + "waf": "確実" }, { "category": "ネットワーキング", - "description": "オンプレミス環境に接続する必要がある場合は、現在の接続オプションを評価するか、必要な接続 (ExpressRoute、Azure S2S、または第 3 パーティの NVA VPN) を計画します。", + "description": "オンプレミス環境に接続する必要がある場合は、現在の接続オプションを評価するか、必要な接続 (ExpressRoute、Azure S2S、またはサード パーティの 
NVA VPN) を計画します。", "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "id": "F01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "中程度", "subcategory": "ネットワーキング", - "text": "オンプレミス環境への接続にハイブリッド接続が必要かどうかを判断する" + "text": "オンプレミス環境への接続にハイブリッド接続が必要かどうかを判断する", + "waf": "確実" }, { "category": "ネットワーキング", - "description": "AVD ホスト プールは、Azure Virtual WAN または従来の「ハブ&スポーク」ネットワーク トポロジのいずれかにデプロイできます。各ホスト プールを個別の \"スポーク\" VNet にデプロイすることをお勧めしますが、\"hub\" を使用することはお勧めしません。", + "description": "AVD ホスト プールは、Azure Virtual WAN または従来の \"ハブ & スポーク\" ネットワーク トポロジのいずれかにデプロイできます。各ホスト プールを個別の \"スポーク\" VNet にデプロイすることをお勧めしますが、\"ハブ\" を使用することはお勧めしません。", "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "id": "F01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "severity": "中程度", "subcategory": "ネットワーキング", - "text": "各 AVD ホスト プールの Azure 仮想ネットワーク (VNet) の配置を決定する" + "text": "各 AVD ホスト プールの Azure Virtual Network (VNet) の配置を決定する", + "waf": "パフォーマンス" }, { "category": "ネットワーキング", - "description": "帯域幅要件を評価し、VPN/ER帯域幅が十分であることを確認し、適切なルーティングとファイアウォールルールが設定されていることを確認し、エンドツーエンドの遅延をテストします。", + "description": "帯域幅要件を評価し、VPN/ER 帯域幅が十分であることを確認し、適切なルーティングとファイアウォール ルールが設定されていることを確認し、エンドツーエンドの待機時間をテストします。", "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "id": "F01.03", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "中程度", "subcategory": "ネットワーキング", - "text": "AVD ホストプールから必要なオンプレミスリソースを評価する" + "text": "AVD ホストプールから必要なオンプレミス リソースを評価する", + "waf": "確実" }, { "category": "ネットワーキング", - "description": "いくつかのオプションを使用できます。Azure Firewall または同等のサードパーティの NVA、ネットワーク セキュリティ グループ (NSG)、プロキシ サーバーを使用できます。NSG では、URL による有効化/無効化はできず、ポートとプロトコルのみが可能です。プロキシは、ユーザーブラウザの明示的な設定としてのみ使用する必要があります。AVD での Azure Firewall Premium の使用の詳細については、関連記事の「詳細情報」列で報告されています。必要な AVD URL への適切なアクセスを許可してください。オンプレミスへの強制トンネリングは推奨されません。", + "description": 
"いくつかのオプションを使用できます。Azure Firewall または同等のサード パーティの NVA、ネットワーク セキュリティ グループ (NSG)、プロキシ サーバーを使用できます。NSG では、URL による有効化/無効化はできず、ポートとプロトコルのみを有効化/無効化できます。プロキシは、ユーザーのブラウザーで明示的に設定するためにのみ使用する必要があります。AVD での Azure Firewall Premium の使用の詳細については、関連記事の「詳細情報」列を参照してください。必要な AVD URL への適切なアクセスを許可してください。オンプレミスへの強制トンネリングは推奨されません。", "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": " https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "id": "F01.04", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "中程度", "subcategory": "ネットワーキング", - "text": "AVD ホストのインターネットアウトバウンドトラフィックを制御/制限する必要がありますか?" + "text": "AVD ホストのインターネット アウトバウンド トラフィックを制御/制限する必要がありますか?", + "waf": "安全" }, { "category": "ネットワーキング", - "description": "セッションホストによる AVD コントロールプレーンアクセスに必要な URL については、次の https://docs.microsoft.com/azure/virtual-desktop/safe-url-list を参照してください。セッション ホストからの接続を確認するためのチェック ツールを使用できます。 https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool。オンプレミスへの強制トンネリングは推奨されません。", + "description": "セッションホストによる AVD コントロールプレーンアクセスに必要な URL については、https://docs.microsoft.com/azure/virtual-desktop/safe-url-list を参照してください。セッション ホストからの接続を確認するためのチェック ツールを使用できます: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool。オンプレミスへの強制トンネリングは推奨されません。", "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "id": "F01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", "severity": "高い", "subcategory": "ネットワーキング", - "text": "AVD コントロールプレーンエンドポイントにアクセスできることを確認する" + "text": "AVD コントロール プレーンのエンドポイントにアクセスできることを確認する", + "waf": "確実" }, { "category": "ネットワーキング", - "description": "Azure Defender エンドポイントまたは同様の第三者エージェントを使用してユーザーの Web ナビゲーションを制御することを検討してください。詳細については、「セキュリティ」セクションを参照してください。", + "description": "Azure Defender エンドポイントまたは同様のサード パーティ エージェントを使用してユーザーの Web ナビゲーションを制御することを検討してください (詳細については、「セキュリティ」セクションを参照してください)。", "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "id": 
"F01.06", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "severity": "中程度", "subcategory": "ネットワーキング", - "text": "AVD ホスト上のユーザに対してのみインターネットアウトバウンドトラフィックを制御/制限する必要がありますか?" + "text": "AVD ホスト上のユーザーに対してのみ、インターネットの送信トラフィックを制御/制限する必要がありますか?", + "waf": "安全" }, { "category": "ネットワーキング", - "description": "カスタム UDR と NSG は、Azure ファイアウォールや NVA へのリダイレクトや、ネットワーク トラフィックのフィルター処理/ブロックなど、AVD ホスト プール サブネットに適用できます。この場合、AVD コントロールプレーンへのアウトバウンドトラフィックの最適なパスが使用されていることを慎重に確認することをお勧めします。サービスタグをUDRおよびNSGで使用できるようになり、AVD管理プレーントラフィックを簡単に許可できるようになりました https://learn.microsoft.com/en-us/azure/virtual-desktop/safe-url-list。", + "description": "カスタム UDR と NSG は、Azure Firewall や NVA へのリダイレクトや、ネットワーク トラフィックのフィルター処理やブロックなどのために、AVD ホスト プールのサブネットに適用できます。この場合、AVD コントロール プレーンへの送信トラフィックの最適なパスが使用されていることを確認するために、慎重に確認することをお勧めします。サービス タグを UDR と NSG で使用できるようになり、AVD 管理プレーンのトラフィックを簡単に許可できるようになりました https://learn.microsoft.com/azure/virtual-desktop/safe-url-list。", "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "id": "F01.07", "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "低い", "subcategory": "ネットワーキング", - "text": "AVD ホストプールサブネットのカスタム UDR および NSG を確認する" + "text": "AVD ホスト プール サブネットのカスタム UDR と NSG を確認する", + "waf": "安全" }, { "category": "ネットワーキング", - "description": "AVD セッションホスト VM から AVD コントロールプレーンへのネットワークトラフィックは、可能な限り直接的にする必要があります。ディープパケットインスペクションやSSLターミネーションを使用してプロキシまたはファイアウォールを介してこのトラフィックをリダイレクトすると、深刻な問題やカスタマーエクスペリエンスの低下を引き起こす可能性があります。AVD コントロールプレーンのためだけにプロキシとファイアウォールをバイパスすることを推奨します。代わりに、Webサーフィンを行うユーザー生成トラフィックは、ファイアウォールによってフィルタリングされるか、プロキシにリダイレクトされる必要があります。詳細とガイドラインについては、[詳細情報] 列の関連記事をご覧ください。", + "description": "AVD セッション ホスト VM から AVD コントロール プレーンへのネットワーク トラフィックは、できるだけ直接的に行う必要があります。ディープ パケット インスペクションや SSL ターミネーションを使用してプロキシまたはファイアウォールを介してこのトラフィックをリダイレクトすると、深刻な問題が発生し、カスタマー エクスペリエンスが低下する可能性があります。プロキシとファイアウォールは、AVD コントロール 
プレーンのためだけにバイパスすることをお勧めします。代わりに、Webを閲覧するユーザー生成トラフィックは、ファイアウォールによってフィルタリングされるか、プロキシにリダイレクトされる必要があります。詳細とガイドラインについては、「詳細情報」列の関連記事を参照してください。", "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", + "id": "F01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", "severity": "高い", "subcategory": "ネットワーキング", - "text": "AVD コントロールプレーントラフィックにプロキシサーバ、SSL ターミネーション、ディープパケットインスペクションを使用しないでください" + "text": "AVD コントロール プレーン トラフィックにプロキシ サーバー、SSL ターミネーション、ディープ パケット インスペクションを使用しないでください", + "waf": "確実" }, { "category": "ネットワーキング", - "description": "特定のワークロードの種類に基づいて、ユーザーのネットワーク帯域幅要件を評価および確認することをお勧めします。参照されている記事は一般的な見積もりと推奨事項を提供しますが、適切なサイズ設定には特定の手段が必要です。", + "description": "特定のワークロードの種類に基づいて、ユーザーのネットワーク帯域幅要件を評価および確認することをお勧めします。参照されている記事には、一般的な見積もりと推奨事項が記載されていますが、適切なサイジングには特定の対策が必要です。", "guid": "516785c6-fa96-4c96-ad88-408f372734c8", + "id": "F01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", "severity": "低い", "subcategory": "ネットワーキング", - "text": "VM SKU の各ユーザーおよび合計に必要なネットワーク帯域幅を確認する" + "text": "各ユーザーに必要なネットワーク帯域幅と、VM SKU の合計を確認する", + "waf": "パフォーマンス" }, { "category": "ネットワーキング", - "description": "Azure Files SMB 共有を使用して FSLogix 経由でユーザー プロファイルを格納する場合は、ストレージへのプライベート アクセスにプライベート エンドポイント (PE) を使用することをお勧めします。AVD セッションホストは、同じ VNet 内のプライベート IP を使用してストレージにアクセスするため、別のサブネットをお勧めします。この機能には、評価が必要な追加コストがあります。PE を使用しない場合は、少なくともサービス エンドポイントをお勧めします (コストは関連付けられません)。", + "description": "Azure Files SMB 共有を使用して FSLogix 経由でユーザー プロファイルを格納する場合は、ストレージへのプライベート アクセスにプライベート エンドポイント (PE) を使用することをお勧めします。AVD セッション ホストは、同じ VNet 内のプライベート IP を使用してストレージにアクセスするため、別のサブネットをお勧めします。この機能には、評価が必要な追加コストがあります。PE を使用しない場合は、少なくともサービス エンドポイントをお勧めします (コストはかかりません)。", "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "id": "F01.10", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "severity": "中程度", "subcategory": "ネットワーキング", - "text": "Azure ファイル共有のプライベート エンドポイントの使用状況を評価する" + "text": "Azure Files 共有の使用状況プライベート エンドポイントを評価する", + 
"waf": "安全" }, { "category": "ネットワーキング", - "description": "Azure 仮想デスクトップへの接続では、TCP または UDP を使用できます。RDP ショートパスは、サポートされている Windows リモートデスクトップクライアントとセッションホスト間の直接 UDP ベースのトランスポートを確立する AVD の機能です。クライアントが内部ネットワークから AVD セッションホストへの通信経路を持っている場合(VPN の使用は推奨されません)、https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits で説明されているように、この機能はより低い遅延と最高のパフォーマンスを提供できます。", + "description": "Azure Virtual Desktop への接続には、TCP または UDP を使用できます。RDP Shortpath は、サポートされている Windows リモート デスクトップ クライアントとセッション ホストの間に直接 UDP ベースのトランスポートを確立する AVD の機能です。クライアントが内部ネットワークから AVD セッションホストを通信できる場合(VPN の使用は推奨されません)、この機能により、https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits で説明するように、レイテンシが低く、最高のパフォーマンスが得られます。", "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", + "id": "F01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", "severity": "中程度", "subcategory": "ネットワーキング", - "text": "管理された内部ネットワークから接続するクライアントに対する RDP ShortPath の使用を評価する" + "text": "管理された内部ネットワークから接続するクライアントの RDP ShortPath の使用状況を評価する", + "waf": "パフォーマンス" }, { "category": "安全", - "description": "GPO によって提供されるセキュリティ メカニズムがある場合は、使用する必要があります。たとえば、デスクトップ画面ロックとアイドルセッション切断時間を課すことができます。オンプレミス環境に適用された既存の GPO を確認し、最終的にはドメインに参加したときに AVD ホストもセキュリティで保護するためにも適用する必要があります。", + "description": "GPO によって提供されるセキュリティ メカニズムがある場合は、それを使用する必要があります。たとえば、デスクトップ画面のロックやアイドル状態のセッション切断時間を課すことができます。オンプレミス環境に適用されている既存の GPO を確認し、最終的にドメインに参加しているときに AVD ホストも保護するために適用する必要があります。", "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", + "id": "G01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", "severity": "中程度", - "subcategory": "アクティブディレクトリ", - "text": "RDP セッションをセキュリティで保護するためのアクティブ ディレクトリ GPO の確認" + "subcategory": "Active Directory", + "text": "Active Directory GPO を確認して RDP セッションをセキュリティで保護する", + "waf": "安全" }, { "category": "安全", - "description": "Microsoft Defender for Endpoint 
は、Windows 10/11 Enterprise マルチセッション用の Azure Virtual Desktop をサポートしています。非永続的な仮想デスクトップ インフラストラクチャ (VDI) デバイスのオンボードに関する記事を確認してください: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", + "description": "Microsoft Defender for Endpointでは、Windows 10/11 Enterprise マルチセッション用のAzure Virtual Desktopがサポートされています。非永続的な仮想デスクトップ インフラストラクチャ (VDI) デバイスのオンボードに関する記事を確認してください: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", "guid": "b1172576-9ef6-4691-a483-5ac932223ece", + "id": "G02.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "severity": "高い", "subcategory": "ホスト構成", - "text": "ウイルス対策およびマルウェア対策ソリューションが使用されていることを確認する" + "text": "ウイルス対策およびマルウェア対策ソリューションが使用されていることを確認する", + "waf": "安全" }, { "category": "安全", - "description": "Azure のディスクは、既定では Microsoft マネージド キーを使用して保存時に既に暗号化されています。ホスト VM OS ディスク暗号化は、Azure ディスク暗号化 (ADE - BitLocker) とディスク暗号化セット (DES - サーバー側暗号化) を使用して可能であり、サポートされていますが、後者をお勧めします。Azure Files を使用した FSLogix ストレージの暗号化は、Azure Storage 上の SSE を使用して実行できます。OneDrive の暗号化については、次の記事を参照してください https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services。", + "description": "Azure のディスクは、既定で Microsoft マネージド キーを使用して保存時に既に暗号化されています。ホスト VM OS ディスクの暗号化は、Azure Disk Encryption (ADE - BitLocker) とディスク暗号化セット (DES - サーバー側暗号化) を使用して可能であり、サポートされていますが、後者をお勧めします。Azure Files を使用した FSLogix ストレージの暗号化は、Azure Storage で SSE を使用して行うことができます。OneDrive の暗号化については、こちらの記事を参照してください: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services。", "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", + "id": "G02.02", "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", "severity": "低い", "subcategory": "ホスト構成", - "text": "AVD セッションホストのディスク暗号化要件を評価する" + "text": "AVD セッションホストのディスク暗号化要件を評価する", + "waf": "安全" }, { 
"category": "安全", - "description": "トラステッド起動は、ルートキット、ブート キット、カーネル レベルのマルウェアなどの攻撃ベクトルによる \"スタックの最下位\" の脅威から保護することを目的とした、強化されたセキュリティ機能を備えた Gen2 Azure VM です。セキュアブート、仮想TPM(vTPM)、および変更監視を有効にして活用することをお勧めします。", + "description": "トラステッド起動は、ルートキット、ブート キット、カーネル レベルのマルウェアなどの攻撃ベクトルによるスタックの下部の脅威から保護することを目的とした、強化されたセキュリティ機能を備えた Gen2 Azure VM です。セキュアブート、仮想TPM (vTPM)、および変更監視を有効にして活用することをお勧めします。", "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", + "id": "G02.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", "severity": "中程度", "subcategory": "ホスト構成", - "text": "Azure Gen2 VM セッション ホストでの信頼された起動を有効にする" + "text": "Azure Gen2 VM セッション ホストでのトラステッド起動の有効化", + "waf": "安全" }, { "category": "安全", - "description": "トラステッド起動と Gen2 VM は、セキュリティとパフォーマンスを向上させる機能であるだけでなく、Windows 11 のシステム要件でもあります。Windows 11に基づいてAVD環境を構築する場合は、これらの機能を有効にすることが不可欠です。", + "description": "トラステッド起動と Gen2 VM は、セキュリティとパフォーマンスを強化する機能であるだけでなく、Windows 11 のシステム要件でもあります。Windows 11 に基づいて AVD 環境を構築する場合は、これらの機能を有効にすることが不可欠です。", "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", + "id": "G02.04", "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", "severity": "高い", "subcategory": "ホスト構成", - "text": "トラステッド起動を有効にしてGen2イメージを使用するのは、Windows11のシステム要件です" + "text": "トラステッド起動を有効にし、Gen2 イメージを使用するのは、Windows 11 のシステム要件です", + "waf": "安全" }, { "category": "安全", - "description": "表示されたコンテンツは、スクリーンショットで自動的にブロックまたは非表示になります。画面共有を使用するTeamsやその他のコラボレーションソフトウェアを使用する場合も、画面共有がブロックされることに注意してください。", + "description": "表示されるコンテンツは、スクリーンショットで自動的にブロックまたは非表示になります。画面共有を使用するTeamsまたはその他のコラボレーションソフトウェアを使用する場合も、画面共有がブロックされることに注意してください。", "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", + "id": "G02.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", "severity": "低い", "subcategory": "ホスト構成", - "text": "機密情報がキャプチャされないように、画面キャプチャ保護を有効にすることを検討してください" + "text": "機密情報がキャプチャされるのを防ぐために、画面キャプチャ保護を有効にすることを検討してください", + "waf": "安全" }, { 
"category": "安全", - "description": "絶対に必要でない場合は、リモート デスクトップ セッションでドライブ、プリンター、および USB デバイスをユーザーのローカル デバイスにリダイレクトすることを無効にするか、厳しく制限する必要があります。ローカルおよびリモートのドライブマッピングを非表示にしてWindowsエクスプローラーへのアクセスを制限することも、ユーザーがシステム構成とユーザーに関する不要な情報を発見するのを防ぐための安全な手段です。", + "description": "どうしても必要でない場合は、リモートデスクトップセッションでドライブ、プリンター、およびUSBデバイスをユーザーのローカルデバイスにリダイレクトすることを無効にするか、厳しく制限する必要があります。ローカルとリモートのドライブマッピングを非表示にしてWindowsエクスプローラーへのアクセスを制限することも、ユーザーがシステム構成とユーザーに関する不要な情報を発見するのを防ぐための安全な手段です。", "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", + "id": "G02.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", "severity": "中程度", "subcategory": "ホスト構成", - "text": "デバイスのリダイレクトとドライブマッピングを制限する" + "text": "デバイスのリダイレクトとドライブマッピングを制限する", + "waf": "安全" }, { "category": "安全", - "description": "導入モデルを選択するときは、リモートユーザーに仮想デスクトップ全体へのアクセスを提供するか、選択したアプリケーションのみを提供できます。リモート アプリケーション (RemoteApps) は、ユーザーが仮想デスクトップ上のアプリを操作するときにシームレスなエクスペリエンスを提供します。RemoteApp は、アプリケーションによって公開されているリモート コンピューターのサブセットのみをユーザーが操作できるようにすることで、リスクを軽減します。", + "description": "展開モデルを選択するときは、仮想デスクトップ全体へのリモート ユーザーへのアクセスを提供するか、選択したアプリケーションのみを許可するかを選択できます。リモート アプリケーション (RemoteApp) は、ユーザーが仮想デスクトップ上のアプリを操作するときにシームレスなエクスペリエンスを提供します。RemoteApp は、アプリケーションによって公開されているリモート コンピューターのサブセットのみをユーザーが操作できるようにすることで、リスクを軽減します。", "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", + "id": "G03.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "中程度", "subcategory": "管理", - "text": "可能な場合は、フルデスクトップ (DAG) よりもリモート アプリを優先する" + "text": "可能な場合は、フル デスクトップ (DAG) よりもリモート アプリを優先します", + "waf": "安全" }, { "category": "安全", - "description": "エンドポイントの Microsoft Defender の Web 保護機能によって提供される Web コンテンツ フィルター機能を使用して、ユーザーの Web ナビゲーションを制御できます。このツールを使用する場合は、ユーザーのインターネット閲覧用にWebフィルタリングを設定することをお勧めします。ゲスト OS システムによる必要な AVD コントロールプレーン URL へのアクセスを保証する必要があります。", + "description": "Microsoft Defender for Endpointの Web 保護機能によって提供される Web コンテンツ フィルター機能を使用して、ユーザーの Web 
ナビゲーションを制御できます。このツールを使用する場合は、ユーザーのインターネット閲覧用にWebフィルタリングを設定することをお勧めします。ゲスト OS システムから必要な AVD コントロール プレーン URL へのアクセスを保証する必要があります。", "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "id": "G03.02", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "中程度", "subcategory": "管理", - "text": "AVD セッションホストからのユーザーのインターネットナビゲーションを制御/制限する必要がありますか?" + "text": "AVD セッション ホストからのユーザーのインターネット ナビゲーションを制御/制限する必要がありますか?", + "waf": "安全" }, { "category": "安全", - "description": "仮想デスクトップへの管理者アクセス権をユーザーに付与しないことをお勧めします。ソフトウェアパッケージが必要な場合は、構成管理ユーティリティを使用して使用できるようにすることをお勧めします。", + "description": "仮想デスクトップへの管理者アクセス権をユーザーに付与しないことをお勧めします。ソフトウェアパッケージが必要な場合は、構成管理ユーティリティから利用できるようにすることをお勧めします。", "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "id": "G03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", "severity": "高い", "subcategory": "管理", - "text": "AVD ユーザーが AVD ホストのローカル管理者権限を持たないことを確認します" + "text": "AVD ユーザーが AVD ホストのローカル管理者権限を持たないようにします。", + "waf": "安全" }, { "category": "安全", - "description": "AVD で使用されるサブスクリプション、仮想マシン、キー コンテナー、ストレージ アカウントに対して Defender for Cloud を有効にすることをお勧めします。このツールを使用すると、脆弱性の評価と管理、PCIなどの一般的なフレームワークへのコンプライアンスの評価、AVD環境の全体的なセキュリティの強化、「セキュアスコア」を使用して経時的に測定することができます https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide#improve-your-secure-score。", + "description": "AVD で使用されるサブスクリプション、仮想マシン、キー コンテナー、ストレージ アカウントに対して Defender for Cloud を有効にすることをお勧めします。このツールを使用すると、脆弱性の評価と管理、PCIなどの一般的なフレームワークへの準拠の評価、AVD環境の全体的なセキュリティの強化、および「セキュリティスコア」を使用して経時的に測定することができます:https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score。", "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "id": "G03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "severity": "中程度", "subcategory": "管理", - "text": "クラウド用 Microsoft Defender を有効にして AVD セッション ホストのセキュリティ体制を管理できるようにする" + "text": "Microsoft Defender for Cloud 
で AVD セッション ホストのセキュリティ体制を管理できるようにする", + "waf": "安全" }, { "category": "安全", "description": "監査ログの収集を有効にすると、Azure Virtual Desktop に関連するユーザーと管理者のアクティビティを表示し、Log Analytics ワークスペースなどの中央リポジトリに格納できます。", "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "id": "G03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", "severity": "中程度", "subcategory": "管理", - "text": "診断ログと監査ログを有効にする" + "text": "診断ログと監査ログを有効にする", + "waf": "安全" }, { "category": "安全", - "description": "管理、運用、エンジニアリングのロールを Azure RBAC ロールに定義することで、必要な最小限の特権を割り当てます。Azure 仮想デスクトップ ランディング ゾーン内の高い特権ロールへのアクセスを制限するには、Azure 特権 ID 管理 (PIM) との統合を検討してください。特定の管理領域ごとにどのチームが担当しているかを把握しておくと、Azure のロールベースのアクセス制御 (RBAC) のロールと構成を決定するのに役立ちます。", + "description": "管理、運用、エンジニアリングのロールを Azure RBAC ロールに定義することで、必要最小限の特権を割り当てます。Azure Virtual Desktop ランディング ゾーン内の高い特権ロールへのアクセスを制限するには、Azure Privileged Identity Management (PIM) との統合を検討してください。特定の各管理領域を担当するチームを把握することは、Azure ロールベースのアクセス制御 (RBAC) のロールと構成を決定するのに役立ちます。", "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", + "id": "G03.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", "severity": "低い", "subcategory": "管理", - "text": "AVD 管理にカスタム RBAC ロールを使用する要件を評価する" + "text": "AVD 管理にカスタム RBAC ロールを使用するための要件を評価する", + "waf": "安全" }, { "category": "安全", - "description": "AVD ユーザには、アプリケーションをインストールする権限があってはなりません。必要に応じて、Windows Defender アプリケーション制御 (WDAC) を使用して、Windows クライアントでの実行を許可するドライバーとアプリケーションを制御できます。", + "description": "AVD ユーザーには、アプリケーションをインストールする権限を与えないでください。必要に応じて、Windows Defender アプリケーション制御 (WDAC) を使用して、Windows クライアントでの実行を許可するドライバーとアプリケーションを制御できます。", "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", + "id": "G03.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", "severity": "中程度", "subcategory": "管理", - "text": "承認されていないアプリケーションのインストールをユーザーに制限する" + "text": "ユーザーによる未承認のアプリケーションのインストールを制限する", + "waf": "安全" }, { "category": "安全", - "description": "MFA と CA を有効にすると、ユーザーに 
AVD 環境へのアクセスを許可する前にリスクを管理できます。アクセスを許可するユーザーを決定するときは、ユーザーが誰であるか、サインインする方法、使用しているデバイスも考慮することをお勧めします。追加の詳細と構成手順については、関連記事を参照してください。Microsoft Entra ID は、Azure Active Directory (Azure AD) の新しい名前です。", + "description": "MFA と CA を有効にすると、ユーザーに AVD 環境へのアクセス権を付与する前にリスクを管理できます。アクセス権を付与するユーザーを決定する際には、ユーザーが誰であるか、どのようにサインインするか、どのデバイスを使用しているかも考慮することをお勧めします。詳細と構成手順については、関連記事を参照してください。Microsoft Entra ID は、Azure Active Directory (Azure AD) の新しい名前です。", "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", + "id": "G04.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", "severity": "中程度", - "subcategory": "マイクロソフト エントラ ID", - "text": "AVD ユーザーの多要素認証(MFA)と条件付きアクセス(CA)の使用を評価する" + "subcategory": "Microsoft Entra ID", + "text": "AVD ユーザーの Multi-Factor Authentication(MFA)と条件付きアクセス(CA)の使用状況を評価する", + "waf": "安全" }, { "category": "安全", - "description": "ゼロ トラストが要件の場合は、[詳細情報] 列の関連記事を確認してください。ゼロ トラストの原則を Azure 仮想デスクトップのデプロイに適用する手順について説明します。", + "description": "ゼロ トラストが要件である場合は、「詳細情報」列の関連記事を確認してください。ゼロ トラストの原則を Azure Virtual Desktop のデプロイに適用する手順について説明します。", "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", + "id": "G05.01", "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd", "severity": "中程度", "subcategory": "ゼロトラスト", - "text": "ゼロ トラストの原則とガイダンスを確認して適用する" + "text": "ゼロトラストの原則とガイダンスを確認して適用する", + "waf": "安全" }, { "category": "貯蔵", - "description": "使用する場合は、参照記事で説明されているベスト プラクティスと推奨事項の一覧を確認してください。", + "description": "使用する場合は、参照されている記事で説明されているベスト プラクティスと推奨事項の一覧を必ず確認してください。", "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", + "id": "H01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", "severity": "中程度", - "subcategory": "アズールファイル", - "text": "Azure ファイルのベスト プラクティスを確認する" + "subcategory": "Azure ファイル", + "text": "Azure Files のベスト プラクティスを確認する", + "waf": "パフォーマンス" }, { "category": "貯蔵", - "description": "SMB 
マルチチャネルを使用すると、クライアントは複数のネットワーク接続を使用して、所有コストを削減しながらパフォーマンスを向上させることができます。パフォーマンスの向上は、複数の NIC に帯域幅を集約し、NIC の受信側スケーリング (RSS) サポートを利用して複数の CPU に IO 負荷を分散することで実現されます。", + "description": "SMB マルチチャネルを使用すると、クライアントは複数のネットワーク接続を使用して、所有コストを削減しながらパフォーマンスを向上させることができます。パフォーマンスの向上は、複数の NIC で帯域幅を集約し、NIC の Receive Side Scaling (RSS) サポートを利用して IO 負荷を複数の CPU に分散することで実現されます。", "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", + "id": "H01.02", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", "severity": "低い", - "subcategory": "アズールファイル", - "text": "Premium ファイル共有を使用して FSLogix プロファイル コンテナーをホストする場合は、SMB マルチチャネルを有効にします。" + "subcategory": "Azure ファイル", + "text": "Premium ファイル共有を使用して FSLogix プロファイル コンテナーをホストする場合は、SMB マルチチャネルを有効にします。", + "waf": "パフォーマンス" }, { "category": "貯蔵", - "description": "DRの目的で2番目のリージョンが必要な場合は、そこでもネットアップの可用性を確認します。", + "description": "DR の目的で 2 つ目のリージョンが必要な場合は、そこでもネットアップの可用性を確認します。", "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", + "id": "H02.01", "link": "https://azure.microsoft.com/global-infrastructure/services/", "severity": "中程度", "subcategory": "Azure NetApp Files", - "text": "NetApp Files ストレージが必要な場合は、特定のリージョンのストレージサービスの可用性を確認してください。" + "text": "NetApp Files ストレージが必要な場合は、特定のリージョンでストレージ サービスの可用性を確認してください。", + "waf": "確実" }, { "category": "貯蔵", - "description": "CA オプションは、セッションホストとネットアップファイル間のより回復力のある SMB セッションを可能にするため、FSLogix シナリオで推奨される設定です。", + "description": "CA オプションは、セッション ホストとネットアップ ファイル間の回復性を高める SMB セッションを可能にするため、FSLogix シナリオで推奨される設定です。", "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", + "id": "H02.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", "severity": "中程度", "subcategory": "Azure NetApp Files", - "text": "NetApp Files ストレージを使用している場合は、 CA (継続的可用性)オプションを有効にして復元力を高めます" + "text": "NetApp Files ストレージを使用する場合は、 CA (継続的可用性)オプションを有効にして耐障害性を高めます", + "waf": "確実" }, { "category": "貯蔵", - "description": "Azure NetApp Files (ANF) サブネットが作成される Azure 仮想ネットワーク環境用に 
Active Directory サイトを作成し、リファレンス記事で説明されているように、参加手順を実行するときにそのサイト名を ANF 接続プロパティで指定する必要があります。", + "description": "Azure NetApp Files (ANF) サブネットが作成される Azure 仮想ネットワーク環境に対して Active Directory サイトを作成し、リファレンス記事で説明されているように、参加手順を実行するときにそのサイト名を ANF 接続プロパティで指定する必要があります。", "guid": "6647e977-db49-48a8-bc35-743f17499d42", + "id": "H02.03", "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", "severity": "高い", "subcategory": "Azure NetApp Files", - "text": "Azure NetApp Files ストレージを使用している場合は、アクティブディレクトリ接続構成の Active Directory サイト名の設定を確認してください" + "text": "Azure NetApp Files ストレージを使用している場合は、Active Directory 接続構成の Active Directory サイト名の設定を確認します", + "waf": "確実" }, { "category": "貯蔵", - "description": "可能なオプション:標準HDD、標準SSD、またはプレミアムSSD。エフェメラルディスクはサポートされておらず、ウルトラディスクは推奨されません。ユーザー密度が低くない場合、およびクラウド キャッシュを使用する場合は、OS ディスクの Premium を評価することをお勧めします。", + "description": "使用可能なオプション: Standard HDD、Standard SSD、または Premium SSD。エフェメラル ディスクはサポートされておらず、Ultra ディスクは推奨されません。ユーザー密度が低くなく、Cloud Cache を使用する場合は、Premium for OS ディスクを評価することをお勧めします。", "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", + "id": "H03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", "severity": "中程度", - "subcategory": "キャパシティ プランニング", - "text": "セッション・ホストに使用する管理対象ディスクのタイプを決定する" + "subcategory": "キャパシティプランニング", + "text": "セッション・ホストに使用する管理対象ディスクのタイプを決定する", + "waf": "パフォーマンス" }, { "category": "貯蔵", - "description": "可能なオプションは、Azure NetApp Files、Azure Files、VM ベースのファイル サーバーです。ファイルサーバー推奨されません。通常、Azure Files Premium は出発点として適しています。ネットアップは通常、大規模で高パフォーマンスの環境に必要です。詳細な比較については、「詳細情報」列の記事を参照してください。", + "description": "使用可能なオプションは、Azure NetApp Files、Azure Files、VM ベースのファイル サーバーです。File-server は推奨されません。Azure Files Premium は、通常、出発点として適しています。NetAppは通常、大規模で高パフォーマンスの環境に必要です。詳細な比較については、「詳細情報」列の記事を参照してください。", "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", + "id": "H03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "severity": "高い", - 
"subcategory": "キャパシティ プランニング", - "text": "FSLogix プロファイルに使用するストレージ バックエンド ソリューションを決定する" + "subcategory": "キャパシティプランニング", + "text": "FSLogix プロファイルに使用するストレージ バックエンド ソリューションを決定する", + "waf": "パフォーマンス" }, { "category": "貯蔵", "description": "すべてのホスト プールでは、ストレージ アカウント/ボリューム (少なくとも 1 つ) と共有の個別のセットを使用する必要があります。設定と構成は各ホスト プールに固有であるため、ユーザーはホスト プールごとに異なるプロファイルを持つ必要があります。さらに、異なるホスト プールに同時にアクセスすると、共有ユーザー プロファイル VHD/X でエラーが発生する可能性があります。 複数の共有に対して異なるストレージ アカウント/ボリュームを使用して、個別にスケーリングすることもお勧めします。", "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", + "id": "H03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "異なるホスト プール間でストレージとプロファイルを共有しない" + "subcategory": "キャパシティプランニング", + "text": "異なるホスト プール間でストレージとプロファイルを共有しない", + "waf": "パフォーマンス" }, { "category": "貯蔵", - "description": "プロファイル コンテナーのストレージ要件を見積もるための開始点として、定常状態ではユーザーあたり 10 IOPS、サインイン/サインアウト時にはユーザーあたり 50 IOPS を想定することをお勧めします。領域要件は、各ホスト プールのユーザーの合計数あたりの FSLogix の最大プロファイル サイズに基づいて取得されます。必要に応じて、同じホスト プールに複数のストレージ アカウントを使用できます。", + "description": "プロファイル コンテナー ストレージのパフォーマンス要件を見積もるための出発点として、定常状態ではユーザーあたり 10 IOPS、サインイン/サインアウト中はユーザーあたり 50 IOPS を想定することをお勧めします。領域要件は、各ホスト プールのユーザーの合計数あたりの FSLogix の最大プロファイル サイズに基づいて簡単に取得されます。必要に応じて、同じホスト プールに複数のストレージ アカウントを使用できます。", "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "id": "H03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "ストレージのスケーラビリティの制限とホスト・プールの要件を確認する" + "subcategory": "キャパシティプランニング", + "text": "ストレージのスケーラビリティの制限とホスト プールの要件を確認する", + "waf": "確実" }, { "category": "貯蔵", - "description": "可能な限り、リージョン間のネットワーク トラフィックに関連する追加の待機時間とコストを発生させないようにします。", + "description": "可能な限り、リージョン間のネットワーク トラフィックに関連する追加の待機時間とコストが発生しないようにします。", "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "id": "H03.05", "link": 
"https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "severity": "高い", - "subcategory": "キャパシティ プランニング", - "text": "最適なパフォーマンスを得るには、ストレージ ソリューションと FSLogix プロファイル コンテナーを同じ Azure リージョンに配置する必要があります。" + "subcategory": "キャパシティプランニング", + "text": "最適なパフォーマンスを得るには、ストレージ ソリューションと FSLogix プロファイル コンテナーを同じ Azure リージョンに配置する必要があります。", + "waf": "パフォーマンス" }, { "category": "貯蔵", - "description": "Azure Virtual Desktop での推奨事項は、以下の「ディザスター リカバリー」セクションで説明されている特定のビジネス継続性とディザスター リカバリー (BCDR) シナリオを計画していない限り、Office コンテナー (ODFC) 分割なしでプロファイル コンテナーを使用することです。https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt", + "description": "Azure Virtual Desktop では、以下の「ディザスター リカバリー」セクションで説明するように、特定のビジネス継続性とディザスター リカバリー (BCDR) シナリオを計画していない限り、Office コンテナー (ODFC) 分割なしでプロファイル コンテナーを使用することをお勧めします。https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt", "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "id": "H04.01", "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "severity": "高い", - "subcategory": "FSLogix", - "text": "オフィスコンテナ(ODFC)は、厳密に必要かつ正当化されない場合は使用しないでください" + "subcategory": "FSLogix (英語)", + "text": "Office コンテナー (ODFC) は、厳密に必要で正当化されない場合は使用しないでください", + "waf": "確実" }, { "category": "貯蔵", - "description": "FSLogix プロファイル コンテナーの仮想ハード ドライブに対して、参照されている記事の [詳細情報] 列に記載されているように、次のウイルス対策の除外を構成してください。", + "description": "FSLogix プロファイル コンテナーの仮想ハード ドライブに対して、次のウイルス対策の除外を構成してください (参照記事の「詳細」列に記載されているように)。", "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "id": "H04.02", "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "severity": "中程度", - "subcategory": "FSLogix", - "text": "FSLogix の推奨されるウイルス対策除外を構成します (接続時に VHD(x) ファイルをスキャンしないことを含む)。" + "subcategory": "FSLogix (英語)", + "text": "FSLogix の推奨されるウイルス対策の除外を構成します (接続時に VHD(x) ファイルをスキャンしないことを含む)。", + "waf": "安全" }, { "category": "貯蔵", - "description": 
"プロファイルコンテナのデフォルトの最大サイズは30GBです。大きなプロファイル コンテナーが予想され、お客様がそれらを小さく保とうとする場合は、OneDrive を使用して FSLogix プロファイルの外部で Office 365 ファイルをホストすることを検討してください。", + "description": "プロファイル コンテナーの既定の最大サイズは 30 GB です。大きなプロファイル コンテナーが予想され、お客様がそれらを小さく保つことを試みる場合は、OneDrive を使用して FSLogix プロファイルの外部で Office 365 ファイルをホストすることを検討してください。", "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "id": "H04.03", "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "severity": "高い", - "subcategory": "FSLogix", - "text": "FSLogix で構成された最大プロファイル サイズを確認して確認する" + "subcategory": "FSLogix (英語)", + "text": "FSLogix で構成された最大プロファイル サイズを確認して確認する", + "waf": "費用" }, { "category": "貯蔵", - "description": "既定値と推奨設定は、関連記事の [詳細情報] 列で報告されます。推奨されていないキーや値を使用する必要がある場合は、Microsoft AVD の専門家に確認し、選択内容を明確に文書化してください。", + "description": "既定値と推奨設定については、関連記事の「詳細情報」列に記載されています。推奨されないキーや値を使用する必要がある場合は、必ず Microsoft AVD のエキスパートに確認し、選択内容を明確に文書化してください。", "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "id": "H04.04", "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "severity": "高い", - "subcategory": "FSLogix", - "text": "FSLogix レジストリ キーを確認し、適用するレジストリ キーを決定する" + "subcategory": "FSLogix (英語)", + "text": "FSLogix レジストリ キーを確認し、適用するレジストリ キーを決定します", + "waf": "確実" }, { "category": "貯蔵", - "description": "同時接続または複数接続は、Azure 仮想デスクトップでは推奨されません。同時接続は、Azure 仮想デスクトップ ホスト プールで実行されているセッション ホストでもサポートされません。OneDrive を使用する場合、どのような状況でも、同じコンテナーを使用する同時接続または複数の接続はサポートされません。複数の接続の場合、同じプロファイル ディスクの使用はお勧めしません。", + "description": "同時接続または複数接続は、Azure Virtual Desktop では推奨されません。同時接続は、Azure Virtual Desktop ホスト プールで実行されているセッション ホストでもサポートされません。OneDrive を使用する場合、どのような状況でも、同じコンテナーを使用した同時接続または複数接続はサポートされません。複数の接続の場合、同じプロファイル ディスクの使用はお勧めしません。", "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "id": "H04.05", "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "severity": "高い", - "subcategory": "FSLogix", - "text": "同時接続または複数の接続の使用を避ける" + "subcategory": "FSLogix (英語)", + "text": 
"同時接続または複数接続の使用を避ける", + "waf": "確実" }, { "category": "貯蔵", - "description": "クラウドキャッシュはOSドライブをローカルキャッシュストレージとして使用し、VMディスクに大きな負荷をかける可能性があります。使用する VM SKU とサイズによっては、VM 一時ドライブが、Cloud Cache のキャッシュされたコンテンツを再配置する実行可能でパフォーマンスの高いソリューションになる可能性があります。このソリューションを採用する前に、テストを実行してパフォーマンスと安定性を確認する必要があります。クラウドキャッシュの詳細については、こちらをご覧ください:https://learn.microsoft.com/en-us/fslogix/concepts-fslogix-cloud-cache。", + "description": "Cloud Cache は OS ドライブをローカル キャッシュ ストレージとして使用し、VM ディスクに大きな負荷をかける可能性があります。使用する VM SKU とサイズによっては、VM 一時ドライブが Cloud Cache のキャッシュ コンテンツを再配置する実行可能でパフォーマンスの高いソリューションになる場合があります。このソリューションを採用する前に、テストを実行してパフォーマンスと安定性を確認する必要があります。Cloud Cache の詳細については、https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache を参照してください。", "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "id": "H04.06", "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "severity": "低い", - "subcategory": "FSLogix", - "text": "FSLogix クラウド キャッシュを使用する場合は、キャッシュ ディレクトリを VM の一時ドライブに移動することを検討してください。" + "subcategory": "FSLogix (英語)", + "text": "FSLogix Cloud Cache を使用する場合は、キャッシュ ディレクトリを VM の一時ドライブに移動することを検討してください。", + "waf": "パフォーマンス" }, { "category": "貯蔵", - "description": "REDIRECTION.XMLファイルは、プロファイルコンテナから「C:」ドライブにリダイレクトされるフォルダを制御するために使用されます。除外は例外であるべきであり、除外を構成するユーザーが特定の除外を完全に理解しない限り、決して使用しないでください。除外は、実装が意図されている環境で常に完全にテストする必要があります。除外を構成すると、機能、安定性、パフォーマンスに影響を与える可能性があります。", + "description": "リダイレクト.XMLファイルは、プロファイルコンテナから「C:」ドライブにリダイレクトされるフォルダを制御するために使用されます。除外は例外であるべきであり、除外を構成するユーザーが特定の除外を完全に理解しない限り、決して使用しないでください。除外は、実装する予定の環境で常に完全にテストする必要があります。除外を設定すると、機能、安定性、パフォーマンスに影響を与える可能性があります。", "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", + "id": "H04.07", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", "severity": "中程度", - "subcategory": "FSLogix", - "text": "FSLogix リダイレクトの使用法を確認します。" + "subcategory": "FSLogix (英語)", + "text": "FSLogix リダイレクトの使用状況を確認します。", + "waf": "費用" } ], "metadata": { "name": "Azure Virtual Desktop Review", "state": "GA", - 
"timestamp": "July 14, 2023" + "timestamp": "November 09, 2023" }, "severities": [ { @@ -1216,24 +1475,49 @@ ], "status": [ { - "description": "このチェックはまだ確認されていません", + "description": "このチェックはまだ検討されていません", "name": "未確認" }, { - "description": "このチェックに関連付けられているアクションアイテムがあります", + "description": "このチェックにはアクションアイテムが関連付けられています", "name": "開ける" }, { - "description": "このチェックは検証済みであり、それ以上のアクションアイテムは関連付けられていません", + "description": "このチェックは検証済みで、これ以上のアクションアイテムは関連付けられていません", "name": "達成" }, { - "description": "推奨事項は理解されていますが、現在の要件では必要ありません", - "name": "必須ではありません" + "description": "推奨事項は理解されているが、現在の要件では不要", + "name": "必要なし" }, { - "description": "現在のデザインには適用できません", + "description": "現在のデザインには適用されません", "name": "該当なし" } + ], + "waf": [ + { + "name": "確実" + }, + { + "name": "安全" + }, + { + "name": "費用" + }, + { + "name": "オペレーションズ" + }, + { + "name": "パフォーマンス" + } + ], + "yesno": [ + { + "name": "はい" + }, + { + "name": "いいえ" + } ] } \ No newline at end of file diff --git a/checklists/avd_checklist.ko.json b/checklists/avd_checklist.ko.json index 7f17dfaf3..17a3d2adf 100644 --- a/checklists/avd_checklist.ko.json +++ b/checklists/avd_checklist.ko.json @@ -1,5 +1,4 @@ { - "$schema": "checklist.schema.json", "categories": [ { "name": "토대" 
@@ -29,1179 +28,1439 @@ "items": [ { "category": "비즈니스 연속성 및 재해 복구", - "description": "AVD 컨트롤 플레인은 재정적으로 지원되는 서비스수준계약을 제공하지 않습니다. Microsoft는 Azure Virtual Desktop 서비스 URL에 대해 최소 99.9%의 가용성을 달성하기 위해 노력하고 있습니다. 구독에서 세션 호스트 가상 머신의 가용성은 Virtual Machines SLA의 적용을 받습니다. 종속 리소스/서비스 및 인프라 가용성도 글로벌 고가용성 요구 사항을 적절하게 충족하기 위해 고려해야 합니다.", + "description": "AVD 컨트롤 플레인은 재정적으로 지원되는 서비스 수준 계약을 제공하지 않습니다. Microsoft는 Azure Virtual Desktop 서비스 URL에 대해 99.9% 이상의 가용성을 달성하기 위해 노력하고 있습니다. 구독에서 세션 호스트 가상 머신의 가용성은 Virtual Machines SLA에 포함됩니다. 종속 리소스/서비스 및 인프라 가용성도 글로벌 고가용성 요구 사항을 적절하게 충족하기 위해 고려해야 합니다.", "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1", + "id": "A01.01", "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", "severity": "높다", "subcategory": "계산", - "text": "AVD를 통해 게시된 애플리케이션/데스크톱에 대해 예상되는 고가용성 SLA 결정" + "text": "AVD를 통해 게시된 애플리케이션/데스크톱에 대해 예상되는 고가용성 SLA 확인", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "'활성-활성' 모델은 서로 다른 지역의 여러 호스트 풀을 사용하여 달성할 수 있습니다. 다른 지역의 VM이 있는 단일 호스트 풀은 권장되지 않습니다. 동일한 사용자에 대해 여러 풀을 사용하는 경우 사용자 프로필을 동기화/복제하는 방법에 대한 문제를 해결해야 합니다. FSLogix Cloud Cache를 사용할 수 있지만 신중하게 검토하고 계획해야 하거나 고객이 동기화/복제를 전혀 수행하지 않기로 결정할 수 있습니다. '활성-패시브'는 자동화된 메커니즘이 있는 ASR(Azure Site Recovery) 또는 주문형 풀 배포를 사용하여 달성할 수 있습니다. 다중 지역 BCDR에 대한 자세한 내용은 '추가 정보' 열의 동반 문서와 이 FSLogix 관련 페이지(https://learn.microsoft.com/en-us/fslogix/concepts-container-recovery-business-continuity)를 참조하세요.", + "description": "'액티브-액티브' 모델은 서로 다른 지역의 여러 호스트 풀을 사용하여 달성할 수 있습니다. 다른 지역의 VM이 있는 단일 호스트 풀은 권장되지 않습니다. 동일한 사용자에 대해 여러 풀을 사용하는 경우 사용자 프로필을 동기화/복제하는 방법의 문제를 해결해야 합니다. FSLogix Cloud Cache를 사용할 수 있지만 신중하게 검토하고 계획해야 하거나 고객이 동기화/복제를 전혀 수행하지 않도록 결정할 수 있습니다. '액티브-패시브'는 ASR(Azure Site Recovery) 또는 자동화된 메커니즘이 있는 주문형 풀 배포를 사용하여 달성할 수 있습니다. 
다중 지역 BCDR에 대한 자세한 내용은 '추가 정보' 열의 도우미 문서와 FSLogix 관련 페이지(https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity)를 참조하세요.", "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", + "id": "A01.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", "severity": "보통", "subcategory": "계산", - "text": "AVD 호스트 풀에 대한 지역 재해 복구 요구사항 평가" + "text": "AVD 호스트 풀에 대한 지역 재해 복구 요구 사항 평가", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "Azure Virtual Desktop BCDR 계획 및 디자인에 접근하기 전에 먼저 AVD를 통해 사용되는 애플리케이션이 중요한지 고려하는 것이 중요합니다. 중요하지 않은 앱과 분리하고 다른 재해 복구 접근 방식 및 기능을 가진 별도의 호스트 풀을 사용할 수 있습니다.", + "description": "Azure Virtual Desktop BCDR 계획 및 디자인에 접근하기 전에 처음에 AVD를 통해 사용되는 애플리케이션이 중요한지 고려하는 것이 중요합니다. 중요하지 않은 앱과 분리하고 다른 재해 복구 접근 방식 및 기능을 가진 별도의 호스트 풀을 사용할 수 있습니다.", "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", + "id": "A01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "낮다", "subcategory": "계산", - "text": "서로 다른 AVD 호스트 풀에서 중요한 애플리케이션 분리" + "text": "서로 다른 AVD 호스트 풀에서 중요한 애플리케이션 분리", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "각 호스트 풀은 AZ(가용 영역) 또는 AS(가용성 집합)를 사용하여 배포할 수 있습니다. 복원력을 최대화하려면 AZ를 사용하는 것이 좋습니다. 호스트 풀을 만들 때 호스트 풀 세션 호스트를 사용 가능한 모든 AZ에 분산하도록 결정할 수 있습니다. AS를 사용하면 단일 데이터 센터 오류로부터 보호되지 않으므로 AZ를 사용할 수 없는 지역에서만 사용해야 합니다. AZ 및 AVD에 대한 자세한 내용은 동반 문서를 참조하세요. AZ와 AS를 비교하려면 https://learn.microsoft.com/en-us/azure/virtual-machines/availability 에서 확인할 수 있습니다.", + "description": "각 호스트 풀은 AZ(가용성 영역) 또는 AS(가용성 집합)를 사용하여 배포할 수 있습니다. 복원력을 최대화하려면 AZ를 사용하는 것이 좋으며, 호스트 풀을 만들 때 사용 가능한 모든 AZ에 호스트 풀 세션 호스트를 분산하도록 결정할 수 있습니다. AS를 사용하면 단일 데이터 센터 오류로부터 보호되지 않으므로 AZ를 사용할 수 없는 지역에서만 사용해야 합니다. AZ 및 AVD에 대한 자세한 내용은 동반 도움말을 참조하세요. 
AZ와 AS의 비교는 여기에서 읽을 수 있습니다 : https://learn.microsoft.com/azure/virtual-machines/availability.", "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", + "id": "A01.04", "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", "severity": "높다", "subcategory": "계산", - "text": "AVD 호스트 풀 구축을 위한 최상의 복원력 옵션 계획" + "text": "AVD 호스트 풀 배포를 위한 최상의 복원력 옵션 계획", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "Azure Backup을 사용하여 호스트 풀 VM을 보호할 수 있습니다. 풀링된 풀의 경우 상태 비저장이어야 하므로 필요하지 않습니다. 대신 개인 호스트 풀에 대해 이 옵션을 고려할 수 있습니다.", + "description": "Azure Backup을 사용하여 호스트 풀 VM을 보호할 수 있습니다. 풀링된 풀의 경우 상태 비저장이어야 하므로 이 작업이 필요하지 않습니다. 대신 개인 호스트 풀에 대해 이 옵션을 고려할 수 있습니다.", "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", + "id": "A01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "보통", "subcategory": "계산", - "text": "AVD 세션 호스트 VM을 백업하기 위한 요구 사항 평가" + "text": "AVD 세션 호스트 VM 백업에 대한 요구 사항 평가", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "개인 풀의 경우에도 가능한 경우 가용 영역을 사용하는 것이 좋습니다. 세 가지 가능한 지역 내 DR 전략이 가능하며, 비용, RTO/RPO 및 전체 VM OS 디스크를 저장해야 하는 경우 (1) 특정 영역(AZ)에 각 세션 호스트를 만든 다음, ASR(Azure Site Recovery)을 사용하여 다른 영역에 복제하는 데 가장 적합한 전략을 선택하는 것이 좋습니다. (2) Azure Backup을 사용하여 다른 AZ에서 특정 세션 호스트를 백업 및 복원합니다. (3) 다른 AZ에 새 세션 호스트를 만들고 FSLogix 및/또는 OneDrive를 사용하여 새 컴퓨터에서 데이터 및 설정을 사용할 수 있도록 합니다. 모든 옵션은 호스트 풀 수준에서 DR 및 직접 사용자 할당을 위해 관리자 개입이 필요하며, 그런 다음 미리 계획하고 구성해야 합니다.", + "description": "개인 풀의 경우에도 사용 가능한 경우 가용 영역을 사용하는 것이 좋습니다. 세 가지 가능한 지역 내 DR 전략이 가능하며, 비용, RTO/RPO 및 전체 VM OS 디스크를 저장해야 하는 경우에 따라 가장 적합한 전략을 선택하는 것이 좋습니다. (1) 특정 영역(AZ)에 각 세션 호스트를 만든 다음, ASR(Azure Site Recovery)을 사용하여 다른 영역에 복제합니다. (2) Azure Backup을 사용하여 다른 AZ에서 특정 세션 호스트를 백업 및 복원합니다. (3) 다른 AZ에 새 세션 호스트를 만들고 FSLogix 및/또는 OneDrive를 사용하여 새 컴퓨터에서 데이터 및 설정을 사용할 수 있도록 합니다. 
모든 옵션은 DR에 대한 관리자 개입이 필요하고 호스트 풀 수준에서 직접 사용자 할당이 필요하며, 그런 다음 미리 계획하고 구성해야 합니다.", "guid": "5da58639-ca3a-4961-890b-29663c5e10d", + "id": "A01.06", "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", "severity": "보통", "subcategory": "계산", - "text": "개인 호스트 풀 세션 호스트에 대한 로컬 DR 전략 준비" + "text": "개인 호스트 풀 세션 호스트에 대한 로컬 DR 전략 준비", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "커스텀 이미지를 사용하여 AVD 호스트 풀 VM을 구축하는 경우 AVD가 구축된 모든 리전에서 해당 아티팩트를 사용할 수 있도록 하는 것이 중요합니다. Azure Compute Gallery 서비스를 사용하여 호스트 풀이 배포된 모든 지역에서 중복 스토리지 및 여러 복사본으로 이미지를 복제할 수 있습니다. Azure Compute Gallery 서비스는 전역 리소스가 아닙니다. 재해 복구 시나리오의 경우 가장 좋은 방법은 서로 다른 지역에 두 개 이상의 갤러리가 있는 것입니다.", + "description": "커스텀 이미지를 사용하여 AVD 호스트 풀 VM을 배포하는 경우 AVD가 배포된 모든 리전에서 해당 아티팩트를 사용할 수 있는지 확인하는 것이 중요합니다. Azure Compute Gallery 서비스를 사용하여 호스트 풀이 배포된 모든 지역에서 중복 스토리지 및 여러 복사본으로 이미지를 복제할 수 있습니다. Azure Compute Gallery 서비스는 전역 리소스가 아닙니다. 재해 복구 시나리오의 경우 가장 좋은 방법은 서로 다른 지역에 두 개 이상의 갤러리를 두는 것입니다.", "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", + "id": "A02.01", "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", "severity": "낮다", "subcategory": "종속성", - "text": "Golden Image 지역 간 가용성 계획" + "text": "Golden Image 지역 간 가용성 계획", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "AVD 인프라 사용자가 온프레미스 리소스 액세스가 필요한 경우 연결에 필요한 네트워크 인프라의 고가용성도 중요하므로 고려해야 합니다. 인증 인프라의 복원력을 평가하고 평가해야 합니다. 종속 응용 프로그램 및 기타 리소스에 대한 BCDR 측면은 보조 DR 위치에서 가용성을 보장하기 위해 고려해야 합니다.", + "description": "AVD 인프라 사용자에게 온프레미스 리소스 액세스가 필요한 경우 연결에 필요한 네트워크 인프라의 고가용성도 중요하므로 고려해야 합니다. 인증 인프라의 복원력을 평가하고 평가해야 합니다. 
종속 애플리케이션 및 기타 리소스에 대한 BCDR 측면은 보조 DR 위치의 가용성을 보장하기 위해 고려해야 합니다.", "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", + "id": "A02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "보통", "subcategory": "종속성", - "text": "인프라 및 응용 프로그램 종속성 평가Assess Infrastructure & Application dependencies " + "text": "인프라 및 응용 프로그램 종속성 평가 ", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "FSLogix 사용자 프로필 내의 모든 데이터가 재해로부터 보호받을 자격이 있는 것은 아닙니다. 또한 OneDrive 또는 파일 서버/공유와 같은 외부 스토리지를 사용하는 경우 FSLogix 프로필에 남아 있는 항목은 최소이며 일부 극단적인 상황에서 손실될 수 있습니다. 다른 경우에는 프로필 내의 데이터를 다른 저장소(예: 캐시된 모드의 Outlook 받은 편지함)에서 다시 작성할 수 있습니다.", + "description": "FSLogix 사용자 프로필 내의 모든 데이터가 재해로부터 보호되어야 하는 것은 아닙니다. 또한 외부 스토리지(예: OneDrive 또는 파일 서버/공유)를 사용하는 경우 FSLogix 프로필에 남아 있는 항목은 최소한이며 일부 극단적인 상황에서 손실될 수 있습니다. 다른 경우에는 프로필 내의 데이터를 다른 저장소(예: 캐시된 모드의 Outlook 받은 편지함)에서 다시 작성할 수 있습니다.", "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", + "id": "A03.01", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", "severity": "보통", "subcategory": "보관", - "text": "프로필 및 Office 컨테이너에서 보호해야 하는 데이터 평가" + "text": "프로필 및 Office 컨테이너에서 보호해야 하는 데이터 평가", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", "description": "중요한 사용자 데이터에 대한 데이터 손실을 방지하는 것이 중요하며, 첫 번째 단계는 저장하고 보호해야 하는 데이터를 평가하는 것입니다. OneDrive 또는 기타 외부 저장소를 사용하는 경우 사용자 프로필 및/또는 Office 컨테이너 데이터를 저장할 필요가 없을 수 있습니다. 중요한 사용자 데이터를 보호하기 위해 적절한 메커니즘을 고려해야 합니다. Azure Backup 서비스는 Azure Files 표준 및 프리미엄 계층에 저장될 때 프로필 및 Office 컨테이너 데이터를 보호하는 데 사용할 수 있습니다. 
Azure NetApp Files 스냅샷 및 정책은 Azure NetApp Files(모든 계층)에 사용할 수 있습니다.", "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", + "id": "A03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "보통", "subcategory": "보관", - "text": "프로필 및 Office 컨테이너에 대한 백업 보호 전략 구축" + "text": "프로필 및 Office 컨테이너에 대한 백업 보호 전략 구축", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "AVD에서는 FSLogix 컨테이너에 있는 사용자 데이터에 대해 여러 복제 메커니즘 및 전략을 사용할 수 있습니다. [프로필 패턴 #1]: 네이티브 Azure Storage 복제 메커니즘(예: Azure Files 표준 GRS 복제, Azure NetApp Files 지역 간 복제)입니다. Azure Files에는 ZRS(영역 복제 스토리지) 또는 GRS(지역 복제 스토리지)를 사용하는 것이 좋습니다. 영역/지역 보호가 필요하지 않은 경우 로컬 전용 복원력이 있는 LRS를 사용할 수 있습니다. 참고: Azure Files 공유 표준은 LRS/ZRS/GRS이지만 100TB의 대규모 지원을 사용하도록 설정하면 LRS/ZRS만 지원됩니다. [프로필 패턴 #2]: FSLogix Cloud Cache는 서로 다른(최대 4개) 스토리지 계정 간에 컨테이너를 복제하는 자동 메커니즘으로 빌드됩니다. 클라우드 캐시는 다음과 같은 경우에만 사용해야 합니다.(1) 사용자 프로필 또는 Office 컨테이너 데이터 가용성이 필요하고, 고가용성 SLA가 중요하며, 지역 오류에 대한 복원력이 있어야 합니다. (2) 선택한 스토리지 옵션이 BCDR 요구 사항을 충족할 수 없습니다. 예를 들어 Azure 파일 공유 프리미엄 계층 또는 대용량 파일 지원이 포함된 Azure 파일 공유 표준을 사용하도록 설정하면 GRS를 사용할 수 없습니다. (3) 서로 다른 스토리지 간의 복제가 필요한 경우. [프로필 패턴 #3]: 사용자 데이터/프로필 컨테이너가 아닌 애플리케이션 데이터에 대해서만 지역 재해 복구를 설정: 중요한 애플리케이션 데이터를 OneDrive 또는 자체 기본 제공 DR 메커니즘이 있는 기타 외부 스토리지와 같은 별도의 스토리지에 저장합니다.", + "description": "AVD에서는 FSLogix 컨테이너에 있는 사용자 데이터에 여러 복제 메커니즘 및 전략을 사용할 수 있습니다. [프로필 패턴 #1]: 네이티브 Azure Storage 복제 메커니즘(예: Azure Files 표준 GRS 복제, Azure NetApp Files 지역 간 복제)입니다. Azure Files에 ZRS(영역 복제 스토리지) 또는 GRS(지역 복제 스토리지)를 사용하는 것이 좋습니다. 영역/지역 보호가 필요하지 않은 경우 로컬 전용 복원력이 있는 LRS를 사용할 수 있습니다. 참고: Azure Files 공유 표준은 LRS/ZRS/GRS이지만 100TB 대규모 지원을 사용하도록 설정하면 LRS/ZRS만 지원됩니다. [프로필 패턴 #2]: FSLogix Cloud Cache는 서로 다른(최대 4개) 스토리지 계정 간에 컨테이너를 복제하는 자동 메커니즘으로 기본 제공됩니다. 클라우드 캐시는 다음과 같은 경우에만 사용해야 합니다.(1) 사용자 프로필 또는 Office 컨테이너 데이터 가용성 필요 고가용성 SLA는 중요하며 지역 오류에 대한 복원력이 있어야 합니다. (2) 선택한 스토리지 옵션이 BCDR 요구 사항을 충족할 수 없습니다. 예를 들어 Azure 파일 공유 프리미엄 계층 또는 대용량 파일 지원을 사용하도록 설정된 Azure 파일 공유 표준에서는 GRS를 사용할 수 없습니다. 
(3) 서로 다른 스토리지 간의 복제가 필요한 경우. [프로필 패턴 #3]: 사용자 데이터/프로필 컨테이너가 아닌 애플리케이션 데이터에 대해서만 지리적 재해 복구 설정: 중요한 애플리케이션 데이터를 OneDrive 또는 자체 기본 제공 DR 메커니즘이 있는 기타 외부 저장소와 같은 별도의 저장소에 저장합니다.", "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", + "id": "A03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "보통", "subcategory": "보관", - "text": "BCDR 용도에 대한 프로필 컨테이너 저장소 복제 요구 사항 및 복원력 평가" + "text": "BCDR 목적을 위한 프로필 컨테이너 스토리지 복제 요구 사항 및 복원력 평가", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "로컬 재해 복구의 경우 Azure Files용 Azure Backup을 사용할 수 있습니다. 지역 간 지역 재해 복구의 경우: Azure Files용 GRS는 표준 SKU에서만 사용할 수 있으며 대규모 공유 지원은 없으므로 대부분의 고객 시나리오에 적합하지 않습니다. Azure 파일 공유 프리미엄에 지역 복제가 필요한 경우 FSLogix Cloud Cache를 사용한 복제를 평가하거나 '지역 내' AZ(가용성 영역) 전용 복원력을 고려해야 합니다.", + "description": "로컬 재해 복구의 경우 Azure Files용 Azure Backup을 사용할 수 있습니다. 지역 간 지역 재해 복구의 경우: Azure Files용 GRS는 표준 SKU에서만 사용할 수 있으며 대규모 공유 지원은 없으므로 대부분의 고객 시나리오에는 적합하지 않습니다. Azure 파일 공유 프리미엄에서 지역 복제가 필요한 경우 FSLogix Cloud Cache를 사용한 복제를 평가하거나 '지역 내' AZ(가용성 영역) 복원력만 고려해야 합니다.", "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", + "id": "A03.04", "link": "https://docs.microsoft.com/azure/backup/backup-afs", "severity": "보통", "subcategory": "보관", - "text": "Azure Files 재해 복구 전략 검토" + "text": "Azure Files 재해 복구 전략 검토", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "영역 중복 스토리지는 사용자 프로필 데이터에 대한 지역 내 복원력을 최대화합니다. ZRS는 'FileStorage' 스토리지 계정 종류를 통해 프리미엄 파일 공유에 대해 지원됩니다. ZRS는 표준 범용 v2 스토리지 계정에서 지원됩니다. 영역 중복 저장소의 사용은 각 호스트 풀에 있는 세션 호스트의 영역 중복 배포와 쌍을 이루어야 합니다. ", + "description": "영역 중복 스토리지는 사용자 프로필 데이터에 대한 지역 내 복원력을 최대화합니다. ZRS는 'FileStorage' 스토리지 계정 종류를 통해 프리미엄 파일 공유에 대해 지원됩니다. ZRS는 표준 범용 v2 스토리지 계정에서 지원됩니다. 영역 중복 저장소의 사용은 각 호스트 풀에서 세션 호스트의 영역 중복 배포와 쌍을 이루어야 합니다. 
", "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", + "id": "A03.05", "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "severity": "높다", "subcategory": "보관", - "text": "Azure Files용 ZRS(영역 중복 스토리지)를 사용하여 복원력 최대화" + "text": "Azure Files용 ZRS(영역 중복 스토리지)를 사용하여 복원력 최대화", + "waf": "신뢰도" }, { "category": "비즈니스 연속성 및 재해 복구", - "description": "로컬 재해 복구의 경우 ANF(Azure NetApp Files) 네이티브 백업을 사용할 수 있습니다. ANF는 기본적으로 로컬 중복이며, 지역 간 지역 재해 복구의 경우 CRR(지역 간 복제) https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-create-peering 인 추가 메커니즘을 사용해야 합니다. 현재 ANF는 서로 다른 가용 영역(AZ) 간에 복제나 중복성을 제공하지 않으며, ANF 볼륨을 배치할 단일 AZ를 선택할 수 있는 가능성만 https://learn.microsoft.com/en-us/azure/azure-netapp-files/manage-availability-zone-volume-placement.", + "description": "로컬 재해 복구의 경우 ANF(Azure NetApp Files) 네이티브 백업을 사용할 수 있습니다. ANF는 기본적으로 로컬로 중복되며, 지역 간 지역 재해 복구의 경우 CRR(지역 간 복제) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering 인 추가 메커니즘을 사용해야 합니다. 
현재 ANF는 서로 다른 AZ(가용 영역)에서 복제 또는 중복성을 제공하지 않으며, ANF 볼륨을 배치할 단일 AZ를 선택할 수 있는 가능성만 https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", "guid": "23429db7-2281-4376-85cc-57b4a4b18142", + "id": "A03.06", "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "severity": "보통", "subcategory": "보관", - "text": "Azure NetApp Files 재해 복구 전략을 검토합니다" + "text": "Azure NetApp Files 재해 복구 전략 검토", + "waf": "신뢰도" }, { "category": "계산", - "description": "애플리케이션은 골든 이미지에 사전 설치되거나, MSIX 및 AppAttach 기능을 사용하여 연결되거나, 기존 소프트웨어 배포 방법을 사용하여 호스트 풀 배포 후 세션 호스트에 배포될 수 있습니다.", + "description": "애플리케이션은 골든 이미지에 미리 설치하거나, MSIX 및 AppAttach 기능을 사용하여 연결하거나, 기존 소프트웨어 배포 방법을 사용하여 호스트 풀 배포 후 세션 호스트에 배포할 수 있습니다.", "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", + "id": "B01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "높다", - "subcategory": "골든 이미지", - "text": "AVD 호스트 풀에 애플리케이션을 배포하는 방법 결정" + "subcategory": "황금 이미지", + "text": "애플리케이션이 AVD 호스트 풀에 배포되는 방법 결정", + "waf": "작업" }, { "category": "계산", - "description": "서로 다른 OS 버전 및/또는 설정, 분리해야 하고 단일 이미지에 포함할 수 없는 서로 다른 애플리케이션 그룹을 지원하기 위해 여러 골든 이미지가 필요할 수 있습니다.", + "description": "서로 다른 OS 버전 및/또는 설정, 분리해야 하며 단일 이미지에 포함할 수 없는 서로 다른 애플리케이션 그룹을 지원하려면 여러 골든 이미지가 필요할 수 있습니다.", "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", + "id": "B01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "보통", - "subcategory": "골든 이미지", - "text": "필요한 골든 이미지 수를 추정합니다." 
+ "subcategory": "황금 이미지", + "text": "필요한 골든 이미지 수를 예측합니다", + "waf": "작업" }, { "category": "계산", - "description": "각 호스트 풀을 배포하는 데 사용할 게스트 OS 결정: Windows 10 및 Windows Server, Marketplace 및 사용자 지정 이미지", + "description": "각 호스트 풀을 배포하는 데 사용할 게스트 OS 결정: Windows 10 및 Windows Server, 마켓플레이스 및 사용자 지정 이미지", "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", + "id": "B01.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", "severity": "보통", - "subcategory": "골든 이미지", - "text": "호스트 풀 배포에 사용할 OS 이미지 결정" + "subcategory": "황금 이미지", + "text": "호스트 풀 배포에 사용할 OS 이미지 결정", + "waf": "신뢰도" }, { "category": "계산", - "description": "Azure VM 사용자 지정 이미지는 Azure Compute Gallery에서 관리되는 이미지 개체 또는 스토리지의 관리 디스크로 다양한 방법으로 만들고 저장할 수 있습니다. 권장되는 방법은 Azure Compute Gallery를 사용하는 것입니다.", + "description": "Azure VM 사용자 지정 이미지는 Azure Compute Gallery, 관리되는 이미지 개체 또는 스토리지의 관리 디스크와 같은 다양한 방법으로 만들고 저장할 수 있습니다. 권장되는 방법은 Azure Compute Gallery를 사용하는 것입니다.", "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", + "id": "B01.04", "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "severity": "낮다", - "subcategory": "골든 이미지", - "text": "사용자 지정 이미지에 적합한 저장소 선택" + "subcategory": "황금 이미지", + "text": "사용자 지정 이미지에 적합한 저장소 선택", + "waf": "신뢰도" }, { "category": "계산", "description": "사용자 지정 이미지를 사용할 경우 자동화된 빌드 프로세스를 계획합니다. 
기존 소프트웨어 팩터리가 없는 경우 사용자 지정 이미지 템플릿 및/또는 Azure Image Builder를 사용하여 빌드 프로세스를 자동화하는 것이 좋습니다.", "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", + "id": "B01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", "severity": "낮다", - "subcategory": "골든 이미지", - "text": "사용자 지정 이미지에 대한 빌드 프로세스 디자인Design your build process for custom images" + "subcategory": "황금 이미지", + "text": "사용자 지정 이미지에 대한 빌드 프로세스 디자인", + "waf": "작업" }, { "category": "계산", "description": "골든 이미지 사용자 지정에 대한 몇 가지 알려진 모범 사례 및 권장 사항이 있으므로 참조된 문서를 확인하십시오.", "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", + "id": "B01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "보통", - "subcategory": "골든 이미지", - "text": "커스텀 이미지를 사용할 경우 커스텀 이미지를 빌드하는 방법에 대한 AVD의 권장 권장사항을 확인하세요" + "subcategory": "황금 이미지", + "text": "맞춤 이미지를 사용할 경우 맞춤 이미지를 빌드하는 방법에 대한 AVD 권장사항을 확인하세요", + "waf": "작업" }, { "category": "계산", "description": "AVD 세션 호스트에 설치된 FSLogix 스택은 자동 업데이트 기능을 제공하지 않습니다. 이러한 이유로 최신 버전의 FSLogix를 다운로드하고 골든 이미지 업데이트 프로세스에 포함하는 것이 좋습니다.", "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", + "id": "B01.07", "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", "severity": "높다", - "subcategory": "골든 이미지", - "text": "골든 이미지 업데이트 프로세스에 최신 버전의 FSLogix를 포함합니다" + "subcategory": "황금 이미지", + "text": "골든 이미지 업데이트 프로세스에 최신 버전의 FSLogix 포함", + "waf": "신뢰도" }, { "category": "계산", - "description": "이 도구 집합은 백서 'VDI(가상 데스크톱 인프라) 역할에 대한 Windows 10 버전 2004 최적화': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 에서 참조하는 설정을 자동으로 적용하기 위해 만들어졌습니다. 백서에 언급된 도구 및/또는 최적화의 사용을 고려해야 합니다. ", + "description": "이 도구 집합은 백서 'VDI(가상 데스크톱 인프라) 역할에 대한 Windows 10 버전 2004 최적화': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 에 참조된 설정을 자동으로 적용하기 위해 만들어졌습니다. 백서에 언급된 도구 및/또는 최적화의 사용을 고려해야 합니다. 
", "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", + "id": "B01.08", "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "severity": "낮다", - "subcategory": "골든 이미지", - "text": "Virtual-Desktop-Optimization-Tool의 사용량 평가" + "subcategory": "황금 이미지", + "text": "Virtual-Desktop-Optimization-Tool 사용 평가", + "waf": "공연" }, { "category": "계산", - "description": "OneDrive를 사용하고 골든 이미지에 포함된 경우 '추가 정보' 섹션의 동반 문서에 보고된 구성 절차를 따라야 합니다. 이 AVD 검사 목록에는 포함되지 않지만 '알려진 폴더 리디렉션' 및 '주문형 파일'과 같은 OneDrive 최적화를 사용하여 FSLogix 프로필에 사용되는 공간을 줄이고 더 나은 사용자 환경을 제공하는 데 사용해야 합니다. 현재 OneDrive는 원격 앱에 대해 지원되지 않습니다.", + "description": "OneDrive를 사용하고 골든 이미지에 포함된 경우 '추가 정보' 섹션의 첨부 문서에 보고된 구성 절차를 따라야 합니다. 이 AVD 검사 목록의 범위에는 없지만 FSLogix 프로필에 사용되는 공간을 줄이고 더 나은 사용자 환경을 제공하기 위해 '알려진 폴더 리디렉션' 및 '주문형 파일'과 같은 OneDrive 최적화를 평가해야 합니다. 현재 OneDrive는 원격 앱에서 지원되지 않습니다.", "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", + "id": "B01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "severity": "낮다", - "subcategory": "골든 이미지", - "text": "Microsoft OneDrive가 AVD 배포의 일부가 될지 결정" + "subcategory": "황금 이미지", + "text": "Microsoft OneDrive가 AVD 배포의 일부가 될지 확인", + "waf": "작업" }, { "category": "계산", - "description": "'추가 정보' 열의 동반 문서에 포함된 요구 사항 및 구성 절차를 검토해야 합니다. Teams 자동 업데이트가 비활성화되므로 골든 이미지 업데이트 프로세스에 Teams 최신 버전을 확인하고 포함하는 것이 좋습니다.", + "description": "'추가 정보' 열의 동반 문서에 포함된 요구 사항 및 구성 절차를 검토해야 합니다. Teams 자동 업데이트가 비활성화되므로 골든 이미지 업데이트 프로세스에서 Teams 최신 버전을 확인하고 포함하는 것이 좋습니다.", "guid": "b5887953-5d22-4788-9d30-b66c67be5951", + "id": "B01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", "severity": "낮다", - "subcategory": "골든 이미지", - "text": "Microsoft Teams가 AVD 배포의 일부가 될지 확인" + "subcategory": "황금 이미지", + "text": "Microsoft Teams가 AVD 배포의 일부가 될지 확인", + "waf": "공연" }, { "category": "계산", - "description": "AVD는 동일한 호스트 풀에서 언어 및 현지화 요구사항이 다른 사용자를 지원할 수 있습니다. 
사용자가 필요한 언어를 선택할 수 있도록 골든 이미지를 사용자 지정할 수 있습니다. Windows 11 추가 언어 팩을 구성하는 절차는 참조 문서에 설명되어 있습니다.", + "description": "AVD는 동일한 호스트 풀에서 언어 및 지역화 요구 사항이 다른 사용자를 지원할 수 있습니다. 사용자가 필요한 언어를 선택할 수 있도록 골든 이미지를 사용자 지정할 수 있습니다. Windows 11에서 추가 언어 팩을 구성하는 절차는 참조 문서에 설명되어 있습니다.", "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", + "id": "B01.11", "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", "severity": "낮다", - "subcategory": "골든 이미지", - "text": "여러 언어를 지원하기 위한 요구 사항 평가" + "subcategory": "황금 이미지", + "text": "다국어 지원을 위한 요구 사항 평가", + "waf": "신뢰도" }, { "category": "계산", - "description": "별도의 스토리지 계정/공유를 사용하여 MSIX 패키지를 저장하는 것이 좋습니다. 필요한 경우 저장소는 독립적으로 확장할 수 있으며 프로필 I/O 작업의 영향을 받지 않습니다. Azure는 MISX 앱 연결에 사용할 수 있는 여러 스토리지 옵션을 제공합니다. Azure Files 또는 Azure NetApp Files는 비용과 관리 오버헤드 간에 최상의 가치를 제공하므로 이러한 옵션을 사용하는 것이 좋습니다. ", + "description": "별도의 스토리지 계정/공유를 사용하여 MSIX 패키지를 저장하는 것이 좋습니다. 필요한 경우 스토리지는 독립적으로 확장할 수 있으며 프로필 I/O 작업의 영향을 받지 않습니다. Azure는 MISX 앱 연결에 사용할 수 있는 여러 스토리지 옵션을 제공합니다. 이러한 옵션은 비용과 관리 오버헤드 간에 최상의 가치를 제공하므로 Azure Files 또는 Azure NetApp Files를 사용하는 것이 좋습니다. ", "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", + "id": "B02.01", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "보통", - "subcategory": "MSIX & AppAttach", - "text": "FSLogix 프로필과 동일한 스토리지 계정/공유를 사용하지 마세요." 
+ "subcategory": "MSIX 및 AppAttach", + "text": "FSLogix 프로필과 동일한 스토리지 계정/공유를 사용하지 마세요.", + "waf": "공연" }, { "category": "계산", - "description": "참조된 문서에서는 AVD 컨텍스트에서 MSIX 사용에 대한 몇 가지 중요한 성능 고려 사항을 보고했으므로 신중하게 검토해야 합니다.", + "description": "참조된 문서에서는 AVD 컨텍스트에서 MSIX 사용에 대한 몇 가지 중요한 성능 고려 사항을 보고했으며, 신중하게 검토해야 합니다.", "guid": "241addce-5793-477b-adb3-751ab2ac1fad", + "id": "B02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "보통", - "subcategory": "MSIX & AppAttach", - "text": "MSIX에 대한 성능 고려 사항 검토" + "subcategory": "MSIX 및 AppAttach", + "text": "MSIX에 대한 성능 고려 사항 검토", + "waf": "공연" }, { "category": "계산", - "description": "MSIX 앱 연결에는 파일 공유에 액세스하기 위한 읽기 전용 권한이 필요합니다. MSIX 애플리케이션을 Azure Files에 저장하는 경우 세션 호스트에 대해 모든 세션 호스트 VM에 공유에 대한 스토리지 계정 RBAC(역할 기반 액세스 제어) 및 파일 공유 NTFS(New Technology File System) 권한을 모두 할당해야 합니다.", + "description": "MSIX 앱 연결에는 파일 공유에 액세스할 수 있는 읽기 전용 권한이 필요합니다. MSIX 애플리케이션을 Azure Files에 저장하는 경우 세션 호스트의 경우 모든 세션 호스트 VM에 공유에 대한 스토리지 계정 RBAC(역할 기반 액세스 제어) 및 파일 공유 NTFS(신기술 파일 시스템) 권한을 모두 할당해야 합니다.", "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", + "id": "B02.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "보통", - "subcategory": "MSIX & AppAttach", - "text": "MSIX 공유에 대한 적절한 세션 호스트 권한 확인" + "subcategory": "MSIX 및 AppAttach", + "text": "MSIX 공유에 대한 적절한 세션 호스트 권한 확인", + "waf": "안전" }, { "category": "계산", - "description": "타사 소프트웨어 공급업체는 MSIX 패키지를 제공해야 하며, 고객이 애플리케이션 소유자의 적절한 지원 없이 변환 절차를 시도하는 것은 권장되지 않습니다.", + "description": "타사 소프트웨어 공급업체는 MSIX 패키지를 제공해야 하며, 고객이 애플리케이션 소유자의 적절한 지원 없이 변환 절차를 시도하지 않는 것이 좋습니다.", "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", + "id": "B02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "낮다", - "subcategory": "MSIX & AppAttach", - "text": "제3자 애플리케이션용 MSIX 패키지MSIX packages for 3rd-party applications" + "subcategory": "MSIX 및 AppAttach", + "text": "제3자 애플리케이션용 MSIX 패키지", + "waf": "비용" 
}, { "category": "계산", "description": "MSIX 앱 연결은 MSIX 애플리케이션에 대한 자동 업데이트를 지원하지 않으므로 사용하지 않도록 설정해야 합니다.", "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", + "id": "B02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "낮다", - "subcategory": "MSIX & AppAttach", - "text": "MSIX 패키지에 대한 자동 업데이트 사용 안 함" + "subcategory": "MSIX 및 AppAttach", + "text": "MSIX 패키지에 대한 자동 업데이트 사용 안 함", + "waf": "작업" }, { "category": "계산", - "description": "MSIX & 앱 연결을 활용하려면 AVD 호스트 풀의 게스트 OS 이미지가 Windows 10/11 Enterprise 또는 Windows 10/11 Enterprise 다중 세션 버전 2004 이상이어야 합니다.", + "description": "MSIX 및 앱 연결을 활용하려면 AVD 호스트 풀에 대한 게스트 OS 이미지가 Windows 10/11 Enterprise 또는 Windows 10/11 Enterprise 다중 세션 버전 2004 이상이어야 합니다.", "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", + "id": "B02.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "보통", - "subcategory": "MSIX & AppAttach", - "text": "운영 체제 지원 검토" + "subcategory": "MSIX 및 AppAttach", + "text": "운영 체제 지원 검토", + "waf": "신뢰도" }, { "category": "계산", - "description": "호스트 풀 배포에 사용할 VM SKU를 선택한 후에는 더 높은 보안 및 향상된 기능을 위해 Gen2 유형의 SKU를 사용하는 것이 좋습니다.", + "description": "호스트 풀 배포에 사용할 VM SKU를 선택한 후에는 보안 강화 및 기능 향상을 위해 Gen2 유형의 SKU를 사용하는 것이 좋습니다.", "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", + "id": "B03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", "severity": "보통", "subcategory": "세션 호스트", - "text": "호스트 풀 배포를 위한 Gen2 VM의 사용량 평가" + "text": "호스트 풀 배포를 위한 Gen2 VM 사용량 평가", + "waf": "공연" }, { "category": "계산", "description": "MMR은 더 빠른 처리 및 렌더링을 위해 세션 호스트에서 로컬 컴퓨터로 미디어 콘텐츠를 리디렉션합니다. Microsoft Edge 또는 Google Chrome에서 미디어 콘텐츠를 재생할 때만 작동합니다. 자세한 내용은 링크된 URL을 참조하세요.", "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9", + "id": "B03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection", "severity": "낮다", "subcategory": "세션 호스트", - "text": "브라우저에서 더 나은 비디오 성능을 얻으려면 MMR(멀티미디어 리디렉션)을 사용하는 것이 좋습니다." 
+ "text": "MMR(MultiMedia Redirection)을 사용하여 브라우저에서 더 나은 비디오 성능을 얻는 것이 좋습니다.", + "waf": "공연" }, { "category": "토대", - "description": "호스트 풀은 Azure Virtual Desktop에 세션 호스트로 등록하는 Azure 가상 머신의 컬렉션입니다. 호스트 풀은 개인 및 풀의 두 가지 유형 중 하나일 수 있습니다. 어떤 유형을 얼마나 많이 사용할지는 문서화하고 유효성을 검사해야 하는 주요 디자인 결정입니다. 자세한 내용은 '추가 정보' 열의 동반 문서를 참조하세요.", + "description": "호스트 풀은 Azure Virtual Desktop에 세션 호스트로 등록하는 Azure 가상 머신의 컬렉션입니다. 호스트 풀은 개인 및 풀링의 두 가지 유형 중 하나일 수 있습니다. 어떤 형식을 얼마나 많이 사용할지는 문서화하고 유효성을 검사해야 하는 중요한 디자인 결정입니다. 자세한 내용은 '추가 정보' 열의 동반 문서를 참조하십시오.", "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2", + "id": "C01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools", "severity": "높다", "subcategory": "용량 계획", - "text": "사용할 호스트 풀 유형 결정" + "text": "사용할 호스트 풀 유형 결정", + "waf": "비용" }, { "category": "토대", - "description": "디자인 기준을 사용하여 배포할 호스트 풀의 수를 결정합니다. 이는 다양한 OS 이미지, 다중 지역 지원, 게스트 VM 하드웨어 차이(예: GPU 지원 여부), 다양한 사용자 기대치 및 작동 시간 요구 사항(예: '임원', 'Office Workers', '개발자' 등) 및 호스트 풀 RDP 설정(예: 드라이브 리디렉션 지원)과 같은 요인을 기반으로 합니다. 이에 따라 호스트 풀의 수와 각 풀에 있는 호스트 수가 결정됩니다.", + "description": "디자인 조건을 사용하여 배포할 호스트 풀 수를 결정합니다. 이는 다양한 OS 이미지, 다중 지역 지원, 게스트 VM 하드웨어 차이(예: GPU 지원 여부), 다양한 사용자 기대치 및 작동 시간 요구 사항(예: '임원', '사무실 직원', '개발자' 등) 및 호스트 풀 RDP 설정(예: 드라이브 리디렉션 지원)과 같은 요소를 기반으로 합니다. 호스트 풀의 수와 각 풀에 포함될 호스트 수를 결정합니다.", "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7", + "id": "C01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools", "severity": "높다", "subcategory": "용량 계획", - "text": "배포할 서로 다른 호스트 풀의 수를 예측합니다 " + "text": "배포할 다양한 호스트 풀의 수를 예측합니다 ", + "waf": "공연" }, { "category": "토대", "description": "자동 할당과 직접 할당의 차이점을 잘 이해하고 선택한 옵션이 해당 시나리오에 적합한지 확인합니다. 
자동이 기본 설정입니다.", "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db", + "id": "C01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type", "severity": "낮다", "subcategory": "용량 계획", - "text": "개인 호스트 풀 유형에서 적절한 할당 유형을 선택합니다" + "text": "개인 호스트 풀 유형에서 적절한 할당 유형을 선택합니다", + "waf": "작업" }, { "category": "토대", - "description": "사용할 옵션과 사용 가능한 옵션을 확인하면 자동 크기 조정은 기존 부하 분산 알고리즘을 무시합니다.", + "description": "사용할 항목과 사용 가능한 옵션을 확인하면 자동 크기 조정은 기존 부하 분산 알고리즘을 무시합니다.", "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48", + "id": "C01.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing", "severity": "낮다", "subcategory": "용량 계획", - "text": "풀링된 호스트 풀 유형의 경우 최상의 부하 분산 방법을 선택합니다" + "text": "풀링된 호스트 풀 유형의 경우 최상의 부하 분산 방법을 선택합니다", + "waf": "공연" }, { "category": "토대", "description": "코어 수가 증가하면 시스템의 동기화 오버헤드도 증가합니다. 특히 여러 사용자가 동시에 로그인하는 경우. 세션 호스트에 비해 너무 큰 VM을 사용하지 않도록 합니다", "guid": "b3724959-4943-4577-a3a9-e10ff6345f24", + "id": "C01.05", "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "severity": "보통", "subcategory": "용량 계획", - "text": "풀링된 호스트 풀 유형의 경우 VM에는 32개 이상의 코어가 없어야 합니다" + "text": "풀링된 호스트 풀 유형의 경우 VM에는 32개 이상의 코어가 없어야 합니다.", + "waf": "공연" }, { "category": "토대", "description": "AVD는 단일 호스트 풀의 RemoteApp 및 DAG(데스크톱 애플리케이션 그룹)를 동일한 사용자 집합에 할당하는 것을 지원하지 않습니다. 이렇게 하면 단일 사용자가 단일 호스트 풀에 두 개의 사용자 세션을 갖게 됩니다. 
사용자는 동일한 프로필을 사용하여 동일한 호스트 풀에서 동시에 두 개의 활성 세션을 가질 수 없습니다.", "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144", + "id": "C01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups", "severity": "높다", "subcategory": "용량 계획", - "text": "동일한 호스트 풀을 사용하여 동일한 사용자 집합에 DAG(전체 데스크톱)와 원격 앱을 모두 제공하지 마세요" + "text": "동일한 호스트 풀을 사용하여 동일한 사용자 집합에 전체 데스크톱(DAG)과 원격 앱을 모두 제공하지 마세요", + "waf": "안전" }, { "category": "토대", "description": "각 Microsoft Entra ID(이전 Azure AD) 테넌트에 대해 AVD에서 만들 수 있는 애플리케이션 그룹은 500개로 제한됩니다. 한도를 늘릴 수 있지만(자세한 내용은 컴패니언 링크 참조) 권장되지는 않습니다.", "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c", + "id": "C01.07", "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits", "severity": "보통", "subcategory": "용량 계획", - "text": "Microsoft Entra ID 테넌트의 모든 호스트 풀에 필요한 애플리케이션 그룹 수 예측Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant" + "text": "Microsoft Entra ID 테넌트의 모든 호스트 풀에 필요한 애플리케이션 그룹 수 예측", + "waf": "신뢰도" }, { "category": "토대", - "description": "응용 프로그램은 사용 권한을 게시하고 할당하기 위한 컨테이너로 응용 프로그램 그룹 아래에 그룹화됨: 응용 프로그램 그룹당 50개 이상의 응용 프로그램을 게시하지 않는 것이 좋습니다.", + "description": "응용 프로그램은 응용 프로그램 그룹 아래에 사용 권한을 게시하고 할당하기 위한 컨테이너로 그룹화됩니다: 응용 프로그램 그룹당 50개 이상의 응용 프로그램을 게시하지 않는 것이 좋습니다.", "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32", + "id": "C01.08", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "severity": "낮다", "subcategory": "용량 계획", - "text": "각 응용 프로그램 그룹에 대한 응용 프로그램 수 추정" + "text": "각 응용 프로그램 그룹에 대한 응용 프로그램 수 추정", + "waf": "신뢰도" }, { "category": "토대", - "description": "FSLogix는 각 VM이 단일 사용자에게 정적으로 할당되므로 개인 호스트 풀에 필요하지 않으며 로밍 프로필 솔루션이 즉시 필요하지 않습니다. 일부 사용 시나리오에서는 FSLogix가 도움이 될 수 있습니다. 
예를 들어 VM을 다시 할당하거나, 사용자를 다른 데스크톱으로 이동하거나, 로밍 프로필을 사용하여 DR을 위해 사용자 프로필을 다른 위치에 저장할 수 있습니다.", + "description": "각 VM이 단일 사용자에게 정적으로 할당되므로 개인 호스트 풀에는 FSLogix가 필요하지 않으므로 로밍 프로필 솔루션이 즉시 필요하지 않습니다. 일부 사용 시나리오에서는 FSLogix가 도움이 될 수 있습니다. 예를 들어 VM을 다시 할당하거나, 사용자를 다른 데스크톱으로 이동하거나, 로밍 프로파일을 사용하여 DR을 위해 사용자 프로파일을 다른 위치에 저장할 수 있습니다.", "guid": "38b19ab6-0693-4992-9394-5590883916ec", - "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", + "id": "C01.09", + "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", "severity": "낮다", "subcategory": "용량 계획", - "text": "개인 호스트 풀에 대한 FSLogix 사용량 평가" + "text": "개인 호스트 풀에 대한 FSLogix 사용량 평가", + "waf": "신뢰도" }, { "category": "토대", - "description": "제공된 링크를 사용하여 SKU 결정의 시작점을 설정한 다음, 성능 테스트를 사용하여 유효성을 검사합니다. 세션 호스트(다중 세션)당 프로덕션에 대해 최소 4개의 코어가 선택되었는지 확인합니다.", + "description": "제공된 링크를 사용하여 SKU 결정의 시작점을 설정한 다음, 성능 테스트를 사용하여 유효성을 검사합니다. 세션 호스트당 프로덕션에 대해 최소 4개의 코어가 선택되었는지 확인합니다(다중 세션).", "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2", + "id": "C01.10", "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "severity": "높다", "subcategory": "용량 계획", - "text": "워크로드 성능 테스트를 실행하여 사용할 최상의 Azure VM SKU 및 크기 결정" + "text": "워크로드 성능 테스트를 실행하여 사용할 최상의 Azure VM SKU 및 크기 결정", + "waf": "공연" }, { "category": "토대", - "description": "참조된 도움말에 보고된 AVD 용량 및 한도를 확인하는 것이 중요합니다. 추가 제한 및 임계값은 네트워크, 컴퓨팅, 스토리지 및 서비스 관리에 적용됩니다. ", + "description": "참조된 문서에 보고된 AVD 용량 및 한도를 확인하는 것이 중요합니다. 추가 제한 및 임계값은 네트워크, 컴퓨팅, 스토리지 및 서비스 관리에 적용됩니다. 
", "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a", + "id": "C01.11", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "severity": "높다", "subcategory": "용량 계획", - "text": "환경에 대한 AVD 확장성 제한 확인" + "text": "환경에 대한 AVD 확장성 제한 확인", + "waf": "신뢰도" }, { "category": "토대", - "description": "GPU가 있는 호스트 풀에는 특별한 구성이 필요하므로 참조된 문서를 검토해야 합니다.", + "description": "GPU가 있는 호스트 풀에는 특별한 구성이 필요하며, 참조된 문서를 검토해야 합니다.", "guid": "c936667e-13c0-4056-94b1-e945a459837e", + "id": "C01.12", "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu", "severity": "낮다", "subcategory": "용량 계획", - "text": "세션 호스트에 GPU가 필요한지 확인" + "text": "세션 호스트에 GPU가 필요한지 확인", + "waf": "공연" }, { "category": "토대", - "description": "가능하면 가속화된 네트워킹 기능이 있는 VM SKU를 활용하는 것이 좋습니다. 이 기능에는 특정 VM SKU/크기 및 OS 버전이 필요하며, 동반 문서의 목록 및 요구 사항을 참조하세요.", + "description": "가능하면 가속화된 네트워킹 기능이 있는 VM SKU를 활용하는 것이 좋습니다. 이 기능을 사용하려면 특정 VM SKU/크기 및 OS 버전이 필요하며, 도우미 문서의 목록 및 요구 사항을 참조하세요.", "guid": "b47a393a-0803-4272-a479-8b1578b219a4", + "id": "C01.13", "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", "severity": "낮다", "subcategory": "용량 계획", - "text": "가속화된 네트워킹을 활용할 수 있는 Azure VM SKU 사용" + "text": "가속화된 네트워킹을 활용할 수 있는 Azure VM SKU 사용", + "waf": "공연" }, { "category": "토대", - "description": "적절한 계획 및 배포를 위해서는 각 호스트 풀에 대한 최대 동시 및 총 사용자 수를 평가하는 것이 중요합니다. 또한 다른 지역의 사용자는 최상의 사용자 환경을 보장하기 위해 다른 호스트 풀이 필요할 수 있습니다.", + "description": "적절한 계획 및 배포를 위해서는 각 호스트 풀에 대한 최대 동시 사용자 수와 총 사용자 수를 평가하는 것이 중요합니다. 
또한 다른 지역의 사용자는 최상의 사용자 환경을 보장하기 위해 다른 호스트 풀이 필요할 수 있습니다.", "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f", + "id": "C02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/overview", "severity": "보통", - "subcategory": "클라이언트 및 사용자", - "text": "AVD에 연결할 사용자 수와 지역 평가" + "subcategory": "클라이언트 & 사용자", + "text": "AVD에 연결할 사용자 수와 리전 평가", + "waf": "공연" }, { "category": "토대", - "description": "AVD 풀 외부의 리소스(예: Active Directory, 외부 파일 공유 또는 기타 스토리지, 온-프레미스 서비스 및 리소스, VPN 및/또는 ExpressRoute와 같은 네트워크 인프라 구성 요소, 외부 서비스 및 타사 구성 요소)에 대한 종속성을 평가하고 검토해야 합니다. 이러한 모든 리소스에 대해 AVD 호스트 풀의 지연 시간을 평가하고 연결을 고려해야 합니다. 또한 BCDR 고려 사항도 이러한 종속성에 적용해야 합니다.", + "description": "AVD 풀 외부의 리소스에 대한 종속성(예: Active Directory, 외부 파일 공유 또는 기타 스토리지, 온프레미스 서비스 및 리소스, VPN 및/또는 ExpressRoute와 같은 네트워크 인프라 구성요소, 외부 서비스, 타사 구성요소)을 평가하고 검토해야 합니다. 이러한 모든 리소스에 대해 AVD 호스트 풀의 지연 시간을 평가하고 연결을 고려해야 합니다. 또한 BCDR 고려 사항은 이러한 종속성에도 적용해야 합니다.", "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc", + "id": "C02.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json", "severity": "보통", - "subcategory": "클라이언트 및 사용자", - "text": "각 호스트 풀에 대한 외부 종속성 평가" + "subcategory": "클라이언트 & 사용자", + "text": "각 호스트 풀에 대한 외부 종속성 평가", + "waf": "공연" }, { "category": "토대", - "description": "AVD는 다양한 플랫폼(Windows, MacOS, iOS, Android)을 통해 연결할 수 있는 다양한 클라이언트 유형(fat, thin, web)을 제공합니다. 각 클라이언트의 제한 사항을 검토하고 가능한 경우 여러 옵션을 비교합니다.", + "description": "AVD는 다양한 플랫폼(Windows, MacOS, iOS, Android)을 통해 연결할 수 있는 다양한 클라이언트 유형(팻, 씬, 웹)을 제공합니다. 
각 클라이언트의 제한 사항을 검토하고 가능한 경우 여러 옵션을 비교합니다.", "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd", - "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows", "severity": "낮다", - "subcategory": "클라이언트 및 사용자", - "text": "사용된 사용자 클라이언트 OS 및 AVD 클라이언트 유형 검토" + "subcategory": "클라이언트 & 사용자", + "text": "사용된 사용자 클라이언트 OS 및 AVD 클라이언트 유형 검토", + "waf": "공연" }, { "category": "토대", - "description": "사용자 위치 및 AVD 지역 배포에 따라 사용자 환경이 최적화되지 않을 수 있으므로 소규모 PoC 환경에서 가능한 한 빨리 테스트하는 것이 중요합니다. 'Azure Virtual Desktop Experience Estimator' 도구를 실행하여 호스트 풀을 배포하는 데 가장 적합한 Azure 지역을 선택합니다. 대기 시간이 150ms를 초과하면 사용자 환경이 최적이 아닐 수 있습니다.", + "description": "사용자 위치 및 AVD 지역 배포에 따라 사용자에게 최적의 환경이 아닐 수 있으므로 소규모 PoC 환경에서 가능한 한 빨리 테스트하는 것이 중요합니다. 'Azure Virtual Desktop Experience Estimator' 도구를 실행하여 호스트 풀을 배포하는 데 가장 적합한 Azure 지역을 선택합니다. 대기 시간이 150ms를 초과하면 사용자 환경이 최적이 아닐 수 있습니다.", "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e", + "id": "C02.04", "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/", "severity": "높다", - "subcategory": "클라이언트 및 사용자", - "text": "PoC를 실행하여 엔드투엔드 사용자 환경 및 네트워크 대기 시간의 영향 검증" + "subcategory": "클라이언트 & 사용자", + "text": "PoC를 실행하여 엔드투엔드 사용자 환경 및 네트워크 대기 시간의 영향 검증", + "waf": "공연" }, { "category": "토대", - "description": "RDP 설정은 현재 사용자/그룹이 아닌 호스트 풀 수준에서만 구성할 수 있습니다. 서로 다른 사용자 집합에 대해 서로 다른 설정이 필요한 경우 여러 호스트 풀을 만드는 것이 좋습니다.", + "description": "RDP 설정은 현재 사용자/그룹이 아닌 호스트 풀 수준에서만 구성할 수 있습니다. 
다른 사용자 집합에 대해 다른 설정이 필요한 경우 여러 호스트 풀을 만드는 것이 좋습니다.", "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776", + "id": "C02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties", "severity": "낮다", - "subcategory": "클라이언트 및 사용자", - "text": "모든 사용자 그룹에 대한 RDP 설정 평가 및 문서화" + "subcategory": "클라이언트 & 사용자", + "text": "모든 사용자 그룹에 대한 RDP 설정 평가 및 문서화", + "waf": "안전" }, { "category": "토대", - "description": "AVD는 비지역 서비스이며, 호스트 풀은 모든 지역에서 생성할 수 있으며, 가장 가까운 프런트 엔드에서 자동 리디렉션이 자동으로 수행됩니다.", + "description": "AVD는 비지역 서비스이며, 호스트 풀은 모든 지역에서 만들 수 있으며, 가장 가까운 프런트 엔드에서 자동 리디렉션이 자동으로 수행됩니다.", "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9", + "id": "C03.01", "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop", "severity": "높다", "subcategory": "일반", - "text": "AVD 호스트 풀을 배포할 Azure 지역을 결정합니다." + "text": "AVD 호스트 풀을 배포할 Azure 지역을 결정합니다.", + "waf": "공연" }, { "category": "토대", - "description": "AVD는 서비스를 지원하기 위해 메타데이터를 저장해야 합니다. 지정된 지리에 저장됩니다. 그러나 이는 호스트 풀이 있는 지역과는 무관합니다.", + "description": "AVD는 서비스를 지원하기 위해 메타데이터를 저장해야 합니다. 지정된 geography에 저장됩니다. 
그러나 이는 호스트 풀이 있는 지역과 무관합니다.", "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab", + "id": "C03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations", "severity": "보통", "subcategory": "일반", - "text": "AVD 서비스의 메타데이터 위치 확인" + "text": "AVD 서비스의 메타데이터 위치 확인", + "waf": "신뢰도" }, { "category": "토대", - "description": "특히 GPU 또는 고사양 SKU가 필요한 경우 특정 VM SKU를 확인하고, 결국 Azure NetApp Files(사용되는 경우)를 확인합니다.", + "description": "특히 GPU 또는 고사양 SKU가 필요한 경우 특정 VM SKU를 확인하고 Azure NetApp Files(사용되는 경우)를 확인합니다.", "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91", + "id": "C03.03", "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "severity": "낮다", "subcategory": "일반", - "text": "선택한 지역의 특정 VM 크기 및 유형에 대한 Azure 할당량 및 가용성 확인Check Azure quotas and availability for specific VM sizes and types in the selected regions" + "text": "선택한 지역의 특정 VM 크기 및 유형에 대한 Azure 할당량 및 가용성 확인", + "waf": "신뢰도" }, { "category": "신원", "description": "AVD 세션 호스트에 로그인하는 사용자의 대기 시간을 줄이고 결국 Azure NetApp Files 및 AD 통합을 위해 Azure의 AD DC를 사용하는 것이 좋습니다(서로 다른 AZ에 2개 이상). DC는 모든 자식 도메인에 대해 DC와 통신할 수 있어야 합니다. 또는 온-프레미스 연결을 사용하여 AD DC에 연결해야 합니다.", "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073", + "id": "D01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "severity": "보통", "subcategory": "액티브 디렉토리", - "text": "AVD 호스트 풀에 가까운 Azure VNet 환경에서 두 개 이상의 Active Directory DC(도메인 컨트롤러)를 만듭니다." + "text": "AVD 호스트 풀에 가까운 Azure VNet 환경에서 두 개 이상의 Active Directory DC(도메인 컨트롤러)를 만듭니다.", + "waf": "신뢰도" }, { "category": "신원", "description": "별도의 OU 계층 구조 아래에 호스트 풀당 별도의 OU를 만드는 것이 좋습니다. 이러한 OU에는 AVD 세션 호스트의 머신 계정이 포함됩니다. 
", "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "D01.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace", "severity": "보통", "subcategory": "액티브 디렉토리", - "text": "각 호스트 풀에 대해 Active Directory에서 특정 OU를 만듭니다" + "text": "Active Directory에서 각 호스트 풀에 대해 특정 OU를 만듭니다", + "waf": "작업" }, { "category": "신원", - "description": "AVD 호스트 풀이 포함된 OU에 대한 GPO의 상속을 신중하게 검토하고 차단/필터링할 수 있습니다. ", + "description": "신중하게 검토하고 AVD 호스트 풀이 포함된 OU에 대한 GPO 상속을 차단/필터링할 수 있습니다. ", "guid": "7126504b-b47a-4393-a080-327294798b15", + "id": "D01.03", "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy", "severity": "보통", "subcategory": "액티브 디렉토리", - "text": "OU에 적용되고 호스트 풀 세션 호스트 기능에 영향을 줄 도메인 GPO를 검토합니다." + "text": "OU에 적용되고 호스트 풀 세션 호스트 기능에 영향을 줄 도메인 GPO를 검토합니다.", + "waf": "작업" }, { "category": "신원", - "description": "Active Directory 도메인 GPO를 사용하는 경우 '추가 정보' 열의 도우미 문서에서 참조하는 기본 제공 GPO ADMX 템플릿을 사용하여 FSLogix를 구성하는 것이 좋습니다", + "description": "Active Directory 도메인 GPO를 사용하는 경우 '추가 정보' 열의 도우미 문서에 참조된 기본 제공 GPO ADMX 템플릿을 사용하여 FSLogix를 구성하는 것이 좋습니다", "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f", + "id": "D01.04", "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates", "severity": "보통", "subcategory": "액티브 디렉토리", - "text": "기본 제공 GPO ADMX 템플릿을 사용하여 FSLogix 설정 구성" + "text": "기본 제공 GPO ADMX 템플릿을 사용하여 FSLogix 설정 구성", + "waf": "작업" }, { "category": "신원", - "description": "최소한의 권한을 가진 특정 전용 계정을 사용하는 것이 좋으며 기본 10개의 조인 제한이 없습니다. 자세한 내용은 동반 문서를 검토하세요.", + "description": "최소한의 권한이 있고 기본 10개의 가입 제한이 없는 특정 전용 계정을 사용하는 것이 좋습니다. 
자세한 내용은 동반 문서를 검토하세요.", "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77", + "id": "D01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts", "severity": "보통", "subcategory": "액티브 디렉토리", - "text": "VM을 도메인에 가입할 수 있는 권한만 있는 전용 사용자 계정 만들기" + "text": "VM을 도메인에 가입시킬 수 있는 권한만 있는 전용 사용자 계정 만들기", + "waf": "안전" }, { "category": "신원", - "description": "사용자당 액세스 권한을 부여하지 않고 대신 AD 그룹을 사용하고 Microsoft Entra ID(이전 Azure AD)에서 ADC(Active Directory Connector)를 사용하여 복제합니다. ", + "description": "사용자당 액세스 권한을 부여하지 말고, 대신 AD 그룹을 사용하고 Microsoft Entra ID(이전 Azure AD)에서 ADC(Active Directory Connector)를 사용하여 복제합니다. ", "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c", + "id": "D01.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups", "severity": "보통", "subcategory": "액티브 디렉토리", - "text": "각 호스트 풀 응용 프로그램 그룹(DAG 또는 RAG)에 대한 액세스 권한을 부여할 각 사용자 집합에 대해 도메인 사용자 그룹을 만듭니다" + "text": "각 호스트 풀 응용 프로그램 그룹(DAG 또는 RAG)에 대한 액세스 권한을 부여할 각 사용자 집합에 대해 도메인 사용자 그룹을 만듭니다", + "waf": "안전" }, { "category": "신원", - "description": "Azure Files AD(Active Directory) 통합을 사용하는 경우 구성 절차의 일부로 스토리지 계정(파일 공유)을 나타내는 AD 계정이 만들어집니다. 컴퓨터 계정 또는 서비스 로그온 계정으로 등록하도록 선택할 수 있으며, 자세한 내용은 FAQ를 참조하세요. 컴퓨터 계정의 경우 AD에 설정된 기본 암호 만료 기간이 30일입니다. 마찬가지로 서비스 로그온 계정에는 AD 도메인 또는 OU(조직 구성 단위)에 설정된 기본 암호 만료 기간이 있을 수 있습니다. 두 계정 유형 모두 AD 환경에 구성된 암호 만료 기간을 확인하고 최대 암호 사용 기간 전에 AD 계정의 스토리지 계정 ID에 대한 암호를 업데이트하도록 계획하는 것이 좋습니다. AD에서 새 AD OU(조직 구성 단위)를 만들고 그에 따라 컴퓨터 계정 또는 서비스 로그온 계정에 대한 암호 만료 정책을 사용하지 않도록 설정하는 것을 고려할 수 있습니다.", + "description": "Azure Files AD(Active Directory) 통합을 사용하는 경우 구성 절차의 일부로 스토리지 계정(파일 공유)을 나타내는 AD 계정이 만들어집니다. 컴퓨터 계정 또는 서비스 로그온 계정으로 등록하도록 선택할 수 있으며, 자세한 내용은 FAQ를 참조하세요. 컴퓨터 계정의 경우 AD에 30일로 설정된 기본 암호 만료 기간이 있습니다. 마찬가지로 서비스 로그온 계정에는 AD 도메인 또는 OU(조직 구성 단위)에 설정된 기본 암호 만료 기간이 있을 수 있습니다. 두 계정 유형 모두 AD 환경에 구성된 암호 만료 기간을 확인하고 최대 암호 사용 기간 전에 AD 계정의 스토리지 계정 ID 암호를 업데이트하도록 계획하는 것이 좋습니다. 
AD에서 새 AD OU(조직 구성 단위)를 만들고 그에 따라 컴퓨터 계정 또는 서비스 로그온 계정에서 암호 만료 정책을 사용하지 않도록 설정할 수 있습니다.", "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3", + "id": "D01.07", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", "severity": "높다", "subcategory": "액티브 디렉토리", - "text": "Azure Files AD 통합에서 사용하는 계정에 대한 조직 암호 만료 정책 검토" + "text": "Azure Files AD 통합에서 사용하는 계정에 대한 조직 암호 만료 정책 검토", + "waf": "안전" }, { "category": "신원", "description": "ADC(Active Directory Connect) 또는 Azure AD Domain Services(하이브리드 또는 클라우드 조직의 경우)를 사용하여 구성할 수 있습니다. Microsoft Entra ID는 Azure AD(Azure Active Directory)의 새 이름입니다.", "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a", + "id": "D01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "높다", "subcategory": "액티브 디렉토리", - "text": "Windows Server Active Directory 포리스트/도메인은 Microsoft Entra ID와 동기화되어야 합니다." + "text": "Windows Server Active Directory 포리스트/도메인은 Microsoft Entra ID와 동기화되어야 합니다.", + "waf": "신뢰도" }, { "category": "신원", "description": "Azure Files를 사용하고 필수 구성 요소를 충족할 수 있는 경우 Kerberos 인증(Microsoft Entra ID)을 구성하는 것이 좋습니다. 
이 구성을 사용하면 도메인 컨트롤러에 대한 네트워크 가시선 없이 Azure AD 조인 세션 호스트에서 하이브리드 사용자 ID로 액세스할 수 있는 FSLogix 프로필을 저장할 수 있습니다.", "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338", + "id": "D02.01", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", "severity": "보통", - "subcategory": "마이크로소프트 엔트라 ID", - "text": "Microsoft Entra ID(이전 Azure AD)에 대한 Azure Files 공유 구성 Microsoft Entra ID에 대한 Kerberos 인증 조인 시나리오" + "subcategory": "Microsoft Entra ID", + "text": "Microsoft Entra ID 조인 시나리오에서 Microsoft Entra ID(이전 Azure AD) Kerberos 인증에 대한 Azure Files 공유 구성", + "waf": "안전" }, { "category": "신원", "description": "Azure 구독은 Windows Server Active Directory Domain Services 또는 Microsoft Entra ID Domain Services 인스턴스를 포함하거나 연결된 가상 네트워크를 포함하는 동일한 Microsoft Entra ID(이전 Azure AD) 테넌트의 부모여야 합니다.", "guid": "6ceb5443-5125-4922-9442-93bb628537a5", + "id": "D03.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "높다", "subcategory": "요구 사항", - "text": "Microsoft Entra ID 테넌트는 하나 이상의 구독이 연결된 상태에서 사용할 수 있어야 합니다" + "text": "Microsoft Entra ID 테넌트는 하나 이상의 구독이 연결된 상태에서 사용할 수 있어야 합니다", + "waf": "신뢰도" }, { "category": "신원", - "description": "Azure Virtual Desktop은 선택한 구성에 따라 다양한 유형의 ID를 지원합니다. '추가 정보' 문서에 언급된 지원되는 시나리오를 검토하고 그에 따라 '설명' 열에 디자인 결정을 문서화하세요. 중요한 것은 외부 ID(B2B 또는 B2C)가 지원되지 않는다는 것입니다. https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios 에서 지원되는 시나리오 목록도 검토해야 합니다.", + "description": "Azure Virtual Desktop은 선택한 구성에 따라 다양한 유형의 ID를 지원합니다. '추가 정보' 문서에 언급된 지원되는 시나리오를 검토하고 그에 따라 '설명' 열에 디자인 결정을 문서화하세요. 중요한 것은 외부 ID(B2B 또는 B2C)가 지원되지 않는다는 것입니다. 
https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios 에서 지원되는 시나리오 목록도 검토해야 합니다.", "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c", + "id": "D03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", "severity": "높다", "subcategory": "요구 사항", - "text": "ID 시나리오 검토 및 문서화" + "text": "ID 시나리오 검토 및 문서화", + "waf": "안전" }, { "category": "신원", - "description": "사용자는 Microsoft Entra ID(이전 Azure AD)에 있는 계정이 필요합니다. Azure Virtual Desktop 배포에서 AD DS 또는 Azure AD Domain Services를 사용하는 경우 이러한 계정은 하이브리드 ID여야 하며, 이는 사용자 계정이 동기화됨을 의미합니다. AD DS와 함께 Microsoft Entra ID를 사용하는 경우 AD DS와 Microsoft Entra ID 간에 사용자 ID 데이터를 동기화하도록 Azure AD Connect를 구성해야 합니다. Azure AD Domain Services에서 Microsoft Entra ID를 사용하는 경우 사용자 계정은 Microsoft Entra ID에서 Azure AD Domain Services로 단방향으로 동기화됩니다. 이 동기화 프로세스는 자동입니다. AVD는 몇 가지 제한 사항이 있는 Microsoft Entra ID 기본 계정도 지원합니다. 외부 ID(B2B 또는 B2C)는 지원되지 않습니다.", + "description": "사용자는 Microsoft Entra ID(이전의 Azure AD)에 있는 계정이 필요합니다. Azure Virtual Desktop 배포에서 AD DS 또는 Azure AD Domain Services를 사용하는 경우 이러한 계정은 하이브리드 ID여야 하며, 이는 사용자 계정이 동기화됨을 의미합니다. AD DS와 함께 Microsoft Entra ID를 사용하는 경우 AD DS와 Microsoft Entra ID 간에 사용자 ID 데이터를 동기화하도록 Azure AD Connect를 구성해야 합니다. Azure AD Domain Services에서 Microsoft Entra ID를 사용하는 경우 사용자 계정은 Microsoft Entra ID에서 Azure AD Domain Services로 한 방향으로 동기화됩니다. 이 동기화 프로세스는 자동입니다. AVD는 몇 가지 제한사항이 있는 Microsoft Entra ID 네이티브 계정도 지원합니다. 외부 ID(B2B 또는 B2C)는 지원되지 않습니다.", "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", + "id": "D03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "보통", "subcategory": "요구 사항", - "text": "사용자 계정 유형 및 요구 사항 평가" + "text": "사용자 계정 유형 및 요구 사항 평가", + "waf": "안전" }, { "category": "신원", - "description": "AVD는 AD FS(Active Directory Federation Services) 또는 Microsoft Entra ID(이전 Azure AD) 인증을 사용하여 SSO를 지원합니다. 후자를 권장하며, '추가 정보' 문서에서 요구 사항 및 제한 사항을 확인하십시오. 
고객 환경에 이미 있는 경우 AD FS를 사용하는 것이 실행 가능한 선택일 수 있으며, AVD SSO 구현을 위해 새로운 ADFS 인프라를 구축하는 것은 권장되지 않습니다.", + "description": "AVD는 AD FS(Active Directory Federation Services) 또는 Microsoft Entra ID(이전 Azure AD) 인증을 사용하여 SSO를 지원합니다. 후자를 권장하며, '추가 정보' 문서에서 요구 사항 및 제한 사항을 확인하십시오. 고객 환경에 이미 있는 경우 AD FS를 사용하는 것이 실행 가능한 선택이 될 수 있으며, AVD SSO 구현만을 위해 새로운 ADFS 인프라를 배포하지 않는 것이 좋습니다.", "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", + "id": "D03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", "severity": "보통", "subcategory": "요구 사항", - "text": "SSO(Single-Sign On)가 요구 사항인 경우 지원되는 시나리오 및 필수 구성 요소를 검토합니다" + "text": "SSO(Single Sign-On)가 요구 사항인 경우 지원되는 시나리오 및 필수 구성 요소를 검토합니다", + "waf": "신뢰도" }, { "category": "신원", - "description": "VM은 Windows AD(Active Directory) 도메인 가입, 하이브리드 AD 가입, Microsoft Entra ID(이전 Azure AD) 가입 또는 Azure AD Domain Services 가입될 수 있습니다. 참조된 문서에서 지원되는 시나리오, 제한 사항 및 요구 사항을 검토해야 합니다.", + "description": "VM은 Windows AD(Active Directory) 도메인 조인, 하이브리드 AD 조인, Microsoft Entra ID(이전 Azure AD) 조인 또는 Azure AD Domain Services 조인일 수 있습니다. 
참조된 문서에서 지원되는 시나리오, 제한 사항 및 요구 사항을 검토해야 합니다.", "guid": "ea962a15-9394-46da-a7cc-3923266b2258", + "id": "D03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "높다", "subcategory": "요구 사항", - "text": "적절한 AVD 세션 호스트 도메인 가입 유형 선택" + "text": "적절한 AVD 세션 호스트 도메인 조인 유형 선택", + "waf": "안전" }, { "category": "신원", - "description": "자체 관리형 Windows Active Directory Domain Services, Microsoft Entra ID(이전 Azure AD) 및 관리형 AAD-DS(Azure AD Domain Services) 비교", + "description": "자체 관리형 Windows Active Directory Domain Services, Microsoft Entra ID(이전의 Azure AD) 및 관리형 Azure AD Domain Services(AAD-DS) 비교", "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", + "id": "D03.06", "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", "severity": "낮다", "subcategory": "요구 사항", - "text": "AVD용 AAD-DS(Azure AD Domain Services)를 사용하기 전에 제한 사항을 검토해야 합니다." + "text": "AVD용 AAD-DS(Azure AD Domain Services)를 사용하기 전에 제한 사항을 검토해야 합니다.", + "waf": "신뢰도" }, { "category": "모니터링 및 관리", - "description": "AVD는 Intune 및 Active Directory GPO에 대한 관리 템플릿을 제공합니다. 이러한 템플릿을 사용하면 그래픽 관련 데이터 로깅, 화면 캡처 보호, 관리 네트워크용 RDP Shortpath, 워터마킹과 같은 여러 AVD 구성 설정을 중앙에서 제어할 수 있습니다. 자세한 내용은 '추가 정보' 열의 동반 문서를 참조하십시오. 참고: FSLogix에는 별도의 템플릿이 있습니다.", + "description": "AVD는 Intune 및 Active Directory GPO에 대한 관리 템플릿을 제공합니다. 이러한 템플릿을 사용하면 그래픽 관련 데이터 로깅, 화면 캡처 보호, 관리 네트워크의 RDP Shortpath, 워터마킹과 같은 여러 AVD 구성 설정을 중앙에서 제어할 수 있습니다. 자세한 내용은 '추가 정보' 칼럼의 동반 문서를 참조하십시오. 
참고: FSLogix에는 별도의 템플릿이 있습니다.", "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", + "id": "E01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", "severity": "낮다", "subcategory": "경영", - "text": "AVD 설정 구성에 기본 제공 관리 템플릿 사용" + "text": "AVD 설정 구성에 기본 제공 관리 템플릿 사용", + "waf": "작업" }, { "category": "모니터링 및 관리", - "description": "초기 배포 후 호스트 풀 VM 구성을 관리하기 위한 구성 관리 도구(예: SCCM/SCOM, Intune/ConfigurationManager, 타사 솔루션)가 이미 있는지 확인합니다.", + "description": "초기 배포 후 호스트 풀 VM 구성(예: SCCM/SCOM, Intune/ConfigurationManager, 타사 솔루션)을 관리하기 위한 구성 관리 도구가 이미 있는지 확인합니다.", "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", + "id": "E01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/management", "severity": "낮다", "subcategory": "경영", - "text": "AVD 세션 호스트 구성 관리 전략 계획" + "text": "AVD 세션 호스트 구성 관리 전략 계획", + "waf": "작업" }, { "category": "모니터링 및 관리", - "description": "요구 사항을 충족할 수 있는 경우 Microsoft Intune을 사용하여 Azure Virtual Desktop 환경을 관리하는 것이 좋습니다. 지원되는 시나리오 및 요구 사항을 검토하여 \"추가 정보\" 열의 참조된 문서에서 AVD 세션 호스트 관리에 Intune 사용하도록 설정합니다. '코멘트' 열에 선택 사항을 문서화합니다. 이 문서에서는 단일 세션 https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop 및 다중 세션 https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD에 대한 다양한 요구사항과 기능을 검토합니다.", + "description": "요구 사항을 충족할 수 있는 경우 Microsoft Intune을 사용하여 Azure Virtual Desktop 환경을 관리하는 것이 좋습니다. 추가 정보 열의 참조된 문서에서 AVD 세션 호스트 관리를 위해 Intune을 사용하도록 설정하기 위한 지원되는 시나리오 및 요구 사항을 검토합니다. '댓글' 열에 선택 사항을 문서화합니다. 
이 문서에서는 AVD의 단일 세션 https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop 및 다중 세션 https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session 대한 다양한 요구사항과 기능을 검토합니다.", "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", + "id": "E01.03", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", "severity": "보통", "subcategory": "경영", - "text": "AVD 세션 호스트 관리를 위한 Intune 평가" + "text": "AVD 세션 호스트 관리를 위한 Intune 평가", + "waf": "작업" }, { "category": "모니터링 및 관리", - "description": "크기 조정 도구는 세션 호스트 VM 비용을 최적화하려는 고객에게 저렴한 자동화 옵션을 제공합니다. 크기 조정 도구를 사용하여 사용량이 많은 업무 시간 및 사용량이 적은 업무 시간에 따라 VM을 시작 및 중지하도록 예약하고, CPU 코어당 세션 수에 따라 VM을 확장하고, 사용량이 적은 시간 동안 VM을 축소하고, 세션 호스트 VM의 최소 수를 실행 중인 상태로 둘 수 있습니다. 개인 호스트 풀 유형에는 아직 사용할 수 없습니다.", + "description": "크기 조정 도구는 세션 호스트 VM 비용을 최적화하려는 고객에게 저렴한 자동화 옵션을 제공합니다. 크기 조정 도구를 사용하여 피크 및 오프 피크 업무 시간에 따라 VM을 시작 및 중지하도록 예약하고, CPU 코어당 세션 수에 따라 VM을 스케일 아웃하고, 오프 피크 시간 동안 VM을 스케일 인하고, 최소 세션 호스트 VM 수를 실행 상태로 둘 수 있습니다. 개인 호스트 풀 유형에는 아직 사용할 수 없습니다.", "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", + "id": "E01.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", "severity": "보통", "subcategory": "경영", - "text": "호스트 풀 자동 크기 조정 기능에 대한 요구 사항 평가" + "text": "호스트 풀 자동 크기 조정 기능에 대한 요구 사항 평가", + "waf": "신뢰도" }, { "category": "모니터링 및 관리", - "description": "연결 시 VM 시작을 사용하면 최종 사용자가 필요할 때만 세션 호스트 VM(가상 머신)을 켤 수 있도록 하여 비용을 절감할 수 있습니다. 그런 다음 필요하지 않은 VM을 끌 수 있습니다. Azure Portal 또는 PowerShell을 사용하여 개인 또는 풀링된 호스트 풀에 대해 Connect 시 VM 시작을 구성할 수 있습니다. 연결 시 VM 시작은 호스트 풀 전체 설정입니다.", + "description": "Start VM On Connect를 사용하면 최종 사용자가 필요할 때만 세션 호스트 VM(가상 머신)을 켤 수 있도록 하여 비용을 절감할 수 있습니다. 그런 다음 필요하지 않은 경우 VM을 끌 수 있습니다. Azure Portal 또는 PowerShell을 사용하여 개인 또는 풀링된 호스트 풀에 대해 Connect에서 VM 시작을 구성할 수 있습니다. 
연결 시 VM 시작은 호스트 풀 전체 설정입니다.", "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", + "id": "E01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", "severity": "낮다", "subcategory": "경영", - "text": "개인 호스트 풀에 대해 연결 시 VM 시작 사용을 고려합니다." + "text": "개인 호스트 풀에 대한 Connect VM 시작 사용 고려", + "waf": "비용" }, { "category": "모니터링 및 관리", - "description": "'연결 시 VM 시작'은 이전에 중지된 세션 호스트를 자동으로 시작하는 스마트한 방법을 제공하지만 사용하지 않을 때 종료하는 메커니즘은 제공하지 않습니다. 관리자는 세션에서 사용자를 로그아웃하고 Azure Automation 스크립트를 실행하여 VM의 할당을 취소하는 추가 정책을 구성하는 것이 좋습니다. 사용자는 Azure VM의 할당을 취소할 수 없으므로 개인 호스트를 종료할 수 없어야 하며, 그러면 비용 절감 없이 청구가 계속 활성화됩니다.", + "description": "'연결 시 VM 시작'은 이전에 중지된 세션 호스트를 자동으로 시작하는 스마트한 방법을 제공하지만 사용하지 않을 때 종료하는 메커니즘은 제공하지 않습니다. 관리자는 세션에서 사용자를 로그아웃하고 Azure 자동화 스크립트를 실행하여 VM 할당을 취소하는 추가 정책을 구성하는 것이 좋습니다. 사용자는 Azure VM의 할당을 취소할 수 없으므로 개인 호스트를 종료할 수 없어야 하며, 비용 절감 없이 청구가 계속 활성화됩니다.", "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", + "id": "E01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", "severity": "낮다", "subcategory": "경영", - "text": "개인 AVD 세션 호스트를 종료하는 임시 메커니즘의 구현 평가" + "text": "개인 AVD 세션 호스트를 종료하기 위한 임시 메커니즘의 구현 평가", + "waf": "비용" }, { "category": "모니터링 및 관리", - "description": "Azure Virtual Desktop 청구는 주로 호스트 풀에서 사용하는 컴퓨팅, 네트워킹 및 스토리지 리소스와 관련된 비용을 기반으로 합니다. 이 외에도 종속 리소스(예: VPN 또는 ExpressRoute 또는 vWAN, Active Directory 도메인 컨트롤러, DNS 등)에 의해 비용이 생성될 수 있습니다. 작업 공간, 호스트 풀 또는 애플리케이션 그룹과 같은 AVD 객체와 관련된 직접 비용은 없습니다. AVD 관련 비용을 더 명확하게 하고 호스트 풀별로 그룹화하려면 'cm-resource-parent' 태그를 사용하는 것이 좋습니다. ", + "description": "Azure Virtual Desktop 청구는 주로 호스트 풀에서 사용하는 컴퓨팅, 네트워킹 및 스토리지 리소스와 관련된 비용을 기반으로 합니다. 이 외에도 VPN 또는 ExpressRoute 또는 vWAN, Active Directory 도메인 컨트롤러, DNS 등과 같은 종속 리소스에 의해 비용이 생성될 수 있습니다. 작업 공간, 호스트 풀 또는 애플리케이션 그룹과 같은 AVD 객체와 관련된 직접 비용은 없습니다. AVD 관련 비용을 더 명확하게 표시하고 호스트 풀별로 그룹화하려면 'cm-resource-parent' 태그를 사용하는 것이 좋습니다. 
", "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", + "id": "E01.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", "severity": "낮다", "subcategory": "경영", - "text": "Azure Virtual Desktop에 대해 제안된 Azure 태그 검토 및 채택" + "text": "Azure Virtual Desktop에 대해 제안된 Azure 태그 검토 및 채택", + "waf": "비용" }, { "category": "모니터링 및 관리", - "description": "Azure Advisor는 구성 및 원격 분석을 분석하여 일반적인 문제를 해결하기 위한 개인 설정된 권장 사항을 제공합니다. 이러한 권장 사항을 통해 안정성, 보안, 운영 우수성, 성능 및 비용에 맞게 Azure 리소스를 최적화할 수 있습니다.", + "description": "Azure Advisor는 구성 및 원격 분석을 분석하여 일반적인 문제를 해결하기 위한 개인 설정된 권장 사항을 제공합니다. 이러한 권장 사항을 통해 안정성, 보안, 운영 우수성, 성능 및 비용에 대해 Azure 리소스를 최적화할 수 있습니다.", "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", + "id": "E01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", "severity": "낮다", "subcategory": "경영", - "text": "AVD에 대한 Azure Advisor 권장 사항을 주기적으로 확인" + "text": "AVD에 대한 Azure Advisor 권장 사항을 주기적으로 확인합니다.", + "waf": "작업" }, { "category": "모니터링 및 관리", - "description": "고객은 다음과 같은 몇 가지 옵션을 사용할 수 있습니다. Microsoft Configuration Manager, 이 문서에서는 Windows 10/11(https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-automatic-updates), Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure 업데이트 관리 및 Windows Server OS용 WSUS(클라이언트 OS는 지원되지 않음)를 실행하는 Azure Virtual Desktop 세션 호스트에 업데이트를 자동으로 적용하는 방법을 설명합니다. https://learn.microsoft.com/en-us/azure/automation/update-management/operating-system-requirements), 제3자 도구. 긴급 보안 패치 상황이 아닌 경우 '현재 위치' 업데이트 전략 패치 전략에서 벗어나 재이미징 접근 방식을 채택하는 것이 좋습니다.", + "description": "고객에게는 다음과 같은 몇 가지 옵션이 있습니다. Microsoft Configuration Manager, 이 문서에서는 Windows 10/11을 실행하는 Azure Virtual Desktop 세션 호스트에 업데이트를 자동으로 적용하는 방법을 설명합니다. 
https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure 업데이트 관리 및 WSUS만 Windows Server OS 전용(클라이언트 OS는 지원되지 않음: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 제 3 자 도구. 긴급 보안 패치 상황을 벗어나면 '현재 위치' 업데이트 전략 패치 전략에서 벗어나 재이미징 접근 방식을 채택하는 것이 좋습니다.", "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", + "id": "E01.09", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "severity": "보통", "subcategory": "경영", - "text": "세션 호스트 긴급 패치 및 업데이트 전략 계획" + "text": "세션 호스트 긴급 패치 및 업데이트 전략 계획", + "waf": "작업" }, { "category": "모니터링 및 관리", - "description": "예약된 에이전트 업데이트 기능을 사용하면 호스트 풀당 최대 2개의 유지 관리 기간을 만들어 편리한 시간에 AVD 구성 요소를 업데이트할 수 있습니다. 유지 관리 기간을 지정하면 사용량이 많은 업무 시간에는 세션 호스트 업그레이드가 발생하지 않는 것이 좋습니다. 예약된 에이전트 업데이트는 기본적으로 사용하지 않도록 설정되어 있습니다. 즉, 이 설정을 활성화하지 않으면 에이전트 업데이트 플라이팅 서비스를 통해 언제든지 에이전트를 업데이트할 수 있습니다.", + "description": "예약된 에이전트 업데이트 기능을 사용하면 호스트 풀당 최대 2개의 유지 보수 기간을 생성하여 편리한 시간에 AVD 구성 요소를 업데이트할 수 있습니다. 유지 관리 기간을 지정하는 것이 좋으며, 이 경우 세션 호스트 업그레이드는 업무 사용량이 가장 많은 시간 동안 수행되지 않습니다. 예약된 에이전트 업데이트는 기본적으로 비활성화되어 있습니다. 즉, 이 설정을 사용하도록 설정하지 않으면 에이전트 업데이트 플라이팅 서비스를 통해 언제든지 에이전트를 업데이트할 수 있습니다.", "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", + "id": "E01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "severity": "낮다", "subcategory": "경영", - "text": "예약된 에이전트 업데이트 기능 구성" + "text": "예약된 에이전트 업데이트 기능 구성", + "waf": "신뢰도" }, { "category": "모니터링 및 관리", - "description": "호스트 풀은 Azure Virtual Desktop 환경 내에서 하나 이상의 동일한 가상 머신의 컬렉션입니다. 서비스 업데이트가 먼저 적용되는 유효성 검사 호스트 풀을 만드는 것이 좋습니다. 이렇게 하면 서비스가 표준 또는 비유효성 검사 환경에 적용하기 전에 서비스 업데이트를 모니터링할 수 있습니다.", + "description": "호스트 풀은 Azure Virtual Desktop 환경 내에 있는 하나 이상의 동일한 가상 머신의 컬렉션입니다. 서비스 업데이트가 먼저 적용되는 유효성 검사 호스트 풀을 만드는 것이 좋습니다. 
이렇게 하면 서비스가 표준 또는 비유효성 검사 환경에 적용하기 전에 서비스 업데이트를 모니터링할 수 있습니다.", "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "id": "E01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "severity": "보통", "subcategory": "경영", - "text": "유효성 검사(카나리아) 호스트 풀 만들기" + "text": "유효성 검사(카나리아) 호스트 풀 만들기", + "waf": "작업" }, { "category": "모니터링 및 관리", - "description": "AVD 호스트 풀은 Azure Portal, ARM 템플릿, Azure CLI 도구, Powershell, 등록 토큰을 사용한 수동 VM 만들기, Terraform, 타사 도구 등 여러 가지 방법으로 배포할 수 있습니다. 자동화 및 CI/CD 도구를 통해 자동 배포를 지원하는 적절한 방법을 채택하는 것이 중요합니다.", + "description": "AVD 호스트 풀은 Azure Portal, ARM 템플릿, Azure CLI 도구, Powershell, 등록 토큰을 사용한 수동 VM 만들기, Terraform, 타사 도구 등 여러 가지 방법으로 배포할 수 있습니다. 자동화 및 CI/CD 도구를 통해 자동 배포를 지원하기 위해 적절한 방법을 채택하는 것이 중요합니다.", "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "id": "E01.12", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "severity": "보통", "subcategory": "경영", - "text": "호스트 풀 배포 전략 결정" + "text": "호스트 풀 배포 전략 결정", + "waf": "작업" }, { "category": "모니터링 및 관리", "description": "Azure Virtual Desktop 서비스 내의 호스트 풀에 VM을 등록한 후 에이전트는 VM이 활성 상태일 때마다 VM의 토큰을 정기적으로 새로 고칩니다. 등록 토큰에 대한 인증서는 90일 동안 유효합니다. 이 90일 제한으로 인해 머신이 토큰을 새로 고치고 에이전트 및 병렬 스택 구성 요소를 업데이트할 수 있도록 VM을 90일마다 20분 동안 온라인 상태로 유지하는 것이 좋습니다.", "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "id": "E01.13", "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "severity": "보통", "subcategory": "경영", - "text": "토큰 새로 고침을 위해 최소 90일마다 세션 호스트 VM 켜기Turn on Session Host VMs at least every 90 days for token refresh" + "text": "토큰 새로 고침을 위해 최소 90일마다 세션 호스트 VM 켜기Turn on Session Host VMs at least every 90 days for token refresh", + "waf": "작업" }, { "category": "모니터링 및 관리", "description": "Azure Virtual Desktop Insights는 IT 전문가가 Azure Virtual Desktop 환경을 이해하는 데 도움이 되는 Azure Monitor 통합 문서를 기반으로 하는 대시보드입니다. 
AVD 환경을 모니터링하도록 Azure Virtual Desktop용 Azure Monitor를 설정하는 방법을 알아보려면 참조된 문서를 읽어보세요.", "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "id": "E02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "severity": "높다", "subcategory": "모니터링", - "text": "AVD에 대한 모니터링 사용 설정" + "text": "AVD 모니터링 사용 설정", + "waf": "신뢰도" }, { "category": "모니터링 및 관리", - "description": "Azure Virtual Desktop은 다른 많은 Azure 서비스와 마찬가지로 모니터링 및 경고에 Azure Monitor 및 Log Analytics를 사용합니다. 이를 통해 관리자는 단일 인터페이스를 통해 문제를 식별할 수 있습니다. 이 서비스는 사용자 및 관리 작업 모두에 대한 활동 로그를 만듭니다. 각 활동 로그는 관리, 피드, 연결, 호스트 등록, 오류, 검사점 범주에 속합니다. ", + "description": "Azure Virtual Desktop은 다른 많은 Azure 서비스와 마찬가지로 모니터링 및 경고에 Azure Monitor 및 Log Analytics를 사용합니다. 이를 통해 관리자는 단일 인터페이스를 통해 문제를 식별할 수 있습니다. 이 서비스는 사용자 및 관리 작업 모두에 대한 활동 로그를 만듭니다. 각 활동 로그는 관리, 피드, 연결, 호스트 등록, 오류, 검사점 범주로 나뉩니다. ", "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "id": "E02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "severity": "보통", "subcategory": "모니터링", - "text": "작업 영역, 호스트 풀, 애플리케이션 그룹 및 호스트 VM에 대한 진단 설정을 Log Analytics 작업 영역에 사용하도록 설정Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace" + "text": "작업 영역, 호스트 풀, 애플리케이션 그룹 및 호스트 VM에 대한 진단 설정을 Log Analytics 작업 영역으로 사용하도록 설정", + "waf": "신뢰도" }, { "category": "모니터링 및 관리", "description": "참조된 문서와 이 추가 문서를 참조하여 스토리지에 대한 적절한 모니터링 및 경고를 설정합니다: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. 
", "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "id": "E02.03", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "severity": "보통", "subcategory": "모니터링", - "text": "사용량이 많고 제한되는 경우 경고할 프로필 스토리지에 대한 경고 만들기Create alerts on the profile storage to be alerted in 경우 높은 사용량 및 제한" + "text": "사용량이 많고 제한되는 경우 경고할 프로필 저장소에 대한 경고 만들기Create alerts on the profile storage to be alert in case of high usage and throttling", + "waf": "신뢰도" }, { "category": "모니터링 및 관리", - "description": "Azure Service Health를 사용하여 Azure Virtual Desktop에 대한 서비스 문제 및 상태 권고를 모니터링할 수 있습니다. Azure Service Health는 다양한 유형의 경고(예: 이메일 또는 SMS)로 알리고, 문제의 영향을 이해하는 데 도움을 주고, 문제가 해결되면 계속 업데이트할 수 있습니다.", + "description": "Azure Service Health를 사용하여 Azure Virtual Desktop에 대한 서비스 문제 및 상태 권고를 모니터링할 수 있습니다. Azure Service Health는 다양한 유형의 경고(예: 이메일 또는 SMS)로 알리고, 문제의 영향을 이해하는 데 도움을 주고, 문제가 해결됨에 따라 최신 정보를 제공할 수 있습니다.", "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "id": "E02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "severity": "보통", "subcategory": "모니터링", - "text": "AVD 경고에 대한 Azure Service Health 구성 " + "text": "AVD 경고에 대한 Azure Service Health 구성 ", + "waf": "신뢰도" }, { "category": "네트워킹", - "description": "온-프레미스 환경에 연결해야 하는 경우 현재 연결 옵션을 평가하거나 필요한 연결(ExpressRoute, Azure S2S 또는 타사 NVA VPN)을 계획합니다. ", + "description": "온-프레미스 환경에 연결하는 데 필요한 경우 현재 연결 옵션을 평가하거나 필요한 연결(ExpressRoute, Azure S2S 또는 제3자 NVA VPN)을 계획합니다. ", "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "id": "F01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "보통", "subcategory": "네트워킹", - "text": "온-프레미스 환경에 연결하는 데 하이브리드 연결이 필요한지 확인" + "text": "온-프레미스 환경에 연결하는 데 하이브리드 연결이 필요한지 확인", + "waf": "신뢰도" }, { "category": "네트워킹", - "description": "AVD 호스트 풀은 Azure Virtual WAN 또는 기존 '허브 앤 스포크' 네트워크 토폴로지에 배포할 수 있습니다. 
각 호스트 풀을 별도의 '스포크' VNet에 배포하는 것이 좋으며, '허브'를 사용하는 것은 권장되지 않습니다.", + "description": "AVD 호스트 풀은 Azure Virtual WAN 또는 기존의 '허브 & 스포크' 네트워크 토폴로지에 배포할 수 있습니다. 각 호스트 풀을 별도의 '스포크' VNet에 배포하는 것이 좋으며, 'hub'를 사용하는 것은 권장되지 않습니다.", "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "id": "F01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "severity": "보통", "subcategory": "네트워킹", - "text": "각 AVD 호스트 풀에 대한 Azure VNet(Virtual Network) 배치 결정" + "text": "각 AVD 호스트 풀에 대한 Azure VNet(Virtual Network) 배치 결정", + "waf": "공연" }, { "category": "네트워킹", - "description": "대역폭 요구 사항을 평가하고, VPN/ER 대역폭이 충분한지 확인하고, 적절한 라우팅 및 방화벽 규칙이 적용되었는지 확인하고, 엔드 투 엔드 대기 시간을 테스트합니다. ", + "description": "대역폭 요구 사항을 평가하고, VPN/ER 대역폭이 충분한지 확인하고, 적절한 라우팅 및 방화벽 규칙이 있는지 확인하고, 종단 간 대기 시간을 테스트합니다. ", "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "id": "F01.03", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "보통", "subcategory": "네트워킹", - "text": "AVD 호스트 풀에 필요한 온프레미스 리소스 평가" + "text": "AVD 호스트 풀에서 필요한 온프레미스 리소스 평가", + "waf": "신뢰도" }, { "category": "네트워킹", - "description": "몇 가지 옵션을 사용할 수 있습니다. Azure Firewall 또는 동등한 타사 NVA, NSG(네트워크 보안 그룹) 및/또는 프록시 서버를 사용할 수 있습니다. NSG는 URL을 사용하거나 사용하지 않도록 설정할 수 없으며 포트 및 프로토콜만 사용할 수 있습니다. 프록시는 사용자 브라우저에서 명시적 설정으로만 사용해야 합니다. AVD에서 Azure Firewall 프리미엄을 사용하는 방법에 대한 자세한 내용은 '추가 정보' 열의 동반 문서에 보고됩니다. 필요한 AVD URL에 대한 적절한 액세스를 허용해야 합니다. 온-프레미스에 대한 강제 터널링은 권장되지 않습니다.", + "description": "몇 가지 옵션을 사용할 수 있습니다. Azure Firewall 또는 동등한 제3자 NVA, NSG(네트워크 보안 그룹) 및/또는 프록시 서버를 사용할 수 있습니다. NSG는 URL을 통해 사용하거나 사용하지 않도록 설정할 수 없으며 포트 및 프로토콜만 사용할 수 있습니다. 프록시는 사용자 브라우저에서 명시적 설정으로만 사용해야 합니다. AVD에서 Azure Firewall 프리미엄을 사용하는 방법에 대한 자세한 내용은 '추가 정보' 열의 도우미 문서에 보고됩니다. 필요한 AVD URL에 대한 적절한 액세스를 허용해야 합니다. 
온-프레미스에 대한 강제 터널링은 권장되지 않습니다.", "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": " https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "id": "F01.04", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "보통", "subcategory": "네트워킹", - "text": "AVD 호스트에 대한 인터넷 아웃바운드 트래픽을 제어/제한해야 합니까?" + "text": "AVD 호스트의 인터넷 아웃바운드 트래픽을 제어/제한해야 하나요?", + "waf": "안전" }, { "category": "네트워킹", "description": "세션 호스트의 AVD 컨트롤 플레인 액세스에 필요한 URL은 https://docs.microsoft.com/azure/virtual-desktop/safe-url-list 에 설명되어 있습니다. 확인 도구를 사용하여 세션 호스트(https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool)의 연결을 확인할 수 있습니다. 온-프레미스에 대한 강제 터널링은 권장되지 않습니다.", "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "id": "F01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", "severity": "높다", "subcategory": "네트워킹", - "text": "AVD 컨트롤 플레인 엔드포인트에 액세스할 수 있는지 확인" + "text": "AVD 컨트롤 플레인 엔드포인트에 액세스할 수 있는지 확인", + "waf": "신뢰도" }, { "category": "네트워킹", - "description": "Azure Defender 엔드포인트 또는 유사한 제3자 에이전트를 사용하여 사용자 웹 탐색을 제어하는 것이 좋으며, 자세한 내용은 보안 섹션을 참조하세요.", + "description": "Azure Defender 엔드포인트 또는 유사한 타사 에이전트를 사용하여 사용자 웹 탐색을 제어하는 것이 좋습니다.", "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "id": "F01.06", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "severity": "보통", "subcategory": "네트워킹", - "text": "AVD 호스트의 사용자에 대해서만 인터넷 아웃바운드 트래픽을 제어/제한해야 하나요? " + "text": "AVD 호스트의 사용자에 대해서만 인터넷 아웃바운드 트래픽을 제어/제한해야 하나요? ", + "waf": "안전" }, { "category": "네트워킹", - "description": "사용자 지정 UDR 및 NSG를 AVD 호스트 풀 서브넷에 적용하여 Azure Firewall 또는 NVA로 리디렉션하거나 네트워크 트래픽을 필터링/차단할 수 있습니다. 이 경우 AVD 컨트롤 플레인에 대한 아웃바운드 트래픽에 대한 최적의 경로가 사용되는지 신중하게 검토하는 것이 좋습니다. 이제 서비스 태그를 UDR 및 NSG와 함께 사용할 수 있으며, AVD 관리 플레인 트래픽을 쉽게 허용할 수 있습니다. 
https://learn.microsoft.com/en-us/azure/virtual-desktop/safe-url-list.", + "description": "사용자 지정 UDR 및 NSG를 AVD 호스트 풀 서브넷에 적용하여 Azure Firewall 또는 NVA로 리디렉션하거나 네트워크 트래픽을 필터링/차단할 수 있습니다. 이 경우 AVD 컨트롤 플레인에 대한 아웃바운드 트래픽에 대한 최적의 경로가 사용되는지 신중하게 검토하는 것이 좋습니다. 이제 UDR 및 NSG와 함께 서비스 태그를 사용할 수 있으며, AVD 관리부 트래픽을 쉽게 허용할 수 있습니다. https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "id": "F01.07", "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "낮다", "subcategory": "네트워킹", - "text": "AVD 호스트 풀 서브넷에 대한 사용자 지정 UDR 및 NSG 검토" + "text": "AVD 호스트 풀 서브넷에 대한 사용자 지정 UDR 및 NSG 검토", + "waf": "안전" }, { "category": "네트워킹", - "description": "AVD 세션 호스트 VM에서 AVD 컨트롤 플레인으로의 네트워크 트래픽은 가능한 한 직접적이어야 합니다. 심층 패킷 검사 및/또는 SSL 종료를 통해 프록시 또는 방화벽을 통해 이 트래픽을 리디렉션하면 심각한 문제와 나쁜 고객 경험이 발생할 수 있습니다. AVD 컨트롤 플레인에 대해서만 프록시 및 방화벽을 우회하는 것이 좋습니다. 대신 웹 서핑을 하는 사용자 생성 트래픽은 방화벽에 의해 필터링되거나 프록시로 리디렉션되어야 합니다. 자세한 내용과 지침은 '추가 정보' 열의 동반 문서를 참조하세요.", + "description": "AVD 세션 호스트 VM에서 AVD 컨트롤 플레인으로의 네트워크 트래픽은 가능한 한 직접적이어야 합니다. 심층 패킷 검사 및/또는 SSL 종료를 통해 프록시 또는 방화벽을 통해 이 트래픽을 리디렉션하면 심각한 문제와 나쁜 고객 경험이 발생할 수 있습니다. AVD 컨트롤 플레인에 대해서만 프록시 및 방화벽을 우회하는 것이 좋습니다. 대신 웹 서핑을 하는 사용자 생성 트래픽은 방화벽으로 필터링하거나 프록시로 리디렉션해야 합니다. 자세한 내용과 지침은 '추가 정보' 열의 관련 문서를 참조하십시오.", "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", + "id": "F01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", "severity": "높다", "subcategory": "네트워킹", - "text": "AVD 컨트롤 플레인 트래픽에 프록시 서버, SSL 종료 및 Deep Packet Inspection을 사용하지 마십시오." + "text": "AVD 컨트롤 플레인 트래픽에 프록시 서버, SSL 종료 및 Deep Packet Inspection을 사용하지 마십시오.", + "waf": "신뢰도" }, { "category": "네트워킹", - "description": "특정 워크로드 유형에 따라 사용자에 대한 네트워킹 대역폭 요구 사항을 평가하고 검토하는 것이 좋습니다. 참조된 문서에서는 일반적인 추정 및 권장 사항을 제공하지만 적절한 크기 조정을 위해서는 구체적인 측정이 필요합니다. ", + "description": "특정 워크로드 유형에 따라 사용자에 대한 네트워킹 대역폭 요구 사항을 평가하고 검토하는 것이 좋습니다. 참조된 문서에서는 일반적인 예상 및 권장 사항을 제공하지만 적절한 크기 조정을 위해서는 특정 측정이 필요합니다. 
", "guid": "516785c6-fa96-4c96-ad88-408f372734c8", + "id": "F01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", "severity": "낮다", "subcategory": "네트워킹", - "text": "각 사용자에 필요한 네트워크 대역폭 및 VM SKU에 대한 총 네트워크 대역폭 확인" + "text": "각 사용자에게 필요한 네트워크 대역폭과 VM SKU에 대한 총 네트워크 대역폭을 확인합니다.", + "waf": "공연" }, { "category": "네트워킹", - "description": "Azure Files SMB 공유를 사용하여 FSLogix를 통해 사용자 프로필을 저장하는 경우 스토리지에 대한 프라이빗 액세스에 PE(프라이빗 엔드포인트)를 사용하는 것이 좋습니다. AVD 세션 호스트는 동일한 VNet의 프라이빗 IP를 사용하여 스토리지에 액세스하므로 별도의 서브넷을 사용하는 것이 좋습니다. 이 기능에는 평가해야 하는 추가 비용이 있습니다. PE를 사용하지 않을 경우 최소한 서비스 엔드포인트가 권장됩니다(관련 비용 없음).", + "description": "Azure Files SMB 공유를 사용하여 FSLogix를 통해 사용자 프로필을 저장하는 경우 스토리지에 대한 프라이빗 액세스에 PE(프라이빗 엔드포인트)를 사용하는 것이 좋습니다. AVD 세션 호스트는 동일한 VNet의 개인 IP를 사용하여 스토리지에 액세스하므로 별도의 서브넷을 사용하는 것이 좋습니다. 이 기능에는 평가해야 하는 추가 비용이 있습니다. PE를 사용하지 않을 경우 최소한 서비스 엔드포인트를 사용하는 것이 좋습니다(관련 비용 없음).", "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "id": "F01.10", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "severity": "보통", "subcategory": "네트워킹", - "text": "Azure Files 공유에 대한 사용량 프라이빗 엔드포인트 평가" + "text": "Azure Files 공유에 대한 사용량 프라이빗 엔드포인트 평가", + "waf": "안전" }, { "category": "네트워킹", - "description": "Azure Virtual Desktop에 대한 연결은 TCP 또는 UDP를 사용할 수 있습니다. RDP Shortpath는 지원되는 Windows 원격 데스크톱 클라이언트와 세션 호스트 간에 직접 UDP 기반 전송을 설정하는 AVD의 기능입니다. 클라이언트가 내부 네트워크에서 AVD 세션 호스트에 대한 가시선이 있는 경우(VPN 사용은 권장되지 않음) 이 기능은 https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits 에 설명된 대로 지연 시간을 줄이고 최상의 성능을 제공할 수 있습니다.", + "description": "Azure Virtual Desktop에 대한 연결은 TCP 또는 UDP를 사용할 수 있습니다. RDP Shortpath는 지원되는 Windows 원격 데스크톱 클라이언트와 세션 호스트 간에 직접 UDP 기반 전송을 설정하는 AVD의 기능입니다. 
클라이언트가 내부 네트워크에서 AVD 세션 호스트에 대한 가시선이 있는 경우(VPN 사용은 권장되지 않음) 이 기능은 https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits 에 설명된 대로 더 낮은 지연 시간과 최상의 성능을 제공할 수 있습니다.", "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", + "id": "F01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", "severity": "보통", "subcategory": "네트워킹", - "text": "관리되는 내부 네트워크에서 연결하는 클라이언트에 대한 RDP ShortPath 사용량 평가" + "text": "관리되는 내부 네트워크에서 연결하는 클라이언트에 대한 RDP ShortPath 사용 평가", + "waf": "공연" }, { "category": "안전", - "description": "가능한 경우 GPO에서 제공하는 보안 메커니즘을 사용해야 합니다. 예를 들어, 데스크탑 화면 잠금 및 유휴 세션 연결 해제 시간을 부과할 수 있습니다. 온프레미스 환경에 적용된 기존 GPO를 검토하고 도메인에 가입할 때 AVD 호스트를 보호하는 데에도 적용해야 합니다.", + "description": "사용 가능한 경우 GPO에서 제공하는 보안 메커니즘을 사용해야 합니다. 예를 들어 데스크톱 화면 잠금 및 유휴 세션 연결 끊김 시간을 부과할 수 있습니다. 온프레미스 환경에 적용된 기존 GPO를 검토하고 도메인에 가입할 때 AVD 호스트도 보호하기 위해 적용해야 합니다.", "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", + "id": "G01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", "severity": "보통", "subcategory": "액티브 디렉토리", - "text": "Active Directory GPO를 검토하여 RDP 세션 보호" + "text": "Active Directory GPO를 검토하여 RDP 세션 보호", + "waf": "안전" }, { "category": "안전", - "description": "엔드포인트용 Microsoft Defender Windows 10/11 Enterprise 다중 세션용 Azure Virtual Desktop을 지원합니다. 비영구 VDI(가상 데스크톱 인프라) 장치 온보딩에 대한 문서 확인: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", + "description": "엔드포인트용 Microsoft Defender Windows 10/11 Enterprise 다중 세션용 Azure Virtual Desktop을 지원합니다. 
비영구 VDI(가상 데스크톱 인프라) 디바이스 온보딩에 대한 문서 확인: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", "guid": "b1172576-9ef6-4691-a483-5ac932223ece", + "id": "G02.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "severity": "높다", "subcategory": "호스트 구성", - "text": "바이러스 백신 및 맬웨어 방지 솔루션이 사용되는지 확인Ensure anti-virus and anti-malware solutions are used(바이러스 백신 및 맬웨어 방지 솔루션이 사용됨)" + "text": "바이러스 백신 및 맬웨어 방지 솔루션이 사용되는지 확인", + "waf": "안전" }, { "category": "안전", - "description": "Azure의 디스크는 기본적으로 Microsoft 관리형 키를 사용하여 미사용 시 이미 암호화되어 있습니다. 호스트 VM OS 디스크 암호화는 ADE - BitLocker(Azure Disk Encryption) 및 DES - 서버 쪽 암호화(DES - Server Side Encryption)를 사용하여 가능하며 지원되며, 후자를 사용하는 것이 좋습니다. Azure Files를 사용하여 FSLogix 스토리지를 암호화하는 작업은 Azure Storage에서 SSE를 사용하여 수행할 수 있습니다. OneDrive 암호화에 대한 자세한 내용은 https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services 문서를 참조하세요.", + "description": "Azure의 디스크는 기본적으로 Microsoft 관리형 키를 사용하여 미사용 시 이미 암호화되어 있습니다. 호스트 VM OS 디스크 암호화는 ADE - BitLocker(Azure Disk Encryption) 및 DES - 서버 쪽 암호화(Disk Encryption Set)를 사용하여 가능하며 지원되는 경우 후자를 사용하는 것이 좋습니다. Azure Files를 사용한 FSLogix 스토리지의 암호화는 Azure Storage의 SSE를 사용하여 수행할 수 있습니다. OneDrive 암호화에 대한 자세한 내용은 https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services 문서를 참조하세요.", "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", + "id": "G02.02", "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", "severity": "낮다", "subcategory": "호스트 구성", - "text": "AVD 세션 호스트의 디스크 암호화 요구사항 평가" + "text": "AVD 세션 호스트에 대한 디스크 암호화 요구 사항 평가", + "waf": "안전" }, { "category": "안전", - "description": "신뢰할 수 있는 시작은 루트킷, 부트 키트 및 커널 수준 맬웨어와 같은 공격 벡터를 통해 \"스택 맨 아래\" 위협으로부터 보호하기 위한 향상된 보안 기능을 갖춘 Gen2 Azure VM입니다. 
보안 부팅, vTPM(가상 TPM) 및 무결성 모니터링을 사용하도록 설정하고 활용하는 것이 좋습니다.", + "description": "신뢰할 수 있는 시작은 루트킷, 부팅 키트 및 커널 수준 맬웨어와 같은 공격 벡터를 통해 스택 하단 위협으로부터 보호하기 위한 향상된 보안 기능을 갖춘 Gen2 Azure VM입니다. 보안 부팅, vTPM(가상 TPM) 및 무결성 모니터링을 사용하도록 설정하고 활용하는 것이 좋습니다.", "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", + "id": "G02.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", "severity": "보통", "subcategory": "호스트 구성", - "text": "Azure Gen2 VM 세션 호스트에서 신뢰할 수 있는 시작 사용Enable Trusted launch in Azure Gen2 VM Session Hosts" + "text": "Azure Gen2 VM 세션 호스트에서 신뢰할 수 있는 시작 사용Enable Trusted launch in Azure Gen2 VM Session Hosts", + "waf": "안전" }, { "category": "안전", - "description": "신뢰할 수 있는 시작 및 Gen2 VM은 보안 및 성능 향상 기능일 뿐만 아니라 Windows 11의 시스템 요구 사항이기도 합니다. Windows 11 기반의 AVD 환경을 구축할 때 이러한 기능을 활성화하는 것이 필수적입니다.", + "description": "신뢰할 수 있는 시작 및 Gen2 VM은 보안 및 성능 향상 기능일 뿐만 아니라 Windows 11의 시스템 요구 사항이기도 합니다. Windows 11 기반 AVD 환경을 빌드할 때 이러한 기능을 활성화하는 것이 중요합니다.", "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", + "id": "G02.04", "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", "severity": "높다", "subcategory": "호스트 구성", - "text": "신뢰할 수 있는 시작 사용 및 Gen2 이미지 사용은 Windows 11 시스템 요구 사항입니다" + "text": "신뢰할 수 있는 시작 사용 및 Gen2 이미지 사용은 Windows 11의 시스템 요구 사항입니다.", + "waf": "안전" }, { "category": "안전", - "description": "표시된 콘텐츠는 스크린샷에서 자동으로 차단되거나 숨겨집니다. 화면 공유를 사용하는 Teams 또는 기타 공동 작업 소프트웨어를 사용하는 경우에도 화면 공유가 차단됩니다.", + "description": "표시된 콘텐츠는 스크린샷에서 자동으로 차단되거나 숨겨집니다. 
화면 공유를 사용하는 Teams 또는 기타 협업 소프트웨어를 사용할 때도 화면 공유가 차단됩니다.", "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", + "id": "G02.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", "severity": "낮다", "subcategory": "호스트 구성", - "text": "중요한 정보가 캡처되지 않도록 화면 캡처 보호를 사용하도록 설정하는 것이 좋습니다" + "text": "중요한 정보가 캡처되지 않도록 화면 캡처 보호를 사용하도록 설정하는 것이 좋습니다.", + "waf": "안전" }, { "category": "안전", - "description": "반드시 필요한 것은 아니지만 원격 데스크톱 세션에서 드라이브, 프린터 및 USB 디바이스를 사용자의 로컬 디바이스로 리디렉션하는 것을 사용하지 않도록 설정하거나 매우 제한해야 합니다. 로컬 및 원격 드라이브 매핑을 숨겨 Windows 탐색기 액세스를 제한하는 것은 사용자가 시스템 구성 및 사용자에 대한 원치 않는 정보를 발견하지 못하도록 하는 안전한 조치이기도 합니다.", + "description": "반드시 필요한 것은 아닌 경우 원격 데스크톱 세션에서 드라이브, 프린터 및 USB 디바이스를 사용자의 로컬 디바이스로 리디렉션하는 것을 사용하지 않도록 설정하거나 매우 제한해야 합니다. 로컬 및 원격 드라이브 매핑을 숨겨 Windows 탐색기 액세스를 제한하는 것도 사용자가 시스템 구성 및 사용자에 대한 원치 않는 정보를 검색하지 못하도록 하는 안전한 방법입니다.", "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", + "id": "G02.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", "severity": "보통", "subcategory": "호스트 구성", - "text": "장치 리디렉션 및 드라이브 매핑 제한Restrict device redirection and drive mapping" + "text": "장치 리디렉션 및 드라이브 매핑 제한Restrict device redirection and drive mapping", + "waf": "안전" }, { "category": "안전", - "description": "배포 모델을 선택할 때 원격 사용자에게 전체 가상 데스크톱에 대한 액세스 권한을 제공하거나 일부 응용 프로그램만 선택할 수 있습니다. 원격 응용 프로그램 또는 RemoteApp는 사용자가 가상 데스크톱에서 앱을 사용할 때 원활한 환경을 제공합니다. RemoteApp는 사용자가 응용 프로그램에 의해 노출되는 원격 컴퓨터의 하위 집합으로만 작업할 수 있도록 하여 위험을 줄입니다.", + "description": "배포 모델을 선택할 때 원격 사용자에게 전체 가상 데스크톱에 대한 액세스 권한을 제공하거나 응용 프로그램만 선택할 수 있습니다. 원격 응용 프로그램 또는 RemoteApps는 사용자가 가상 데스크톱에서 앱을 사용할 때 원활한 환경을 제공합니다. 
RemoteApps는 사용자가 응용 프로그램에 의해 노출된 원격 컴퓨터의 하위 집합으로만 작업할 수 있도록 하여 위험을 줄입니다.", "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", + "id": "G03.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "보통", "subcategory": "경영", - "text": "가능하면 DAG(전체 데스크톱)보다 원격 앱을 사용하는 것이 좋습니다" + "text": "가능하면 DAG(전체 데스크톱)보다 원격 앱을 선호합니다.", + "waf": "안전" }, { "category": "안전", - "description": "엔드포인트용 Microsoft Defender 웹 보호 기능에서 제공하는 웹 콘텐츠 필터링 기능을 사용하여 사용자 웹 탐색을 제어할 수 있습니다. 이 도구를 사용하는 경우 사용자 인터넷 검색을 위한 웹 필터링을 구성하는 것이 좋습니다. 게스트 OS 시스템에서 필요한 AVD 컨트롤 플레인 URL에 액세스할 수 있도록 보장해야 합니다.", + "description": "엔드포인트용 Microsoft Defender 웹 보호 기능에서 제공하는 웹 콘텐츠 필터링 기능을 사용하여 사용자 웹 탐색을 제어할 수 있습니다. 이 도구를 사용하는 경우 사용자 인터넷 검색에 대한 웹 필터링을 구성하는 것이 좋습니다. 게스트 OS 시스템에서 필요한 AVD 컨트롤 플레인 URL에 액세스할 수 있어야 합니다.", "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "id": "G03.02", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "보통", "subcategory": "경영", - "text": "AVD 세션 호스트에서 사용자 인터넷 탐색을 제어/제한해야 합니까?" + "text": "AVD 세션 호스트에서 사용자 인터넷 탐색을 제어/제한해야 하나요?", + "waf": "안전" }, { "category": "안전", "description": "사용자에게 가상 데스크톱에 대한 관리자 액세스 권한을 부여하지 않는 것이 좋습니다. 소프트웨어 패키지가 필요한 경우 구성 관리 유틸리티를 통해 사용할 수 있도록 하는 것이 좋습니다.", "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "id": "G03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", "severity": "높다", "subcategory": "경영", - "text": "AVD 사용자에게 AVD 호스트에 대한 로컬 관리자 권한이 없는지 확인" + "text": "AVD 사용자가 AVD 호스트에 대한 로컬 관리자 권한을 갖지 않는지 확인", + "waf": "안전" }, { "category": "안전", - "description": "AVD에서 사용하는 구독, 가상 머신, 키 자격 증명 모음 및 스토리지 계정에 대해 클라우드용 Defender를 사용하도록 설정하는 것이 좋습니다. 이 도구를 사용하면 취약성을 평가 및 관리하고, PCI와 같은 일반적인 프레임워크의 준수 여부를 평가하고, AVD 환경의 전반적인 보안을 강화하고, '보안 점수'를 사용하여 시간 경과에 따라 측정할 수 있습니다. 
https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide#improve-your-secure-score.", + "description": "AVD에서 사용하는 구독, 가상 머신, 키 자격 증명 모음 및 스토리지 계정에 대해 클라우드용 Defender를 사용하도록 설정하는 것이 좋습니다. 이 도구를 사용하면 취약점을 평가 및 관리하고, PCI와 같은 일반적인 프레임워크의 규정 준수를 평가하고, AVD 환경의 전반적인 보안을 강화하고, '보안 점수'를 사용하여 시간 경과에 따라 측정할 수 있습니다. https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "id": "G03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "severity": "보통", "subcategory": "경영", - "text": "클라우드용 Microsoft Defender를 사용하여 AVD 세션 호스트 보안 태세 관리" + "text": "클라우드용 Microsoft Defender를 사용하여 AVD 세션 호스트 보안 태세를 관리할 수 있습니다.", + "waf": "안전" }, { "category": "안전", "description": "감사 로그 수집을 사용하도록 설정하면 Azure Virtual Desktop과 관련된 사용자 및 관리자 활동을 보고 Log Analytics 작업 영역과 같은 중앙 리포지토리에 저장할 수 있습니다. ", "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "id": "G03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", "severity": "보통", "subcategory": "경영", - "text": "진단 및 감사 로깅 사용Enable diagnostic and audit logging" + "text": "진단 및 감사 로깅 사용Enable diagnostic and audit logging", + "waf": "안전" }, { "category": "안전", - "description": "Azure RBAC 역할에 관리, 운영 및 엔지니어링 역할을 정의하여 필요한 최소 권한을 할당합니다. Azure Virtual Desktop 랜딩 존 내에서 높은 권한 역할에 대한 액세스를 제한하려면 Azure PIM(Privileged Identity Management)과의 통합을 고려합니다. 각 특정 관리 영역을 담당하는 팀에 대한 지식을 유지하면 Azure RBAC(역할 기반 액세스 제어) 역할 및 구성을 결정하는 데 도움이 됩니다.", + "description": "Azure RBAC 역할에 관리, 운영 및 엔지니어링 역할을 정의하여 필요한 최소 권한을 할당합니다. Azure Virtual Desktop 랜딩 존 내에서 높은 권한 역할에 대한 액세스를 제한하려면 Azure PIM(Privileged Identity Management)과의 통합을 고려합니다. 
각 특정 관리 영역을 담당하는 팀에 대한 지식을 유지 관리하면 Azure RBAC(역할 기반 액세스 제어) 역할 및 구성을 결정하는 데 도움이 됩니다.", "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", + "id": "G03.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", "severity": "낮다", "subcategory": "경영", - "text": "AVD 관리를 위해 커스텀 RBAC 역할을 사용하기 위한 요구사항 평가" + "text": "AVD 관리에 맞춤 RBAC 역할을 사용하기 위한 요구사항 평가", + "waf": "안전" }, { "category": "안전", - "description": "AVD 사용자는 애플리케이션을 설치할 수 있는 권한이 없어야 합니다. 필요한 경우 Windows Defender WDAC(애플리케이션 제어)를 사용하여 Windows 클라이언트에서 실행할 수 있는 드라이버 및 애플리케이션을 제어할 수 있습니다. ", + "description": "AVD 사용자는 애플리케이션을 설치할 수 있는 권한이 없어야 합니다. 필요한 경우 WDAC(Windows Defender 애플리케이션 제어)를 사용하여 Windows 클라이언트에서 실행할 수 있는 드라이버 및 애플리케이션을 제어할 수 있습니다. ", "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", + "id": "G03.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", "severity": "보통", "subcategory": "경영", - "text": "사용자가 승인되지 않은 응용 프로그램을 설치하지 못하도록 제한" + "text": "사용자가 승인되지 않은 응용 프로그램을 설치하지 못하도록 제한", + "waf": "안전" }, { "category": "안전", - "description": "MFA 및 CA를 사용 설정하면 사용자에게 AVD 환경에 대한 액세스 권한을 부여하기 전에 위험을 관리할 수 있습니다. 액세스 권한을 부여할 사용자를 결정할 때 사용자가 누구인지, 어떻게 로그인하는지, 어떤 기기를 사용하는지도 고려하는 것이 좋습니다. 추가 세부 정보 및 구성 절차는 동반 문서에 나와 있습니다. Microsoft Entra ID는 Azure AD(Azure Active Directory)의 새 이름입니다.", + "description": "MFA 및 CA를 사용 설정하면 사용자에게 AVD 환경에 대한 액세스 권한을 부여하기 전에 위험을 관리할 수 있습니다. 액세스 권한을 부여할 사용자를 결정할 때 사용자가 누구인지, 로그인 방법, 사용 중인 기기도 고려하는 것이 좋습니다. 추가 세부 정보 및 구성 절차는 관련 문서에 나와 있습니다. 
Microsoft Entra ID는 Azure AD(Azure Active Directory)의 새 이름입니다.", "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", + "id": "G04.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", "severity": "보통", - "subcategory": "마이크로소프트 엔트라 ID", - "text": "AVD 사용자에 대한 Multi-Factor Authentication(MFA) 및 조건부 액세스(CA) 사용량 평가" + "subcategory": "Microsoft Entra ID", + "text": "AVD 사용자에 대한 다단계 인증(MFA) 및 조건부 액세스(CA) 사용 평가", + "waf": "안전" }, { "category": "안전", - "description": "제로 트러스트가 필요한 경우 '추가 정보' 열의 동반 문서를 검토하세요. Azure Virtual Desktop 배포에 제로 트러스트 원칙을 적용하는 단계를 제공합니다.", + "description": "제로 트러스트가 요구 사항인 경우 '추가 정보' 열의 동반 문서를 검토하세요. 제로 트러스트 원칙을 Azure Virtual Desktop 배포에 적용하는 단계를 제공합니다.", "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", + "id": "G05.01", "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd", "severity": "보통", "subcategory": "제로 트러스트", - "text": "제로 트러스트 원칙 및 지침 검토 및 적용Review and Apply Zero Trust principles and guidance" + "text": "Zero Trust 원칙 및 지침 검토 및 적용", + "waf": "안전" }, { "category": "보관", "description": "사용하는 경우 참조된 문서에 설명된 모범 사례 및 권장 사항 목록을 확인해야 합니다.", "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", + "id": "H01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", "severity": "보통", "subcategory": "Azure 파일", - "text": "Azure Files에 대한 모범 사례 확인" + "text": "Azure Files에 대한 모범 사례 확인", + "waf": "공연" }, { "category": "보관", - "description": "SMB 다중 채널을 통해 클라이언트는 소유 비용을 낮추면서 향상된 성능을 제공하는 여러 네트워크 연결을 사용할 수 있습니다. 여러 NIC에 대한 대역폭 집계 및 NIC에 대한 RSS(수신측 배율) 지원을 활용하여 여러 CPU에 IO 부하를 분산함으로써 성능이 향상됩니다.", + "description": "SMB 다중 채널을 통해 클라이언트는 소유 비용을 낮추면서 향상된 성능을 제공하는 여러 네트워크 연결을 사용할 수 있습니다. 
여러 NIC를 통한 대역폭 집계와 NIC에 대한 RSS(수신측 크기 조정) 지원을 활용하여 여러 CPU에 IO 부하를 분산함으로써 성능이 향상됩니다.", "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", + "id": "H01.02", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", "severity": "낮다", "subcategory": "Azure 파일", - "text": "프리미엄 파일 공유를 사용하여 FSLogix 프로필 컨테이너를 호스트할 때 SMB 다중 채널을 사용하도록 설정합니다." + "text": "프리미엄 파일 공유를 사용하여 FSLogix 프로필 컨테이너를 호스트하는 경우 SMB 다중 채널을 사용하도록 설정합니다.", + "waf": "공연" }, { "category": "보관", "description": "DR을 위해 두 번째 지역이 필요한 경우 해당 지역에서도 NetApp 가용성을 확인합니다.", "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", + "id": "H02.01", "link": "https://azure.microsoft.com/global-infrastructure/services/", "severity": "보통", "subcategory": "Azure NetApp Files", - "text": "NetApp Files 스토리지가 필요한 경우 특정 지역의 스토리지 서비스 가용성을 확인합니다." + "text": "NetApp Files 스토리지가 필요한 경우 특정 지역의 스토리지 서비스 가용성을 확인하십시오.", + "waf": "신뢰도" }, { "category": "보관", - "description": "CA 옵션은 세션 호스트와 NetApp Files 간에 보다 탄력적인 SMB 세션을 사용할 수 있도록 FSLogix 시나리오에서 권장되는 설정입니다.", + "description": "CA 옵션은 세션 호스트와 NetApp Files 간에 보다 탄력적인 SMB 세션을 사용할 수 있으므로 FSLogix 시나리오에서 권장되는 설정입니다.", "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", + "id": "H02.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", "severity": "보통", "subcategory": "Azure NetApp Files", - "text": "NetApp Files 스토리지를 사용하는 경우 CA(Continuous Availability) 옵션을 활성화하여 복원력을 높입니다." 
+ "text": "NetApp Files 스토리지를 사용하는 경우 CA(지속적인 가용성) 옵션을 활성화하여 복원력을 높입니다", + "waf": "신뢰도" }, { "category": "보관", "description": "ANF(Azure NetApp Files) 서브넷을 만들 Azure 가상 네트워크 환경에 대해 Active Directory 사이트를 만들어야 하며, 참조 문서에 설명된 대로 조인 절차를 실행할 때 ANF 연결 속성에 해당 사이트 이름을 지정해야 합니다.", "guid": "6647e977-db49-48a8-bc35-743f17499d42", + "id": "H02.03", "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", "severity": "높다", "subcategory": "Azure NetApp Files", - "text": "Azure NetApp Files 스토리지를 사용하는 경우 Active Directory 연결 구성에서 Active Directory 사이트 이름 설정을 확인합니다" + "text": "Azure NetApp Files 스토리지를 사용하는 경우 Active Directory 연결 구성에서 Active Directory 사이트 이름 설정을 확인합니다", + "waf": "신뢰도" }, { "category": "보관", "description": "가능한 옵션: 표준 HDD, 표준 SSD 또는 프리미엄 SSD. 임시 디스크는 지원되지 않으며 Ultra-Disk는 권장되지 않습니다. 사용자 밀도가 낮지 않고 Cloud Cache를 사용할 경우 OS 디스크에 대한 프리미엄을 평가하는 것이 좋습니다. ", "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", + "id": "H03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", "severity": "보통", "subcategory": "용량 계획", - "text": "세션 호스트에 사용할 관리 디스크 유형 결정" + "text": "세션 호스트에 사용할 관리 디스크 유형 결정", + "waf": "공연" }, { "category": "보관", - "description": "가능한 옵션은 Azure NetApp Files, Azure Files, VM 기반 파일 서버입니다. 파일 서버는 권장되지 않습니다. Azure Files Premium은 일반적으로 좋은 시작점입니다. NetApp은 일반적으로 대규모/고성능 환경에 필요합니다. 자세한 비교는 '추가 정보' 열의 문서를 참조하세요.", + "description": "가능한 옵션은 Azure NetApp Files, Azure Files, VM 기반 파일 서버입니다. 파일 서버는 권장하지 않습니다. Azure Files 프리미엄은 일반적으로 좋은 시작점입니다. NetApp은 일반적으로 대규모/고성능 환경에 필요합니다. 자세한 비교는 '추가 정보' 열의 문서를 참조하세요.", "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", + "id": "H03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "severity": "높다", "subcategory": "용량 계획", - "text": "FSLogix 프로필에 사용할 스토리지 백 엔드 솔루션 결정" + "text": "FSLogix 프로필에 사용할 스토리지 백 엔드 솔루션 결정", + "waf": "공연" }, { "category": "보관", - "description": "모든 호스트 풀은 별도의 스토리지 계정/볼륨(하나 이상) 및 공유 집합을 사용해야 합니다. 
설정 및 구성은 각 호스트 풀에 따라 다르므로 사용자는 각 호스트 풀에 대해 서로 다른 프로필을 가져야 합니다. 또한 동시에 다른 호스트 풀에 액세스하면 공유 사용자 프로필 VHD/X에서 오류가 발생할 수 있습니다. 여러 공유에 대해 서로 다른 스토리지 계정/볼륨을 사용하는 것도 독립적으로 확장하는 것이 좋습니다.", + "description": "모든 호스트 풀은 별도의 스토리지 계정/볼륨(하나 이상) 및 공유 집합을 사용해야 합니다. 설정 및 구성은 각 호스트 풀에 따라 다르므로 사용자는 각 호스트 풀에 대해 서로 다른 프로필을 가져야 합니다. 또한 서로 다른 호스트 풀에 동시에 액세스하면 공유 사용자 프로필 VHD/X에서 오류가 발생할 수 있습니다. 여러 공유에 대해 서로 다른 스토리지 계정/볼륨을 사용하는 것도 독립적으로 크기를 조정하는 것이 좋습니다.", "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", + "id": "H03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "severity": "높다", "subcategory": "용량 계획", - "text": "서로 다른 호스트 풀 간에 스토리지 및 프로파일을 공유하지 마십시오" + "text": "서로 다른 호스트 풀 간에 스토리지 및 프로필을 공유하지 마십시오.", + "waf": "공연" }, { "category": "보관", - "description": "프로필 컨테이너 스토리지 성능 요구 사항을 예측하기 위한 시작점으로 안정적인 상태에서는 사용자당 10 IOPS를 가정하고 로그인/로그아웃 중에는 사용자당 50 IOPS를 가정하는 것이 좋습니다. 공간 요구 사항은 각 호스트 풀의 총 사용자 수에 따라 FSLogix의 최대 프로필 크기를 기준으로 간단히 가져옵니다. 필요한 경우 동일한 호스트 풀에 여러 스토리지 계정을 사용할 수 있습니다.", + "description": "프로필 컨테이너 스토리지 성능 요구 사항을 예측하기 위한 시작점으로 안정적인 상태에서는 사용자당 10 IOPS를, 로그인/로그아웃 중에는 사용자당 50 IOPS를 가정하는 것이 좋습니다. 공간 요구 사항은 각 호스트 풀의 총 사용자 수당 FSLogix의 최대 프로필 크기에 따라 간단히 가져옵니다. 필요한 경우 동일한 호스트 풀에 여러 스토리지 계정을 사용할 수 있습니다.", "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "id": "H03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "severity": "높다", "subcategory": "용량 계획", - "text": "스토리지 확장성 제한 및 호스트 풀 요구 사항 확인" + "text": "스토리지 확장성 제한 및 호스트 풀 요구 사항 확인", + "waf": "신뢰도" }, { "category": "보관", "description": "가능한 경우 지역 간 네트워크 트래픽과 관련된 추가 대기 시간 및 비용을 도입하지 마세요.", "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "id": "H03.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "severity": "높다", "subcategory": "용량 계획", - "text": "최적의 성능을 위해 스토리지 솔루션과 FSLogix 프로필 컨테이너는 동일한 Azure 지역에 있어야 합니다." 
+ "text": "최적의 성능을 위해 스토리지 솔루션과 FSLogix 프로필 컨테이너는 동일한 Azure 지역에 있어야 합니다.", + "waf": "공연" }, { "category": "보관", - "description": "Azure Virtual Desktop의 권장 사항은 아래 재해 복구 섹션에 설명된 대로 특정 BCDR(비즈니스 연속성 및 재해 복구) 시나리오를 계획하지 않는 한 ODFC(Office 컨테이너) 분할이 없는 프로필 컨테이너를 사용하는 것입니다. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", + "description": "Azure Virtual Desktop의 권장 사항은 아래 재해 복구 섹션에 설명된 대로 특정 BCDR(비즈니스 연속성 및 재해 복구) 시나리오를 계획하지 않는 한 ODFC(Office 컨테이너) 분할 없이 프로필 컨테이너를 사용하는 것입니다. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "id": "H04.01", "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "severity": "높다", - "subcategory": "FSLogix", - "text": "엄격하게 요구되고 정당하지 않은 경우 ODFC(Office Containers)를 사용하지 마세요." + "subcategory": "에프에스로직스", + "text": "엄격하게 요구되고 정당화되지 않는 경우 ODFC(Office Container)를 사용하지 마세요.", + "waf": "신뢰도" }, { "category": "보관", - "description": "'추가 정보' 열의 참조된 문서에 설명된 대로 FSLogix 프로필 컨테이너 가상 하드 드라이브에 대해 다음과 같은 바이러스 백신 제외를 구성해야 합니다.", + "description": "'추가 정보' 열의 참조 문서에 설명된 대로 FSLogix 프로필 컨테이너 가상 하드 드라이브에 대해 다음 바이러스 백신 제외를 구성해야 합니다.", "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "id": "H04.02", "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "severity": "보통", - "subcategory": "FSLogix", - "text": "FSLogix에 대한 권장 바이러스 백신 제외를 구성합니다(연결 시 VHD(x) 파일을 검사하지 않는 항목 포함)." + "subcategory": "에프에스로직스", + "text": "FSLogix에 대한 권장 바이러스 백신 제외를 구성합니다(연결 시 VHD(x) 파일을 검사하지 않는 것 포함).", + "waf": "안전" }, { "category": "보관", - "description": "프로필 컨테이너의 기본 최대 크기는 30GB입니다. 큰 프로필 컨테이너가 예상되고 고객이 이를 작게 유지하려는 경우 OneDrive를 사용하여 FSLogix 프로필 외부에서 Office 365 파일을 호스트하는 것이 좋습니다.", + "description": "프로필 컨테이너의 기본 최대 크기는 30GB입니다. 
큰 프로필 컨테이너가 예상되고 고객이 작게 유지하려는 경우 OneDrive를 사용하여 FSLogix 프로필 외부에서 Office 365 파일을 호스트하는 것이 좋습니다.", "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "id": "H04.03", "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "severity": "높다", - "subcategory": "FSLogix", - "text": "FSLogix에서 구성된 최대 프로필 크기 검토 및 확인" + "subcategory": "에프에스로직스", + "text": "FSLogix에서 구성된 최대 프로필 크기 검토 및 확인", + "waf": "비용" }, { "category": "보관", "description": "기본값 및 권장 설정은 '추가 정보' 열의 동반 문서에 보고됩니다. 권장되지 않는 키 및/또는 값을 사용해야 하는 경우 Microsoft AVD 전문가와 함께 검토하고 선택 사항을 명확하게 문서화해야 합니다.", "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "id": "H04.04", "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "severity": "높다", - "subcategory": "FSLogix", - "text": "FSLogix 레지스트리 키를 검토하고 적용할 레지스트리 키를 결정합니다." + "subcategory": "에프에스로직스", + "text": "FSLogix 레지스트리 키를 검토하고 적용할 레지스트리 키 결정", + "waf": "신뢰도" }, { "category": "보관", - "description": "Azure Virtual Desktop에서는 동시 또는 다중 연결을 사용하지 않는 것이 좋습니다. 동시 연결은 Azure Virtual Desktop 호스트 풀에서 실행되는 세션 호스트에서도 지원되지 않습니다. OneDrive를 사용하는 경우 어떤 상황에서도 동일한 컨테이너를 사용하는 동시 또는 다중 연결을 지원하지 않습니다. 여러 연결의 경우 동일한 프로필 디스크를 사용하지 않는 것이 좋습니다.", + "description": "동시 또는 다중 연결은 Azure Virtual Desktop에서 권장되지 않습니다. 동시 연결은 Azure Virtual Desktop 호스트 풀에서 실행되는 세션 호스트에서도 지원되지 않습니다. OneDrive를 사용하는 경우 어떤 상황에서도 동일한 컨테이너를 사용하는 동시 또는 여러 연결을 지원하지 않습니다. 여러 연결의 경우 동일한 프로필 디스크를 사용하지 않는 것이 좋습니다.", "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "id": "H04.05", "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "severity": "높다", - "subcategory": "FSLogix", - "text": "동시 또는 다중 연결 사용 방지" + "subcategory": "에프에스로직스", + "text": "동시 또는 다중 연결 사용 방지", + "waf": "신뢰도" }, { "category": "보관", - "description": "Cloud Cache는 OS 드라이브를 로컬 캐시 스토리지로 사용하며 VM 디스크에 많은 부담을 줄 수 있습니다. 사용된 VM SKU 및 크기에 따라 VM 임시 드라이브는 클라우드 캐시 캐시된 콘텐츠를 재배치할 수 있는 실행 가능하고 성능이 뛰어난 솔루션이 될 수 있습니다. 이 솔루션을 채택하기 전에 성능과 안정성을 확인하기 위해 테스트를 실행해야 합니다. 
Cloud Cache에 대한 자세한 내용은 https://learn.microsoft.com/en-us/fslogix/concepts-fslogix-cloud-cache 에서 확인할 수 있습니다. ", + "description": "Cloud Cache는 OS 드라이브를 로컬 캐시 스토리지로 사용하며 VM 디스크에 많은 부담을 줄 수 있습니다. 사용되는 VM SKU 및 크기에 따라 VM 임시 드라이브는 Cloud Cache 캐시된 콘텐츠를 재배치하는 실행 가능하고 성능이 뛰어난 솔루션이 될 수 있습니다. 이 솔루션을 채택하기 전에 테스트를 실행하여 성능과 안정성을 확인해야 합니다. Cloud Cache에 대한 자세한 내용은 https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache 에서 확인할 수 있습니다. ", "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "id": "H04.06", "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "severity": "낮다", - "subcategory": "FSLogix", - "text": "FSLogix 클라우드 캐시를 사용하는 경우 캐시 디렉터리를 VM 임시 드라이브로 이동하는 것이 좋습니다." + "subcategory": "에프에스로직스", + "text": "FSLogix Cloud Cache를 사용하는 경우 캐시 디렉터리를 VM 임시 드라이브로 이동하는 것이 좋습니다.", + "waf": "공연" }, { "category": "보관", - "description": "리디렉션.XML 파일은 프로필 컨테이너에서 'C:' 드라이브로 리디렉션되는 폴더를 제어하는 데 사용됩니다. 제외는 예외여야 하며 제외를 구성하는 사람이 특정 제외를 완전히 이해하지 않는 한 사용해서는 안 됩니다. 제외는 항상 구현하려는 환경에서 완전히 테스트되어야 합니다. 제외를 구성하면 기능, 안정성 및 성능에 영향을 줄 수 있습니다.", + "description": "리디렉션 .XML 파일은 프로필 컨테이너에서 'C:' 드라이브로 리디렉션되는 폴더를 제어하는 데 사용됩니다. 제외는 예외여야 하며 제외를 구성하는 사람이 특정 제외를 완전히 이해하지 않는 한 사용해서는 안 됩니다. 제외는 항상 구현하려는 환경에서 완전히 테스트되어야 합니다. 제외를 구성하면 기능, 안정성 및 성능에 영향을 줄 수 있습니다.", "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", + "id": "H04.07", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", "severity": "보통", - "subcategory": "FSLogix", - "text": "FSLogix 리디렉션 사용을 검토합니다." + "subcategory": "에프에스로직스", + "text": "FSLogix 리디렉션의 사용을 검토합니다.", + "waf": "비용" } ], "metadata": { "name": "Azure Virtual Desktop Review", "state": "GA", - "timestamp": "July 14, 2023" + "timestamp": "November 09, 2023" }, "severities": [ { 
@@ -1228,12 +1487,37 @@
 "name": "성취"
 },
 {
- "description": "권장 사항을 이해했지만 현재 요구 사항에는 필요하지 않습니다.",
- "name": "필요하지 않음"
+ "description": "권장 사항은 이해되었지만 현재 요구 사항에 필요하지 않음",
+ "name": "필요 없음"
 },
 {
 "description": "현재 설계에는 적용되지 않습니다.",
- "name": "해당 사항 없음"
+ "name": "해당 없음"
+ }
+ ],
+ "waf": [
+ {
+ "name": "신뢰도"
+ },
+ {
+ "name": "안전"
+ },
+ {
+ "name": "비용"
+ },
+ {
+ "name": "작업"
+ },
+ {
+ "name": "공연"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "예"
+ },
+ {
+ "name": "아니요"
+ }
 ]
 }
\ No newline at end of file
diff --git a/checklists/avd_checklist.pt.json b/checklists/avd_checklist.pt.json
index b30c1f08c..07143293a 100644
--- a/checklists/avd_checklist.pt.json
+++ b/checklists/avd_checklist.pt.json
@@ -1,5 +1,4 @@
 {
- "$schema": "checklist.schema.json",
 "categories": [
 {
 "name": "Fundação"
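Review bot: The five `name` values added under the new `waf` array (`신뢰도`, `안전`, `비용`, `작업`, `공연`) appear to be the same strings the items in the preceding hunk carry in their `waf` field, so they act as join keys rather than display text, and two of them look machine-translated: `공연` is a stage performance rather than system performance (`성능`), and `안전` is safety rather than security (`보안`). If the consumer matches `items[].waf` against `waf[].name`, a locale-specific pillar string is fragile — consider a fixed, locale-independent pillar key with a separate localized label, or at least align these labels with the English pillar names before they are used as identifiers. The file also still ends without a trailing newline (`\ No newline at end of file`). The adjacent pt.json hunk drops `"$schema": "checklist.schema.json"`; if that was done because the schema does not yet describe the new `id`, `waf` and `yesno` fields, extending the schema keeps validation of these checklist files rather than switching it off.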
@@ -31,1177 +30,1437 @@ "category": "Continuidade de negócios e recuperação de desastres", "description": "O plano de controle AVD não oferece um contrato de nível de serviço com suporte financeiro. Nós nos esforçamos para atingir pelo menos 99,9% de disponibilidade para as URLs de serviço da Área de Trabalho Virtual do Azure. A disponibilidade das máquinas virtuais do host de sessão em sua assinatura é coberta pelo SLA de Máquinas Virtuais. Os recursos/serviços dependentes e a disponibilidade da infraestrutura também devem ser considerados para satisfazer adequadamente os requisitos globais de alta disponibilidade.", "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1", + "id": "A01.01", "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", "severity": "Alto", "subcategory": "Calcular", - "text": "Determinar o SLA de alta disponibilidade esperado para aplicativos/desktops publicados por meio do AVD" + "text": "Determinar o SLA de alta disponibilidade esperado para aplicativos/desktops publicados por meio do AVD", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", - "description": "O modelo 'Ativo-Ativo' pode ser alcançado com vários pools de hosts em diferentes regiões. Um único Pool de Hosts com VMs de regiões diferentes não é recomendado. Se vários pools para os mesmos usuários forem usados, o problema de como sincronizar/replicar perfis de usuário deverá ser resolvido. O FSLogix Cloud Cache pode ser usado, mas precisa ser cuidadosamente revisado e planejado, ou os clientes podem decidir não sincronizar/replicar. 'Ativo-Passivo' pode ser obtido usando o Azure Site Recovery (ASR) ou a implantação de Pool sob demanda com mecanismo automatizado. 
Para uma discussão detalhada sobre BCDR de várias regiões, leia o artigo complementar na coluna 'Mais informações' e esta página relacionada ao FSLogix: https://learn.microsoft.com/en-us/fslogix/concepts-container-recovery-business-continuity.", + "description": "O modelo 'Ativo-Ativo' pode ser alcançado com vários pools de hosts em diferentes regiões. Um único Pool de Hosts com VMs de regiões diferentes não é recomendado. Se vários pools para os mesmos usuários forem usados, o problema de como sincronizar/replicar perfis de usuário deverá ser resolvido. O FSLogix Cloud Cache pode ser usado, mas precisa ser cuidadosamente revisado e planejado, ou os clientes podem decidir não sincronizar/replicar. 'Ativo-Passivo' pode ser obtido usando o Azure Site Recovery (ASR) ou a implantação de Pool sob demanda com mecanismo automatizado. Para uma discussão detalhada sobre BCDR de várias regiões, leia o artigo complementar na coluna 'Mais informações' e esta página relacionada ao FSLogix: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.", "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", + "id": "A01.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", "severity": "Média", "subcategory": "Calcular", - "text": "Avaliar os requisitos de recuperação de desastres geográficos para pools de hosts AVD" + "text": "Avaliar os requisitos de recuperação de desastres geográficos para pools de hosts AVD", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", - "description": "Antes de abordar o planejamento e o design do BCDR da Área de Trabalho Virtual do Azure, é importante considerar inicialmente quais aplicativos são consumidos por meio do AVD como críticos. 
Talvez você queira separá-los de aplicativos não críticos e usar um Pool de Hosts separado com uma abordagem e recursos de recuperação de desastres diferentes.", + "description": "Antes de abordar o planejamento e o design do BCDR da Área de Trabalho Virtual do Azure, é importante considerar inicialmente quais aplicativos consumidos por meio do AVD são críticos. Talvez você queira separá-los de aplicativos não críticos e usar um Pool de Hosts separado com uma abordagem e recursos de recuperação de desastres diferentes.", "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", + "id": "A01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Baixo", "subcategory": "Calcular", - "text": "Separe aplicativos críticos em diferentes pools de hosts AVD" + "text": "Separe aplicativos críticos em diferentes pools de hosts AVD", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", - "description": "Cada Pool de Hosts pode ser implantado usando Zonas de Disponibilidade (AZ) ou Conjunto de Disponibilidade (AS). Para maximizar a resiliência, o uso do AZ é recomendado: no momento da criação do Pool de Hosts, você pode decidir espalhar os Hosts de Sessão do Pool de Hosts por todos os AZ disponíveis. Mais detalhes sobre AZ e AVD no artigo complementar. Para uma comparação entre AZ e AS, você pode ler aqui: https://learn.microsoft.com/en-us/azure/virtual-machines/availability.", + "description": "Cada Pool de Hosts pode ser implantado usando Zonas de Disponibilidade (AZ) ou Conjunto de Disponibilidade (AS). Para maximizar a resiliência, o uso do AZ é recomendado: no momento da criação do Pool de Hosts, você pode decidir espalhar os Hosts de Sessão do Pool de Hosts por todos os AZ disponíveis. Mais detalhes sobre AZ e AVD no artigo complementar. 
Para uma comparação entre AZ e AS, você pode ler aqui: https://learn.microsoft.com/azure/virtual-machines/availability.", "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", + "id": "A01.04", "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", "severity": "Alto", "subcategory": "Calcular", - "text": "Planejar a melhor opção de resiliência para a implantação do AVD Host Pool" + "text": "Planejar a melhor opção de resiliência para a implantação do AVD Host Pool", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "O Backup do Azure pode ser usado para proteger VMs do Pool de Hosts. Para pools agrupados, isso não é necessário, pois deve ser sem monitoração de estado. Em vez disso, essa opção pode ser considerada para Pools de Host Pessoal.", "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", + "id": "A01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Média", "subcategory": "Calcular", - "text": "Avaliar o requisito de backup de VMs de host de sessão AVD" + "text": "Avaliar o requisito de backup de VMs de host de sessão AVD", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "Mesmo para Pools Pessoais, recomenda-se o uso de Zonas de Disponibilidade, quando disponíveis. Três possíveis estratégias de DR na região são possíveis, recomenda-se selecionar a melhor com base no custo, RTO/RPO, e se for realmente necessário salvar todo o disco do sistema operacional da VM: (1) crie cada host de sessão em uma zona específica (AZ) e, em seguida, use o Azure Site Recovery (ASR) para replicar para uma zona diferente. (2) Use o Backup do Azure para fazer backup e restaurar o host de sessão específico em um AZ diferente. 
(3) Crie um novo host de sessão em um AZ diferente e confie no FSLogix e/ou no OneDrive para disponibilizar dados e configurações na nova máquina. Todas as opções exigem intervenção do administrador para DR e atribuição direta de usuário no nível do Pool de Hosts, então devem ser planejadas e configuradas com antecedência.", "guid": "5da58639-ca3a-4961-890b-29663c5e10d", + "id": "A01.06", "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", "severity": "Média", "subcategory": "Calcular", - "text": "Preparar uma estratégia de DR local para hosts de sessão do pool de hosts pessoais" + "text": "Preparar uma estratégia de DR local para hosts de sessão do pool de hosts pessoais", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "Se imagens personalizadas forem usadas para implantar VMs do Pool de Hosts AVD, é importante garantir que esses artefatos estejam disponíveis em todas as regiões onde o AVD está implantado. O serviço Galeria de Computação do Azure pode ser usado para replicar imagens em todas as regiões onde um Pool de Hosts está implantado, com armazenamento redundante e em várias cópias. Lembre-se de que o serviço Galeria de Computação do Azure não é um recurso global. 
Para cenários de recuperação de desastres, a prática recomendada é ter pelo menos duas galerias, em regiões diferentes.", "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", + "id": "A02.01", "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", "severity": "Baixo", "subcategory": "Dependências", - "text": "Planejar a disponibilidade entre regiões da Golden Image" + "text": "Planejar a disponibilidade entre regiões da Golden Image", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "Se os usuários da infraestrutura AVD precisarem de acesso a recursos locais, a alta disponibilidade da infraestrutura de rede necessária para se conectar também é crítica e deve ser considerada. A resiliência da infraestrutura de autenticação precisa ser avaliada e avaliada. Os aspectos de BCDR para aplicativos dependentes e outros recursos precisam ser considerados para garantir a disponibilidade no local de recuperação de desastres secundário.", "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", + "id": "A02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Média", "subcategory": "Dependências", - "text": "Avaliar dependências de infraestrutura e aplicativos " + "text": "Avaliar dependências de infraestrutura e aplicativos ", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "Nem todos os dados dentro dos perfis de usuário do FSLogix podem merecer proteção contra desastres. Além disso, se o armazenamento externo for usado, por exemplo, OneDrive ou Servidores/Compartilhamentos de Arquivos, o que resta no perfil FSLogix é mínimo e pode ser perdido em algumas circunstâncias extremas. 
Em outros casos, os dados dentro do perfil podem ser recriados a partir de outros armazenamentos (por exemplo, Caixa de Entrada do Outlook no modo em cache).", "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", + "id": "A03.01", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", "severity": "Média", "subcategory": "Armazenamento", - "text": "Avaliar quais dados precisam ser protegidos no Perfil e nos Contêineres do Office" + "text": "Avaliar quais dados precisam ser protegidos no Perfil e nos Contêineres do Office", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "Evitar a perda de dados para dados críticos do usuário é importante, o primeiro passo é avaliar quais dados precisam ser salvos e protegidos. Se estiver usando o OneDrive ou outro armazenamento externo, talvez não seja necessário salvar dados de Perfil de usuário e/ou Contêineres do Office. Deve ser considerado um mecanismo adequado para proteger os dados críticos dos utilizadores. O serviço de Backup do Azure pode ser usado para proteger dados de Perfil e Contêineres do Office quando armazenados nas camadas Standard e Premium dos Arquivos do Azure. 
Os Instantâneos e Políticas de Arquivos do Azure NetApp podem ser usados para Arquivos do Azure NetApp (todas as camadas).", "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", + "id": "A03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Média", "subcategory": "Armazenamento", - "text": "Criar uma estratégia de proteção de backup para perfis e contêineres do Office" + "text": "Criar uma estratégia de proteção de backup para perfis e contêineres do Office", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "No AVD, vários mecanismos e estratégias de replicação podem ser usados para dados de usuário residentes em contêineres FSLogix: [Padrão de Perfil #1]: mecanismos de replicação de armazenamento nativos do Azure, por exemplo, replicação GRS do Azure Files Standard, replicação entre regiões do Azure NetApp Files. Recomenda-se usar ZRS (Zone Replicated Storage) ou GRS (Geo Replicated Storage, armazenamento replicado geograficamente) para Arquivos do Azure. O LRS com resiliência somente local pode ser usado se nenhuma proteção de zona/região for necessária. NOTA: O Padrão de Compartilhamento de Arquivos do Azure é LRS/ZRS/GRS, mas com suporte grande de 100 TB habilitado, somente há suporte para LRS/ZRS. [Profile Pattern #2]: O FSLogix Cloud Cache é um mecanismo automático integrado para replicar contêineres entre diferentes (até 4) contas de armazenamento. O Cloud Cache deve ser usado somente quando:(1) A disponibilidade de dados de contêineres de usuário ou contêineres do Office exigida pelo SLA de alta disponibilidade é crítica e precisa ser resiliente a falhas de região. (2) A opção de armazenamento selecionada não é capaz de satisfazer os requisitos do BCDR. Por exemplo, com a camada Premium de Compartilhamento de Arquivos do Azure ou o Padrão de Compartilhamento de Arquivos do Azure com Suporte a Arquivos Grandes habilitado, o GRS não está disponível. 
(3) Quando for necessária a replicação entre armazenamentos diferentes. [Padrão de Perfil #3]: configure apenas a recuperação de desastres geográficos para dados de aplicativos e não para contêineres de dados/perfis de usuários: armazene dados importantes de aplicativos em armazenamentos separados, como o OneDrive ou outro armazenamento externo com seu próprio mecanismo de DR interno.", "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", + "id": "A03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "severity": "Média", "subcategory": "Armazenamento", - "text": "Avaliar os requisitos de replicação e resiliência do armazenamento de contêiner de perfil para fins de BCDR" + "text": "Avaliar os requisitos de replicação e resiliência do armazenamento de contêiner de perfil para fins de BCDR", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "Para recuperação de desastres local, o Backup do Azure para Arquivos do Azure pode ser usado. Para recuperação de desastres geográficos entre regiões: o GRS for Azure Files só está disponível com SKU padrão e sem suporte a compartilhamento grande, não sendo adequado na maioria dos cenários de clientes. 
Se a replicação geográfica for necessária com o Azure File Share Premium, a replicação com o FSLogix Cloud Cache poderá ser avaliada ou somente a resiliência da Zona de Disponibilidade (AZ) 'na região' deverá ser considerada.", "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", + "id": "A03.04", "link": "https://docs.microsoft.com/azure/backup/backup-afs", "severity": "Média", "subcategory": "Armazenamento", - "text": "Revise a estratégia de recuperação de desastres dos Arquivos do Azure" + "text": "Revise a estratégia de recuperação de desastres dos Arquivos do Azure", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", "description": "O armazenamento redundante de zona maximizará a resiliência na região para os dados de perfil do usuário. O ZRS é suportado para compartilhamentos de arquivos premium por meio do tipo de conta de armazenamento 'FileStorage'. O ZRS é suportado em contas de armazenamento v2 de uso geral padrão. O uso do armazenamento redundante de zona deve ser emparelhado com a implantação redundante de zona de hosts de sessão em cada pool de hosts. ", "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", + "id": "A03.05", "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "severity": "Alto", "subcategory": "Armazenamento", - "text": "Usar ZRS (Zone Redundant Storage) para arquivos do Azure para maximizar a resiliência" + "text": "Usar ZRS (Zone Redundant Storage) para arquivos do Azure para maximizar a resiliência", + "waf": "Fiabilidade" }, { "category": "Continuidade de negócios e recuperação de desastres", - "description": "Para recuperação de desastres local, o backup nativo do Azure NetApp Files (ANF) está disponível. 
O ANF é essencialmente redundante localmente, então, para recuperação de desastres geográficos entre regiões, é necessário usar um mecanismo adicional que é a CRR (replicação entre regiões) https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-create-peering. Atualmente, o ANF não fornece replicação nem redundância em diferentes zonas de disponibilidade (AZ), apenas a possibilidade de selecionar em qual AZ único colocar o volume ANF: https://learn.microsoft.com/en-us/azure/azure-netapp-files/manage-availability-zone-volume-placement.", + "description": "Para recuperação de desastres local, o backup nativo do Azure NetApp Files (ANF) está disponível. O ANF é essencialmente redundante localmente, então, para recuperação de desastres geográficos entre regiões, é necessário usar um mecanismo adicional que é a CRR (Cross-Region Replication, replicação entre regiões) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. Atualmente, o ANF não fornece replicação nem redundância em diferentes zonas de disponibilidade (AZ), apenas a possibilidade de selecionar em qual AZ único colocar o volume ANF: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", "guid": "23429db7-2281-4376-85cc-57b4a4b18142", + "id": "A03.06", "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "severity": "Média", "subcategory": "Armazenamento", - "text": "Revise a estratégia de recuperação de desastres do Azure NetApp Files" + "text": "Revise a estratégia de recuperação de desastres do Azure NetApp Files", + "waf": "Fiabilidade" }, { "category": "Calcular", "description": "Os aplicativos podem ser pré-instalados na(s) imagem(ns) dourada(s), podem ser anexados usando o recurso MSIX & AppAttach ou distribuídos para os hosts de sessão após a implantação do pool de hosts usando métodos tradicionais de distribuição de software.", "guid": 
"86ba2802-1459-4014-95d3-8e5309ccbd97", + "id": "B01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "Alto", "subcategory": "Imagens de Ouro", - "text": "Determinar como os aplicativos serão implantados nos pools de hosts AVD" + "text": "Determinar como os aplicativos serão implantados nos pools de hosts AVD", + "waf": "Operações" }, { "category": "Calcular", "description": "Várias imagens douradas podem ser necessárias para suportar diferentes versões e/ou configurações do sistema operacional, diferentes grupos de aplicativos que devem ser separados e não podem ser incluídos em uma única imagem.", "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", + "id": "B01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "Média", "subcategory": "Imagens de Ouro", - "text": "Estimar o número de imagens douradas que serão necessárias" + "text": "Estimar o número de imagens douradas que serão necessárias", + "waf": "Operações" }, { "category": "Calcular", "description": "Determine qual sistema operacional convidado será usado para implantar cada pool de hosts: Windows 10 vs. Windows Server, Marketplace vs. imagens personalizadas", "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", + "id": "B01.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", "severity": "Média", "subcategory": "Imagens de Ouro", - "text": "Determine qual(is) imagem(ns) do sistema operacional você usará para a implantação do Pool de Hosts" + "text": "Determine qual(is) imagem(ns) do sistema operacional você usará para a implantação do Pool de Hosts", + "waf": "Fiabilidade" }, { "category": "Calcular", "description": "As imagens personalizadas da VM do Azure podem ser criadas e armazenadas de diferentes maneiras: em uma Galeria de Computação do Azure, como um objeto de imagem gerenciado ou como um disco gerenciado no armazenamento. 
A maneira recomendada é usar a Galeria de Computação do Azure.", "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", + "id": "B01.04", "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "severity": "Baixo", "subcategory": "Imagens de Ouro", - "text": "Selecione o armazenamento adequado para imagens personalizadas" + "text": "Selecione o armazenamento adequado para imagens personalizadas", + "waf": "Fiabilidade" }, { "category": "Calcular", "description": "Se imagens personalizadas forem usadas, planeje um processo de compilação automatizado. Se não existir uma fábrica de software pré-existente, considere usar Modelos de Imagem Personalizados e/ou o Construtor de Imagens do Azure para automatizar o processo de compilação.", "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", + "id": "B01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", "severity": "Baixo", "subcategory": "Imagens de Ouro", - "text": "Projete seu processo de compilação para imagens personalizadas" + "text": "Projete seu processo de compilação para imagens personalizadas", + "waf": "Operações" }, { "category": "Calcular", "description": "Existem algumas práticas recomendadas conhecidas e recomendações para a personalização da imagem dourada, certifique-se de verificar o artigo referenciado.", "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", + "id": "B01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "severity": "Média", "subcategory": "Imagens de Ouro", - "text": "Se a imagem personalizada for usada, verifique as práticas recomendadas para o AVD sobre como criar uma imagem personalizada" + "text": "Se a imagem personalizada for usada, verifique as práticas recomendadas para o AVD sobre como criar uma imagem personalizada", + "waf": "Operações" }, { "category": "Calcular", "description": "A pilha FSLogix instalada em hosts de sessão AVD não fornece capacidade de atualização automática. 
Por esta razão, recomenda-se baixar a versão mais recente do FSLogix e incluir no processo de atualização da imagem dourada.", "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", + "id": "B01.07", "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", "severity": "Alto", "subcategory": "Imagens de Ouro", - "text": "Inclua a versão mais recente do FSLogix no processo de atualização da imagem dourada" + "text": "Inclua a versão mais recente do FSLogix no processo de atualização da imagem dourada", + "waf": "Fiabilidade" }, { "category": "Calcular", "description": "Este conjunto de ferramentas foi criado para aplicar automaticamente a configuração referenciada no white paper 'Otimizando o Windows 10, versão 2004 para uma função VDI (Virtual Desktop Infrastructure)': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. O uso da ferramenta e/ou otimizações mencionadas no white-paper devem ser considerados. ", "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", + "id": "B01.08", "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "severity": "Baixo", "subcategory": "Imagens de Ouro", - "text": "Avaliar o uso da Virtual-Desktop-Optimization-Tool" + "text": "Avaliar o uso da Virtual-Desktop-Optimization-Tool", + "waf": "Desempenho" }, { "category": "Calcular", "description": "Se o OneDrive for usado e incluído em uma imagem dourada, siga o procedimento de configuração relatado no artigo complementar na seção \"Mais informações\". Não está no escopo desta lista de verificação do AVD, mas otimizações do OneDrive como 'Redirecionamento de pasta conhecida' e 'Arquivos sob demanda' devem ser avaliadas para reduzir o espaço usado nos perfis do FSLogix e fornecer uma melhor experiência do usuário. 
Atualmente, o OneDrive não é compatível com Aplicativos Remotos.", "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", + "id": "B01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "severity": "Baixo", "subcategory": "Imagens de Ouro", - "text": "Determinar se o Microsoft OneDrive fará parte da implantação do AVD" + "text": "Determinar se o Microsoft OneDrive fará parte da implantação do AVD", + "waf": "Operações" }, { "category": "Calcular", "description": "Certifique-se de revisar os requisitos e o procedimento de configuração contidos no artigo complementar na coluna 'Mais informações'. Como as atualizações automáticas do Teams serão desabilitadas, é recomendável verificar e incluir a versão mais recente do Teams no processo de atualização da imagem dourada.", "guid": "b5887953-5d22-4788-9d30-b66c67be5951", + "id": "B01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", "severity": "Baixo", "subcategory": "Imagens de Ouro", - "text": "Determinar se o Microsoft Teams fará parte da implantação do AVD" + "text": "Determinar se o Microsoft Teams fará parte da implantação do AVD", + "waf": "Desempenho" }, { "category": "Calcular", "description": "O AVD pode oferecer suporte a usuários com requisitos de idioma e localização diferentes no mesmo pool de hosts. Isso pode ser feito personalizando imagens douradas para garantir que os usuários possam selecionar o idioma que precisarem. 
O procedimento para configurar pacotes de idiomas adicionais no Windows 11 está documentado no artigo de referência.", "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", + "id": "B01.11", "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", "severity": "Baixo", "subcategory": "Imagens de Ouro", - "text": "Avaliar o requisito de suporte a vários idiomas" + "text": "Avaliar o requisito de suporte a vários idiomas", + "waf": "Fiabilidade" }, { "category": "Calcular", "description": "É altamente recomendável usar contas/compartilhamentos de armazenamento separados para armazenar pacotes MSIX. Se necessário, o armazenamento pode ser expandido de forma independente e não ser afetado pelas atividades de E/S do perfil. O Azure oferece várias opções de armazenamento que podem ser usadas para anexação de aplicativo MISX. Recomendamos o uso dos Arquivos do Azure ou dos Arquivos do Azure NetApp, pois essas opções oferecem o melhor valor entre custo e sobrecarga de gerenciamento. 
", "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", + "id": "B02.01", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "Média", "subcategory": "MSIX & AppAttach", - "text": "Não use a mesma conta/compartilhamento de armazenamento que os perfis FSLogix" + "text": "Não use a mesma conta/compartilhamento de armazenamento que os perfis FSLogix", + "waf": "Desempenho" }, { "category": "Calcular", "description": "No artigo referenciado, relatamos poucas, mas importantes considerações de desempenho para o uso de MSIX no contexto AVD, certifique-se de revisar cuidadosamente.", "guid": "241addce-5793-477b-adb3-751ab2ac1fad", + "id": "B02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "Média", "subcategory": "MSIX & AppAttach", - "text": "Revise as considerações de desempenho do MSIX" + "text": "Revise as considerações de desempenho do MSIX", + "waf": "Desempenho" }, { "category": "Calcular", "description": "A anexação do aplicativo MSIX requer permissões somente leitura para acessar o compartilhamento de arquivos. 
Se você estiver armazenando seus aplicativos MSIX nos Arquivos do Azure, para seus hosts de sessão, precisará atribuir a todas as VMs de host de sessão permissões RBAC (controle de acesso baseado em função) de conta de armazenamento e NTFS (New Technology File System) de compartilhamento de arquivos no compartilhamento.", "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", + "id": "B02.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "severity": "Média", "subcategory": "MSIX & AppAttach", - "text": "Verificar as permissões adequadas de host de sessão para compartilhamento MSIX" + "text": "Verificar as permissões adequadas de host de sessão para compartilhamento MSIX", + "waf": "Segurança" }, { "category": "Calcular", "description": "O fornecedor de software de terceiros 3 deve fornecer um pacote MSIX, não é recomendado que o cliente tente o procedimento de conversão sem o suporte adequado do proprietário do aplicativo.", "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", + "id": "B02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "Baixo", "subcategory": "MSIX & AppAttach", - "text": "Pacotes MSIX para aplicativos de terceiros" + "text": "Pacotes MSIX para aplicativos de terceiros", + "waf": "Custar" }, { "category": "Calcular", "description": "A anexação de aplicativos MSIX não oferece suporte à atualização automática para aplicativos MSIX, portanto, eles devem ser desabilitados.", "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", + "id": "B02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "Baixo", "subcategory": "MSIX & AppAttach", - "text": "Desabilitar a atualização automática para pacotes MSIX" + "text": "Desabilitar a atualização automática para pacotes MSIX", + "waf": "Operações" }, { "category": "Calcular", "description": "Para aproveitar o MSIX & App Attach, a imagem do sistema operacional convidado para o pool AVD Host deve ser Windows 
10/11 Enterprise ou Windows 10/11 Enterprise Multi-session, versão 2004 ou posterior.", "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", + "id": "B02.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "severity": "Média", "subcategory": "MSIX & AppAttach", - "text": "Revise o suporte a sistemas operacionais" + "text": "Revise o suporte a sistemas operacionais", + "waf": "Fiabilidade" }, { "category": "Calcular", "description": "Depois de selecionada a SKU da VM que será usada para a implantação do Pool de Hosts, é recomendável usar o tipo Gen2 da SKU para maior segurança e recursos aprimorados.", "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", + "id": "B03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", "severity": "Média", "subcategory": "Host da Sessão", - "text": "Avaliar o uso da VM Gen2 para implantação do Pool de Hosts" + "text": "Avaliar o uso da VM Gen2 para implantação do Pool de Hosts", + "waf": "Desempenho" }, { "category": "Calcular", "description": "O MMR redireciona o conteúdo de mídia do Host da Sessão para sua máquina local para processamento e renderização mais rápidos. Ele só funciona quando você reproduz conteúdo de mídia no Microsoft Edge ou no Google Chrome. Consulte a URL vinculada para obter mais detalhes.", "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9", + "id": "B03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection", "severity": "Baixo", "subcategory": "Host da Sessão", - "text": "Considere o uso de MMR (Redirecionamento de Multimídia) para obter melhor desempenho de vídeo no navegador" + "text": "Considere o uso de MMR (Redirecionamento de Multimídia) para obter melhor desempenho de vídeo no navegador", + "waf": "Desempenho" }, { "category": "Fundação", "description": "Um pool de hosts é uma coleção de máquinas virtuais do Azure que se registram na Área de Trabalho Virtual do Azure como hosts de sessão. 
Um pool de hosts pode ser de dois tipos: Pessoal e Agrupado. Qual tipo usar e quantos é uma decisão de design fundamental que deve ser documentada e validada. Consulte o artigo complementar na coluna \"Mais informações\" para obter mais detalhes.", "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2", + "id": "C01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools", "severity": "Alto", "subcategory": "Planejamento de Capacidade", - "text": "Determinar o tipo de pool de hosts a ser usado" + "text": "Determinar o tipo de pool de hosts a ser usado", + "waf": "Custar" }, { "category": "Fundação", "description": "Use seus critérios de design para determinar o número de Pools de Hosts a serem implantados. Isso será baseado em fatores como diferentes imagens do sistema operacional, suporte a várias regiões, diferenças de hardware de VM convidada (como suporte a GPU ou não), diferentes expectativas do usuário e requisitos de tempo de atividade (exemplos podem ser 'Executivos', 'Trabalhadores do Office', 'Desenvolvedores', etc.) e configurações de RDP do Pool de Hosts (como suporte a redirecionamento de unidade). Isso determinará o número de pools de hosts, bem como quantos hosts estarão em cada pool.", "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7", + "id": "C01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools", "severity": "Alto", "subcategory": "Planejamento de Capacidade", - "text": "Estimar o número de pools de hosts diferentes a serem implantados " + "text": "Estimar o número de pools de hosts diferentes a serem implantados ", + "waf": "Desempenho" }, { "category": "Fundação", "description": "Confirme se a diferença entre atribuição automática e direta é bem compreendida e se a opção selecionada é apropriada para o cenário em questão. 
Automático é a configuração padrão.", "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db", + "id": "C01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type", "severity": "Baixo", "subcategory": "Planejamento de Capacidade", - "text": "Para o tipo de Pool de Host Pessoal, selecione o tipo de atribuição apropriado" + "text": "Para o tipo de Pool de Host Pessoal, selecione o tipo de atribuição apropriado", + "waf": "Operações" }, { "category": "Fundação", "description": "Verifique qual usar e as opções disponíveis, o dimensionamento automático ignora os algoritmos de balanceamento de carga existentes.", "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48", + "id": "C01.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing", "severity": "Baixo", "subcategory": "Planejamento de Capacidade", - "text": "Para o tipo Pool de Hosts em Pool, selecione o melhor método de balanceamento de carga" + "text": "Para o tipo Pool de Hosts em Pool, selecione o melhor método de balanceamento de carga", + "waf": "Desempenho" }, { "category": "Fundação", "description": "O número de núcleos aumenta, a sobrecarga de sincronização do sistema também aumenta. Especialmente para a entrada de vários usuários simultaneamente. 
Certifique-se de não usar uma VM muito grande para o host da sessão", "guid": "b3724959-4943-4577-a3a9-e10ff6345f24", + "id": "C01.05", "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "severity": "Média", "subcategory": "Planejamento de Capacidade", - "text": "Para o tipo Pool de Hosts em Pool, as VMs não devem ter mais de 32 núcleos" + "text": "Para o tipo Pool de Hosts em Pool, as VMs não devem ter mais de 32 núcleos", + "waf": "Desempenho" }, { "category": "Fundação", "description": "O AVD não oferece suporte à atribuição do RemoteApp e do Grupo de Aplicativos de Área de Trabalho (DAG) em um único pool de hosts ao mesmo conjunto de usuários. Isso fará com que um único usuário tenha duas sessões de usuário em um único pool de hosts. Os usuários não devem ter duas sessões ativas ao mesmo tempo no mesmo pool de hosts usando o mesmo perfil.", "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144", + "id": "C01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups", "severity": "Alto", "subcategory": "Planejamento de Capacidade", - "text": "Não use o mesmo Pool de Hosts para oferecer áreas de trabalho completas (DAG) e Aplicativos Remotos para o mesmo conjunto de usuários" + "text": "Não use o mesmo Pool de Hosts para oferecer áreas de trabalho completas (DAG) e Aplicativos Remotos para o mesmo conjunto de usuários", + "waf": "Segurança" }, { "category": "Fundação", "description": "Há um limite de 500 Grupos de Aplicativos que podem ser criados no AVD para cada locatário do Microsoft Entra ID (antigo Azure AD). 
O limite pode ser aumentado (consulte o link complementar para obter detalhes), mas não é recomendado.", "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c", + "id": "C01.07", "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits", "severity": "Média", "subcategory": "Planejamento de Capacidade", - "text": "Estimar o número de Grupos de Aplicativos necessários em todos os Pools de Hosts no locatário do Microsoft Entra ID" + "text": "Estimar o número de Grupos de Aplicativos necessários em todos os Pools de Hosts no locatário do Microsoft Entra ID", + "waf": "Fiabilidade" }, { "category": "Fundação", "description": "Os aplicativos são agrupados em Grupos de Aplicativos como contêineres para publicação e atribuição de permissões: recomendamos que você não publique mais de 50 aplicativos por grupo de aplicativos.", "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32", + "id": "C01.08", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "severity": "Baixo", "subcategory": "Planejamento de Capacidade", - "text": "Estimar o número de aplicativos para cada grupo de aplicativos" + "text": "Estimar o número de aplicativos para cada grupo de aplicativos", + "waf": "Fiabilidade" }, { "category": "Fundação", "description": "O FSLogix não é necessário para Pools de Host Pessoal, pois cada VM é atribuída estaticamente a um único usuário, portanto, não há necessidade imediata de uma solução de perfil móvel. Em alguns cenários de uso, o FSLogix pode ajudar. 
Por exemplo, uma VM pode ser reatribuída, ou o usuário movido para outra área de trabalho, ou o perfil móvel pode ser usado para salvar o perfil de usuário em um local diferente para fins de DR.", "guid": "38b19ab6-0693-4992-9394-5590883916ec", - "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", + "id": "C01.09", + "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", "severity": "Baixo", "subcategory": "Planejamento de Capacidade", - "text": "Avaliar o uso do FSLogix para pools de hosts pessoais" + "text": "Avaliar o uso do FSLogix para pools de hosts pessoais", + "waf": "Fiabilidade" }, { "category": "Fundação", "description": "Use o link fornecido para definir um ponto de partida para a decisão de SKU e, em seguida, valide usando um teste de desempenho. Certifique-se de que um mínimo de quatro núcleos para Produção seja selecionado por Host de Sessão (várias sessões)", "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2", + "id": "C01.10", "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "severity": "Alto", "subcategory": "Planejamento de Capacidade", - "text": "Execute o teste de desempenho da carga de trabalho para determinar a melhor SKU de VM do Azure e o tamanho a ser usado" + "text": "Execute o teste de desempenho da carga de trabalho para determinar a melhor SKU de VM do Azure e o tamanho a ser usado", + "waf": "Desempenho" }, { "category": "Fundação", "description": "É fundamental verificar a capacidade e os limites de AVD relatados no artigo referenciado. Limites e limites adicionais se aplicam ao gerenciamento de rede, computação, armazenamento e serviços. 
", "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a", + "id": "C01.11", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "severity": "Alto", "subcategory": "Planejamento de Capacidade", - "text": "Verificar os limites de escalabilidade do AVD para o ambiente" + "text": "Verificar os limites de escalabilidade do AVD para o ambiente", + "waf": "Fiabilidade" }, { "category": "Fundação", "description": "Pools de hosts com GPU exigem configuração especial, certifique-se de revisar o artigo referenciado.", "guid": "c936667e-13c0-4056-94b1-e945a459837e", + "id": "C01.12", "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu", "severity": "Baixo", "subcategory": "Planejamento de Capacidade", - "text": "Determine se os hosts de sessão exigirão GPU" + "text": "Determine se os hosts de sessão exigirão GPU", + "waf": "Desempenho" }, { "category": "Fundação", "description": "Sempre que possível, recomenda-se aproveitar os SKUs de VM com o recurso de rede acelerada. Esse recurso requer versões específicas de SKU/tamanho e SO da VM, consulte a lista e o requisito no artigo complementar.", "guid": "b47a393a-0803-4272-a479-8b1578b219a4", + "id": "C01.13", "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", "severity": "Baixo", "subcategory": "Planejamento de Capacidade", - "text": "Usar SKUs de VM do Azure capazes de aproveitar a Rede Acelerada" + "text": "Usar SKUs de VM do Azure capazes de aproveitar a Rede Acelerada", + "waf": "Desempenho" }, { "category": "Fundação", "description": "Para planejamento e implantação adequados, é importante avaliar o número máximo de usuários simultâneos e totais para cada Pool de Hosts. 
Além disso, usuários de diferentes regiões podem exigir pools de hosts diferentes para garantir a melhor experiência do usuário.", "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f", + "id": "C02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/overview", "severity": "Média", "subcategory": "Clientes & Usuários", - "text": "Avaliar quantos usuários se conectarão ao AVD e de quais regiões" + "text": "Avaliar quantos usuários se conectarão ao AVD e de quais regiões", + "waf": "Desempenho" }, { "category": "Fundação", "description": "As dependências de recursos externos ao pool AVD devem ser avaliadas e revisadas, por exemplo, Active Directory, compartilhamentos de arquivos externos ou outro armazenamento, serviços e recursos locais, componentes de infraestrutura de rede como VPN e ou ExpressRoute, serviços externos e componentes de terceiros 3rd. Para todos esses recursos, a latência do AVD Host Pool precisa ser avaliada e a conectividade considerada. Além disso, as considerações de BCDR também precisam ser aplicadas a essas dependências.", "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc", + "id": "C02.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json", "severity": "Média", "subcategory": "Clientes & Usuários", - "text": "Avaliar dependências externas para cada Pool de Hosts" + "text": "Avaliar dependências externas para cada Pool de Hosts", + "waf": "Desempenho" }, { "category": "Fundação", "description": "AVD oferece uma variedade de tipos de clientes (gordo, magro, web) para se conectar em diferentes plataformas (Windows, MacOS, iOS, Android). 
Revise as limitações de cada cliente e compare várias opções quando possível.", "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd", - "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows", + "id": "C02.03", + "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows", "severity": "Baixo", "subcategory": "Clientes & Usuários", - "text": "Revisar o sistema operacional do cliente do usuário usado e o tipo de cliente AVD" + "text": "Revisar o sistema operacional do cliente do usuário usado e o tipo de cliente AVD", + "waf": "Desempenho" }, { "category": "Fundação", "description": "Dependendo dos locais do usuário e da implantação da região AVD, os usuários podem ter uma experiência não ideal, portanto, é importante testar o mais rápido possível em um ambiente PoC pequeno. Execute a ferramenta 'Azure Virtual Desktop Experience Estimator' para selecionar a melhor região do Azure para implantar Pools de Host. Além da latência de 150ms, a experiência do usuário pode não ser a ideal.", "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e", + "id": "C02.04", "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/", "severity": "Alto", "subcategory": "Clientes & Usuários", - "text": "Executar um PoC para validar a experiência do usuário de ponta a ponta e o impacto da latência da rede" + "text": "Executar um PoC para validar a experiência do usuário de ponta a ponta e o impacto da latência da rede", + "waf": "Desempenho" }, { "category": "Fundação", "description": "No momento, as configurações de RDP só podem ser definidas no nível do pool de hosts, não por usuário/grupo. 
Se forem necessárias configurações diferentes para diferentes conjuntos de usuários, é recomendável criar vários Pools de Hosts.", "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776", + "id": "C02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties", "severity": "Baixo", "subcategory": "Clientes & Usuários", - "text": "Avaliar e documentar configurações de RDP para todos os grupos de usuários" + "text": "Avaliar e documentar configurações de RDP para todos os grupos de usuários", + "waf": "Segurança" }, { "category": "Fundação", "description": "O AVD é um serviço não regional, os Pools de Hosts podem ser criados em qualquer região, o redirecionamento automático do front-end mais próximo acontecerá automaticamente.", "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9", + "id": "C03.01", "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop", "severity": "Alto", "subcategory": "Geral", - "text": "Determine em quais regiões do Azure os Pools de Hosts AVD serão implantados." + "text": "Determine em quais regiões do Azure os Pools de Hosts AVD serão implantados.", + "waf": "Desempenho" }, { "category": "Fundação", "description": "O AVD deve armazenar metadados para dar suporte ao serviço; isso é armazenado na geografia especificada. 
No entanto, isso é independente das regiões onde os Pools de Host estão localizados.", "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab", + "id": "C03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations", "severity": "Média", "subcategory": "Geral", - "text": "Determinar o local dos metadados para o serviço AVD" + "text": "Determinar o local dos metadados para o serviço AVD", + "waf": "Fiabilidade" }, { "category": "Fundação", "description": "Verifique se há SKUs de VM específicos, especialmente se você precisar de GPU ou SKUs de alta especificação e, eventualmente, Arquivos NetApp do Azure, se usados.", "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91", + "id": "C03.03", "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "severity": "Baixo", "subcategory": "Geral", - "text": "Verificar cotas e disponibilidade do Azure para tamanhos e tipos de VM específicos nas regiões selecionadas" + "text": "Verificar cotas e disponibilidade do Azure para tamanhos e tipos de VM específicos nas regiões selecionadas", + "waf": "Fiabilidade" }, { "category": "Identidade", "description": "Os DCs do AD no Azure são recomendados (pelo menos dois em AZ diferentes) para reduzir a latência para usuários que fazem logon em hosts de sessão AVD e, eventualmente, para a integração do Azure NetApp Files e do AD. Um controlador de domínio precisa ser capaz de falar com os DCs para TODOS os domínios filho. 
Como alternativa, a conectividade local deve ser usada para alcançar os DCs do AD.", "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073", + "id": "D01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "severity": "Média", "subcategory": "Diretório Ativo", - "text": "Criar pelo menos dois DCs (Controladores de Domínio) do Active Directory no ambiente de Rede Virtual do Azure próximo ao Pool de Hosts AVD" + "text": "Criar pelo menos dois DCs (Controladores de Domínio) do Active Directory no ambiente de Rede Virtual do Azure próximo ao Pool de Hosts AVD", + "waf": "Fiabilidade" }, { "category": "Identidade", "description": "Recomendado para criar uma UO separada por Pool de Hosts em uma hierarquia de UO separada. Essas UOs conterão contas de máquina de hosts de sessão AVD. ", "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "D01.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace", "severity": "Média", "subcategory": "Diretório Ativo", - "text": "Criar uma UO específica no Active Directory para cada Pool de Hosts" + "text": "Criar uma UO específica no Active Directory para cada Pool de Hosts", + "waf": "Operações" }, { "category": "Identidade", "description": "Analise cuidadosamente e potencialmente bloqueie/filtre a herança de GPOs para as UOs que contêm pools de hosts AVD. 
", "guid": "7126504b-b47a-4393-a080-327294798b15", + "id": "D01.03", "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy", "severity": "Média", "subcategory": "Diretório Ativo", - "text": "Revise os GPOs de domínio que serão aplicados à UO e afetarão as funcionalidades de hosts de sessão do pool de hosts" + "text": "Revise os GPOs de domínio que serão aplicados à UO e afetarão as funcionalidades de hosts de sessão do pool de hosts", + "waf": "Operações" }, { "category": "Identidade", "description": "Se GPOs de Domínio do Active Directory forem usados, é recomendável configurar o FSLogix usando o modelo ADMX de GPO fornecido internamente mencionado no artigo complementar na coluna 'Mais informações'", "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f", + "id": "D01.04", "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates", "severity": "Média", "subcategory": "Diretório Ativo", - "text": "Definir configurações do FSLogix usando o modelo ADMX de GPO fornecido internamente" + "text": "Definir configurações do FSLogix usando o modelo ADMX de GPO fornecido internamente", + "waf": "Operações" }, { "category": "Identidade", "description": "Recomenda-se ter uma conta dedicada específica com permissões mínimas e sem a limitação padrão de 10 junções. 
Consulte o artigo complementar para obter mais detalhes.", "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77", + "id": "D01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts", "severity": "Média", "subcategory": "Diretório Ativo", - "text": "Criar uma conta de usuário dedicada com apenas permissões para ingressar a VM no domínio" + "text": "Criar uma conta de usuário dedicada com apenas permissões para ingressar a VM no domínio", + "waf": "Segurança" }, { "category": "Identidade", "description": "Evite conceder acesso por usuário, use grupos do AD e replique-os usando o Active Directory Connector (ADC) na ID do Microsoft Entra (antigo Azure AD). ", "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c", + "id": "D01.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups", "severity": "Média", "subcategory": "Diretório Ativo", - "text": "Crie um grupo de usuários de domínio para cada conjunto de usuários que terá acesso a cada Grupo de Aplicativos do Pool de Hosts (DAG ou RAG)" + "text": "Crie um grupo de usuários de domínio para cada conjunto de usuários que terá acesso a cada Grupo de Aplicativos do Pool de Hosts (DAG ou RAG)", + "waf": "Segurança" }, { "category": "Identidade", "description": "Se a integração do Azure Files Active Directory (AD) for usada, como parte do procedimento de configuração, uma conta do AD para representar a conta de armazenamento (compartilhamento de arquivos) será criada. Você pode optar por se registrar como uma conta de computador ou conta de logon de serviço, consulte as Perguntas frequentes para obter detalhes. Para contas de computador, há uma idade de expiração de senha padrão definida no AD em 30 dias. Da mesma forma, a conta de logon de serviço pode ter uma idade de expiração de senha padrão definida no domínio do AD ou na Unidade Organizacional (OU). 
Para ambos os tipos de conta, recomendamos que você verifique a idade de expiração da senha configurada em seu ambiente do AD e planeje atualizar a senha da identidade da conta de armazenamento da conta do AD antes da idade máxima da senha. Você pode considerar a criação de uma nova Unidade Organizacional (UO) do AD no AD e desabilitar a diretiva de expiração de senha em contas de computador ou contas de logon de serviço adequadamente.", "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3", + "id": "D01.07", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", "severity": "Alto", "subcategory": "Diretório Ativo", - "text": "Revise a política de expiração de senha da sua organização para contas usadas pela integração do Azure Files AD" + "text": "Revise a política de expiração de senha da sua organização para contas usadas pela integração do Azure Files AD", + "waf": "Segurança" }, { "category": "Identidade", "description": "Você pode configurar isso usando o Active Directory Connect (ADC) ou os Serviços de Domínio do Azure AD (para organizações híbridas ou na nuvem). A ID do Microsoft Entra é o novo nome do Azure Active Directory (Azure AD).", "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a", + "id": "D01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "Alto", "subcategory": "Diretório Ativo", - "text": "Uma floresta/domínio do Active Directory do Windows Server deve estar sincronizado com o Microsoft Entra ID" + "text": "Uma floresta/domínio do Active Directory do Windows Server deve estar sincronizado com o Microsoft Entra ID", + "waf": "Fiabilidade" }, { "category": "Identidade", "description": "Se os Arquivos do Azure forem usados e os pré-requisitos puderem ser satisfeitos, é recomendável configurar a autenticação Kerberos (ID do Microsoft Entra). 
Essa configuração permitirá armazenar perfis FSLogix que podem ser acessados por identidades de usuário híbridas de hosts de sessão ingressados no Azure AD sem exigir linha de visão de rede para controladores de domínio.", "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338", + "id": "D02.01", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", "severity": "Média", "subcategory": "Microsoft Entra ID", - "text": "Configurar o compartilhamento de Arquivos do Azure para a autenticação Kerberos da ID do Microsoft Entra (antigo Azure AD) no Microsoft Entra ID Cenário de ingresso" + "text": "Configurar o compartilhamento de Arquivos do Azure para a autenticação Kerberos da ID do Microsoft Entra (antigo Azure AD) no Microsoft Entra ID Cenário de ingresso", + "waf": "Segurança" }, { "category": "Identidade", "description": "Uma assinatura do Azure deve ser vinculada ao mesmo locatário do Microsoft Entra ID (antigo Azure AD), que contém uma rede virtual que contém ou está conectada à instância dos Serviços de Domínio Active Directory do Windows Server ou dos Serviços de Domínio Microsoft Entra ID.", "guid": "6ceb5443-5125-4922-9442-93bb628537a5", + "id": "D03.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "severity": "Alto", "subcategory": "Requisitos", - "text": "Um locatário do Microsoft Entra ID deve estar disponível com pelo menos uma assinatura vinculada" + "text": "Um locatário do Microsoft Entra ID deve estar disponível com pelo menos uma assinatura vinculada", + "waf": "Fiabilidade" }, { "category": "Identidade", - "description": "A Área de Trabalho Virtual do Azure dá suporte a diferentes tipos de identidades, dependendo da configuração escolhida. Analise os cenários suportados mencionados no artigo 'Mais informações' e documente a decisão de design de acordo na coluna 'Comentário'. Criticamente, identidades externas (B2B ou B2C) não são suportadas. 
Certifique-se de revisar também a lista de cenários com suporte no https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.", + "description": "A Área de Trabalho Virtual do Azure dá suporte a diferentes tipos de identidades, dependendo da configuração escolhida. Analise os cenários suportados mencionados no artigo 'Mais informações' e documente a decisão de design de acordo na coluna 'Comentário'. Criticamente, identidades externas (B2B ou B2C) não são suportadas. Certifique-se de revisar também a lista de cenários com suporte no https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.", "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c", + "id": "D03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", "severity": "Alto", "subcategory": "Requisitos", - "text": "Revisar e documentar seu cenário de identidade" + "text": "Revisar e documentar seu cenário de identidade", + "waf": "Segurança" }, { "category": "Identidade", "description": "Os usuários precisam de contas que estejam na ID do Microsoft Entra (antigo Azure AD). Se você também estiver usando o AD DS ou os Serviços de Domínio do Azure AD em sua implantação da Área de Trabalho Virtual do Azure, essas contas precisarão ser identidades híbridas, o que significa que as contas de usuário são sincronizadas. Se você estiver usando a ID do Microsoft Entra com o AD DS, precisará configurar o Azure AD Connect para sincronizar os dados de identidade do usuário entre o AD DS e a ID do Microsoft Entra. Se você estiver usando a ID do Microsoft Entra com os Serviços de Domínio do Azure AD, as contas de usuário serão sincronizadas de uma maneira da ID do Microsoft Entra para os Serviços de Domínio do Azure AD. Esse processo de sincronização é automático. O AVD também oferece suporte a contas nativas do Microsoft Entra ID com algumas restrições. 
Não há suporte para identidades externas (B2B ou B2C).", "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", + "id": "D03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "Média", "subcategory": "Requisitos", - "text": "Avaliar tipos e requisitos de Conta de Usuário" + "text": "Avaliar tipos e requisitos de Conta de Usuário", + "waf": "Segurança" }, { "category": "Identidade", "description": "O AVD dá suporte ao SSO usando a autenticação dos Serviços de Federação do Active Directory (AD FS) ou da ID do Microsoft Entra (antigo AD do Azure). Este último é recomendado, verifique os requisitos e limitações no artigo 'Mais informações'. Usar o AD FS pode ser uma opção viável se já estiver presente no ambiente do cliente, não é recomendável implantar uma nova infraestrutura do ADFS apenas para a implementação do AVD SSO.", "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", + "id": "D03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", "severity": "Média", "subcategory": "Requisitos", - "text": "Se o SSO (logon único) for um requisito, examine os cenários e pré-requisitos com suporte" + "text": "Se o SSO (logon único) for um requisito, examine os cenários e pré-requisitos com suporte", + "waf": "Fiabilidade" }, { "category": "Identidade", "description": "As VMs podem ser ingressadas no domínio do Windows Active Directory (AD), ingressadas no AD híbrido, ingressadas na ID do Microsoft Entra (antigo Azure AD) ou ingressadas nos Serviços de Domínio do Azure AD. 
Certifique-se de revisar os cenários, limitações e requisitos suportados do artigo referenciado.", "guid": "ea962a15-9394-46da-a7cc-3923266b2258", + "id": "D03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "severity": "Alto", "subcategory": "Requisitos", - "text": "Selecione o tipo de ingresso de domínio do Host da Sessão AVD adequado" + "text": "Selecione o tipo de ingresso de domínio do Host da Sessão AVD adequado", + "waf": "Segurança" }, { "category": "Identidade", "description": "Comparar os Serviços de Domínio Active Directory do Windows autogerenciados, a ID do Microsoft Entra (antigo Azure AD) e os Serviços de Domínio do Azure AD (AAD-DS) gerenciados", "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", + "id": "D03.06", "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", "severity": "Baixo", "subcategory": "Requisitos", - "text": "Antes de usar os Serviços de Domínio do Azure AD (AAD-DS) para AVD, verifique as limitações." + "text": "Antes de usar os Serviços de Domínio do Azure AD (AAD-DS) para AVD, verifique as limitações.", + "waf": "Fiabilidade" }, { "category": "Monitoramento e Gerenciamento", "description": "O AVD fornece modelos administrativos para o Intune e o GPO do Active Directory. Usando esses modelos, é possível controlar centralmente várias definições de configuração do AVD: registro de dados relacionados a gráficos, proteção de captura de tela, Shortpath RDP para redes gerenciadas, Marca d'água. Consulte o artigo complementar no colum 'Mais informações' para obter detalhes. 
NOTA: FSLogix tem seu próprio modelo separado.", "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", + "id": "E01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", "severity": "Baixo", "subcategory": "Gestão", - "text": "Usar modelos administrativos fornecidos internos para configuração de configurações do AVD" + "text": "Usar modelos administrativos fornecidos internos para configuração de configurações do AVD", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", "description": "Determine se uma ferramenta de gerenciamento de configuração já está em vigor para gerenciar a configuração da VM do Pool de Hosts após a implantação inicial, por exemplo, SCCM/SCOM, Intune/ConfigurationManager, soluções de terceiros 3rd.", "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", + "id": "E01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/management", "severity": "Baixo", "subcategory": "Gestão", - "text": "Planejar a estratégia de gerenciamento de configuração de hosts de sessão AVD" + "text": "Planejar a estratégia de gerenciamento de configuração de hosts de sessão AVD", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", - "description": "Recomendamos usar o Microsoft Intune, se os requisitos puderem ser satisfeitos, para gerenciar seu ambiente de Área de Trabalho Virtual do Azure. Analise os cenários e requisitos com suporte para habilitar o gerenciamento do Intune para Host de Sessão AVD no artigo referenciado na coluna \"Mais Informações\". Documente sua escolha na coluna 'Comentário'. 
Nesse artigo, analise os diferentes requisitos e recursos para https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop-multi-session https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop de sessão única e AVD de várias sessões.", + "description": "Recomendamos usar o Microsoft Intune, se os requisitos puderem ser satisfeitos, para gerenciar seu ambiente de Área de Trabalho Virtual do Azure. Analise os cenários e requisitos com suporte para habilitar o gerenciamento do Intune para Host de Sessão AVD no artigo referenciado na coluna Mais Informações. Documente sua escolha na coluna 'Comentário'. Nesse artigo, analise os diferentes requisitos e recursos para https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop de sessão única e AVD de várias sess https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session ões.", "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", + "id": "E01.03", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", "severity": "Média", "subcategory": "Gestão", - "text": "Avaliar o Intune para gerenciamento de hosts de sessão AVD" + "text": "Avaliar o Intune para gerenciamento de hosts de sessão AVD", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", "description": "A ferramenta de dimensionamento fornece uma opção de automação de baixo custo para clientes que desejam otimizar seus custos de VM de host de sessão. Você pode usar a ferramenta de dimensionamento para agendar VMs para iniciar e parar com base no horário comercial de pico e fora de pico, dimensionar VMs com base no número de sessões por núcleo de CPU, dimensionar em VMs durante o horário fora de pico, deixando o número mínimo de VMs de host de sessão em execução. 
Ainda não disponível para o tipo de Pool de Host Pessoal.", "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", + "id": "E01.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", "severity": "Média", "subcategory": "Gestão", - "text": "Avaliar os requisitos para o recurso de dimensionamento automático do pool de hosts" + "text": "Avaliar os requisitos para o recurso de dimensionamento automático do pool de hosts", + "waf": "Fiabilidade" }, { "category": "Monitoramento e Gerenciamento", "description": "Iniciar VM On Connect permite reduzir custos, permitindo que os usuários finais ativem suas máquinas virtuais (VMs) de host de sessão somente quando precisarem delas. Em seguida, você pode desativar as VMs quando elas não forem necessárias. Você pode configurar Iniciar VM no Connect para pools de hosts pessoais ou em pool usando o portal do Azure ou o PowerShell. Iniciar VM no Connect é uma configuração ampla do pool de hosts.", "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", + "id": "E01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", "severity": "Baixo", "subcategory": "Gestão", - "text": "Considere o uso de Iniciar VM no Connect para pools de hosts pessoais" + "text": "Considere o uso de Iniciar VM no Connect para pools de hosts pessoais", + "waf": "Custar" }, { "category": "Monitoramento e Gerenciamento", "description": "'Iniciar VM na Conexão' fornece uma maneira inteligente de iniciar automaticamente Hosts de Sessão interrompidos anteriormente, mas não fornece um mecanismo para desligar quando não estiver em uso. Os administradores são incentivados a configurar políticas adicionais para desconectar usuários de suas sessões e executar scripts de automação do Azure para desalocar VMs. 
Os usuários não devem ter permissão para desligar seus hosts pessoais, pois não poderão desalocar VMs do Azure, a cobrança ainda estará ativa sem redução de custos.", "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", + "id": "E01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", "severity": "Baixo", "subcategory": "Gestão", - "text": "Avaliar a implementação de um mecanismo ad-hoc para desligar hosts de sessão AVD pessoais" + "text": "Avaliar a implementação de um mecanismo ad-hoc para desligar hosts de sessão AVD pessoais", + "waf": "Custar" }, { "category": "Monitoramento e Gerenciamento", "description": "A cobrança da Área de Trabalho Virtual do Azure é baseada principalmente no custo associado aos recursos de computação, rede e armazenamento consumidos pelos Pools de Hosts. Além disso, os custos podem ser gerados por recursos dependentes, por exemplo, VPN ou ExpressRoute ou vWAN, Controladores de Domínio do Active Directory, DNS, etc. Não há custo direto associado a objetos AVD, como espaços de trabalho, pools de hosts ou grupos de aplicativos. Para tornar os custos associados ao AVD mais evidentes e agrupados por Pool de Hosts, é recomendável usar a tag 'cm-resource-parent'. ", "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", + "id": "E01.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", "severity": "Baixo", "subcategory": "Gestão", - "text": "Revisar e adotar Tags do Azure sugeridas para a Área de Trabalho Virtual do Azure" + "text": "Revisar e adotar Tags do Azure sugeridas para a Área de Trabalho Virtual do Azure", + "waf": "Custar" }, { "category": "Monitoramento e Gerenciamento", "description": "O Azure Advisor analisa suas configurações e telemetria para oferecer recomendações personalizadas para resolver problemas comuns. 
Com essas recomendações, você pode otimizar seus recursos do Azure para confiabilidade, segurança, excelência operacional, desempenho e custo.", "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", + "id": "E01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", "severity": "Baixo", "subcategory": "Gestão", - "text": "Verifique periodicamente as recomendações do Azure Advisor para AVD" + "text": "Verifique periodicamente as recomendações do Azure Advisor para AVD", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", - "description": "Os clientes têm várias opções: Microsoft Configuration Manager, este artigo explica como aplicar automaticamente atualizações a hosts de sessão da Área de Trabalho Virtual do Azure que executam o Windows 10/11: https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management e WSUS para o sistema operacional Windows Server somente (sistema operacional cliente não suportado: https://learn.microsoft.com/en-us/azure/automation/update-management/operating-system-requirements), 3ª Festa. 
Fora de uma situação de correção de segurança de emergência, recomenda-se sair de uma estratégia de correção de estratégia de atualização \"in-loco\" e adotar uma abordagem de recriação de imagens.", + "description": "Os clientes têm várias opções: Microsoft Configuration Manager, este artigo explica como aplicar automaticamente atualizações a hosts de sessão da Área de Trabalho Virtual do Azure que executam o Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management e WSUS somente para o sistema operacional Windows Server (sistema operacional cliente não suportado: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3ª Festa. Fora de uma situação de correção de segurança de emergência, recomenda-se sair de uma estratégia de correção de estratégia de atualização \"in-loco\" e adotar uma abordagem de recriação de imagens.", "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", + "id": "E01.09", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "severity": "Média", "subcategory": "Gestão", - "text": "Planejar uma estratégia de atualização e patch de emergência do Host de Sessão" + "text": "Planejar uma estratégia de atualização e patch de emergência do Host de Sessão", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", "description": "O recurso Atualizações Agendadas do Agente permite criar até duas janelas de manutenção por Pool de Hosts para atualizar os componentes do AVD em um momento conveniente. Recomenda-se especificar janelas de manutenção e, em seguida, a atualização dos hosts de sessão não ocorrerá durante o horário comercial de pico. As Atualizações Agendadas do Agente estão desabilitadas por padrão. 
Isso significa que, a menos que você habilite essa configuração, o agente pode ser atualizado a qualquer momento pelo serviço de voo de atualização do agente.", "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", + "id": "E01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "severity": "Baixo", "subcategory": "Gestão", - "text": "Configurar o recurso Atualizações Agendadas do Agente" + "text": "Configurar o recurso Atualizações Agendadas do Agente", + "waf": "Fiabilidade" }, { "category": "Monitoramento e Gerenciamento", "description": "Os pools de host são uma coleção de uma ou mais máquinas virtuais idênticas no ambiente de Área de Trabalho Virtual do Azure. É altamente recomendável que você crie um pool de hosts de validação onde as atualizações de serviço sejam aplicadas primeiro. Isso permite que você monitore as atualizações de serviço antes que o serviço as aplique ao seu ambiente padrão ou não.", "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "id": "E01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "severity": "Média", "subcategory": "Gestão", - "text": "Criar um pool de hosts de validação (canário)" + "text": "Criar um pool de hosts de validação (canário)", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", "description": "Um Pool de Hosts AVD pode ser implantado de várias maneiras: Portal do Azure, modelos ARM, ferramenta CLI do Azure, Powershell, criação manual de VM com token de registro, Terraform, ferramentas de terceiros 3rd. 
É importante adotar método(s) adequado(s) para suportar a implantação automática por meio de ferramentas de automação e CI/CD.", "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "id": "E01.12", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "severity": "Média", "subcategory": "Gestão", - "text": "Determinar a estratégia de implantação do Pool de Hosts" + "text": "Determinar a estratégia de implantação do Pool de Hosts", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", "description": "Depois de registrar uma VM em um pool de hosts no serviço Área de Trabalho Virtual do Azure, o agente atualiza regularmente o token da VM sempre que a VM estiver ativa. O certificado para o token de registro é válido por 90 dias. Devido a esse limite de 90 dias, recomendamos que as VMs fiquem online por 20 minutos a cada 90 dias para que a máquina possa atualizar seus tokens e atualizar o agente e os componentes de pilha lado a lado.", "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "id": "E01.13", "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "severity": "Média", "subcategory": "Gestão", - "text": "Ativar VMs de Host de Sessão pelo menos a cada 90 dias para atualização de token" + "text": "Ativar VMs de Host de Sessão pelo menos a cada 90 dias para atualização de token", + "waf": "Operações" }, { "category": "Monitoramento e Gerenciamento", "description": "O Azure Virtual Desktop Insights é um painel criado em Pastas de Trabalho do Azure Monitor que ajuda os profissionais de TI a entender seus ambientes de Área de Trabalho Virtual do Azure. 
Leia o artigo referenciado para saber como configurar o Azure Monitor para Área de Trabalho Virtual do Azure para monitorar seus ambientes AVD.", "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "id": "E02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "severity": "Alto", "subcategory": "Monitorização", - "text": "Habilitar o monitoramento para AVD" + "text": "Habilitar o monitoramento para AVD", + "waf": "Fiabilidade" }, { "category": "Monitoramento e Gerenciamento", "description": "A Área de Trabalho Virtual do Azure usa o Azure Monitor e o Log Analytics para monitoramento e alertas, como muitos outros serviços do Azure. Isso permite que os administradores identifiquem problemas por meio de uma única interface. O serviço cria logs de atividades para ações de usuário e administrativas. Cada registro de atividades se enquadra nas seguintes categorias: Gerenciamento, Feed, Conexões, Registro de Host, Erros, Pontos de Verificação. ", "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "id": "E02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "severity": "Média", "subcategory": "Monitorização", - "text": "Habilitar configurações de diagnóstico para Espaços de Trabalho, Pools de Hosts, Grupos de Aplicativos e VMs de Host para o espaço de trabalho do Log Analytics" + "text": "Habilitar configurações de diagnóstico para Espaços de Trabalho, Pools de Hosts, Grupos de Aplicativos e VMs de Host para o espaço de trabalho do Log Analytics", + "waf": "Fiabilidade" }, { "category": "Monitoramento e Gerenciamento", "description": "Consulte o artigo referenciado e este adicional para configurar o monitoramento e o alerta adequados para armazenamento: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. 
", "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "id": "E02.03", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "severity": "Média", "subcategory": "Monitorização", - "text": "Criar alertas no armazenamento de perfil para ser alertado em caso de alto uso e limitação" + "text": "Criar alertas no armazenamento de perfil para ser alertado em caso de alto uso e limitação", + "waf": "Fiabilidade" }, { "category": "Monitoramento e Gerenciamento", "description": "Você pode usar a Integridade do Serviço do Azure para monitorar problemas de serviço e avisos de integridade para a Área de Trabalho Virtual do Azure. O Azure Service Health pode notificá-lo com diferentes tipos de alertas (por exemplo, email ou SMS), ajudá-lo a entender o efeito de um problema e mantê-lo atualizado à medida que o problema é resolvido.", "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "id": "E02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "severity": "Média", "subcategory": "Monitorização", - "text": "Configurar a Integridade do Serviço do Azure para alertas AVD " + "text": "Configurar a Integridade do Serviço do Azure para alertas AVD ", + "waf": "Fiabilidade" }, { "category": "Rede", "description": "Se necessário para se conectar ao ambiente local, avalie a opção de conectividade atual ou planeje a conectividade necessária (ExpressRoute, Azure S2S ou VPN NVA de 3ª parte). 
", "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "id": "F01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "Média", "subcategory": "Rede", - "text": "Determinar se a conectividade híbrida é necessária para se conectar ao ambiente local" + "text": "Determinar se a conectividade híbrida é necessária para se conectar ao ambiente local", + "waf": "Fiabilidade" }, { "category": "Rede", "description": "Os Pools de Hosts AVD podem ser implantados em topologias de rede WAN Virtual do Azure ou tradicionais 'Hub & Spoke'. Recomenda-se implantar cada Pool de Hosts em uma VNet 'spoke' separada, o uso de 'hub' não é recomendado.", "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "id": "F01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "severity": "Média", "subcategory": "Rede", - "text": "Determinar o posicionamento da Rede Virtual do Azure (VNet) para cada Pool de Hosts AVD" + "text": "Determinar o posicionamento da Rede Virtual do Azure (VNet) para cada Pool de Hosts AVD", + "waf": "Desempenho" }, { "category": "Rede", "description": "Avalie os requisitos de largura de banda, garanta que a largura de banda VPN/ER será suficiente, assegure-se de que as regras adequadas de roteamento e firewall estejam em vigor, teste a latência de ponta a ponta. ", "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "id": "F01.03", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "severity": "Média", "subcategory": "Rede", - "text": "Avaliar quais recursos locais são necessários dos pools de hosts AVD" + "text": "Avaliar quais recursos locais são necessários dos pools de hosts AVD", + "waf": "Fiabilidade" }, { "category": "Rede", "description": "Várias opções estão disponíveis. 
Você pode usar o Firewall do Azure ou NVA de 3ª parte, NSG (Grupo de Segurança de Rede) e/ou servidores Proxy equivalentes. O NSG não é capaz de ativar/desativar por URL, apenas portas e protocolos. O proxy deve ser usado apenas como configuração explícita no navegador do usuário. Os detalhes sobre como usar o Firewall do Azure Premium com AVD são relatados no artigo complementar na coluna 'Mais informações'. Certifique-se de permitir o acesso adequado aos URLs AVD necessários. O tunelamento forçado para o local não é recomendado.", "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": " https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "id": "F01.04", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "Média", "subcategory": "Rede", - "text": "Precisa controlar/restringir o tráfego de saída da Internet para hosts AVD?" + "text": "Precisa controlar/restringir o tráfego de saída da Internet para hosts AVD?", + "waf": "Segurança" }, { "category": "Rede", "description": "As URLs necessárias para acesso ao plano de controle AVD por hosts de sessão estão documentadas aqui: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. Uma ferramenta de verificação está disponível para verificar a conectividade dos hosts de sessão: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. 
O tunelamento forçado para o local não é recomendado.", "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "id": "F01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", "severity": "Alto", "subcategory": "Rede", - "text": "Garantir que os pontos de extremidade do plano de controle AVD estejam acessíveis" + "text": "Garantir que os pontos de extremidade do plano de controle AVD estejam acessíveis", + "waf": "Fiabilidade" }, { "category": "Rede", "description": "Considere o uso do Azure Defender Endpoint ou agentes 3rd-party semelhantes para controlar a navegação na Web do usuário, consulte a seção Segurança para obter mais detalhes.", "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "id": "F01.06", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "severity": "Média", "subcategory": "Rede", - "text": "Precisa controlar/restringir o tráfego de saída da Internet apenas para usuários em hosts AVD? " + "text": "Precisa controlar/restringir o tráfego de saída da Internet apenas para usuários em hosts AVD? ", + "waf": "Segurança" }, { "category": "Rede", - "description": "UDR e NSG personalizados podem ser aplicados a sub-redes do Pool de Hosts AVD, por exemplo, para redirecionar para o Firewall do Azure ou NVA, ou para filtrar/bloquear o tráfego de rede. Neste caso, recomenda-se revisar cuidadosamente para garantir que o caminho ideal para o tráfego de saída para o plano de controle AVD seja usado. As etiquetas de serviço agora podem ser usadas com UDR e NSG, então o tráfego do plano de gerenciamento AVD pode ser facilmente permitido: https://learn.microsoft.com/en-us/azure/virtual-desktop/safe-url-list.", + "description": "UDR e NSG personalizados podem ser aplicados a sub-redes do Pool de Hosts AVD, por exemplo, para redirecionar para o Firewall do Azure ou NVA, ou para filtrar/bloquear o tráfego de rede. 
Neste caso, recomenda-se revisar cuidadosamente para garantir que o caminho ideal para o tráfego de saída para o plano de controle AVD seja usado. As etiquetas de serviço agora podem ser usadas com UDR e NSG, então o tráfego do plano de gerenciamento AVD pode ser facilmente permitido: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "id": "F01.07", "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "severity": "Baixo", "subcategory": "Rede", - "text": "Revisar UDR e NSG personalizados para sub-redes do pool de hosts AVD" + "text": "Revisar UDR e NSG personalizados para sub-redes do pool de hosts AVD", + "waf": "Segurança" }, { "category": "Rede", "description": "O tráfego de rede das VMs do Host da Sessão AVD para o plano de controle AVD deve ser o mais direto possível. Redirecionar esse tráfego por meio de um Proxy ou Firewall com inspeção profunda de pacotes e/ou encerramento SSL pode causar sérios problemas e má experiência do cliente. Recomenda-se ignorar Proxy e Firewall apenas para o plano de controle AVD. O tráfego gerado pelo usuário navegando na web, em vez disso, deve ser filtrado pelo Firewall e/ou redirecionado para um Proxy. Para obter detalhes e diretrizes, consulte o artigo complementar na coluna \"Mais informações\".", "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", + "id": "F01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", "severity": "Alto", "subcategory": "Rede", - "text": "Não use servidores proxy, terminação SSL e inspeção profunda de pacotes para tráfego de plano de controle AVD" + "text": "Não use servidores proxy, terminação SSL e inspeção profunda de pacotes para tráfego de plano de controle AVD", + "waf": "Fiabilidade" }, { "category": "Rede", "description": "É recomendável avaliar e revisar os requisitos de largura de banda de rede para os usuários, com base no tipo de carga de trabalho específico. 
O artigo referenciado fornece estimativas e recomendações gerais, mas medidas específicas são necessárias para o dimensionamento adequado. ", "guid": "516785c6-fa96-4c96-ad88-408f372734c8", + "id": "F01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", "severity": "Baixo", "subcategory": "Rede", - "text": "Verifique a largura de banda de rede necessária para cada usuário e, no total, para o SKU da VM" + "text": "Verifique a largura de banda de rede necessária para cada usuário e, no total, para o SKU da VM", + "waf": "Desempenho" }, { "category": "Rede", "description": "Se o compartilhamento SMB de Arquivos do Azure for usado para armazenar perfis de usuário por meio do FSLogix, o uso do Ponto de Extremidade Privado (PE) para acesso privado ao armazenamento é recomendado. Os hosts de sessão AVD acessarão o armazenamento usando um IP privado na mesma rede virtual, uma sub-rede separada é recomendada. Esse recurso tem um custo adicional que deve ser avaliado. Se o PE não for usado, pelo menos o Service Endpoint é recomendado (sem custo associado).", "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "id": "F01.10", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "severity": "Média", "subcategory": "Rede", - "text": "Avaliar o uso do Ponto de Extremidade Privado para compartilhamento de Arquivos do Azure" + "text": "Avaliar o uso do Ponto de Extremidade Privado para compartilhamento de Arquivos do Azure", + "waf": "Segurança" }, { "category": "Rede", - "description": "As conexões com a Área de Trabalho Virtual do Azure podem usar TCP ou UDP. O RDP Shortpath é um recurso do AVD que estabelece um transporte direto baseado em UDP entre um cliente de Área de Trabalho Remota do Windows com suporte e o host de sessão. 
se os clientes tiverem linha de visão para hosts de sessão AVD da rede interna (o uso de VPN não é recomendado), esse recurso pode fornecer menor latência e melhores desempenhos, conforme explicado em https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", + "description": "As conexões com a Área de Trabalho Virtual do Azure podem usar TCP ou UDP. O RDP Shortpath é um recurso do AVD que estabelece um transporte direto baseado em UDP entre um cliente de Área de Trabalho Remota do Windows com suporte e o host de sessão. se os clientes tiverem linha de visão para hosts de sessão AVD da rede interna (o uso de VPN não é recomendado), esse recurso pode fornecer menor latência e melhores desempenhos, conforme explicado em https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", + "id": "F01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", "severity": "Média", "subcategory": "Rede", - "text": "Avaliar o uso do RDP ShortPath para clientes que se conectam a partir de redes internas gerenciadas" + "text": "Avaliar o uso do RDP ShortPath para clientes que se conectam a partir de redes internas gerenciadas", + "waf": "Desempenho" }, { "category": "Segurança", "description": "Os mecanismos de segurança fornecidos pelo GPO devem ser usados, se disponíveis. Por exemplo, é possível impor o bloqueio da tela da área de trabalho e o tempo ocioso de desconexão da sessão. 
Os GPOs existentes aplicados ao ambiente local devem ser revisados e, eventualmente, aplicados também para proteger também os hosts AVD quando ingressados no domínio.", "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", + "id": "G01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", "severity": "Média", "subcategory": "Diretório Ativo", - "text": "Revise o GPO do Active Directory para proteger sessões RDP" + "text": "Revise o GPO do Active Directory para proteger sessões RDP", + "waf": "Segurança" }, { "category": "Segurança", "description": "O Microsoft Defender for Endpoint oferece suporte à Área de Trabalho Virtual do Azure para Windows 10/11 Enterprise em várias sessões. Consulte o artigo para integrar dispositivos VDI (infraestrutura de área de trabalho virtual) não persistentes: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", "guid": "b1172576-9ef6-4691-a483-5ac932223ece", + "id": "G02.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "severity": "Alto", "subcategory": "Configuração do Host", - "text": "Garantir que as soluções antivírus e antimalware sejam usadas" + "text": "Garantir que as soluções antivírus e antimalware sejam usadas", + "waf": "Segurança" }, { "category": "Segurança", "description": "Os discos no Azure já são criptografados em repouso por padrão com chaves gerenciadas pela Microsoft. A criptografia de disco do sistema operacional da VM do host é possível e com suporte usando a Criptografia de Disco do Azure (ADE - BitLocker) e o Conjunto de Criptografia de Disco (DES - Criptografia do Lado do Servidor), este último é recomendado. A criptografia do armazenamento FSLogix usando Arquivos do Azure pode ser feita usando o SSE no Armazenamento do Azure. 
Para criptografia do OneDrive, consulte este artigo: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.", "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", + "id": "G02.02", "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", "severity": "Baixo", "subcategory": "Configuração do Host", - "text": "Avaliar os requisitos de criptografia de disco para hosts de sessão AVD" + "text": "Avaliar os requisitos de criptografia de disco para hosts de sessão AVD", + "waf": "Segurança" }, { "category": "Segurança", - "description": "O lançamento confiável são VMs do Azure Gen2 com recursos de segurança aprimorados destinados a proteger contra ameaças do \"fundo da pilha\" por meio de vetores de ataque, como rootkits, kits de inicialização e malware no nível do kernel. Recomendado para habilitar e aproveitar a Inicialização Segura, o TPM Virtual (vTPM) e o Monitoramento de Integridade.", + "description": "O lançamento confiável são VMs do Azure Gen2 com recursos de segurança aprimorados destinados a proteger contra ameaças da parte inferior da pilha por meio de vetores de ataque, como rootkits, kits de inicialização e malware no nível do kernel. Recomendado para habilitar e aproveitar a Inicialização Segura, o TPM Virtual (vTPM) e o Monitoramento de Integridade.", "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", + "id": "G02.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", "severity": "Média", "subcategory": "Configuração do Host", - "text": "Habilitar inicialização confiável em hosts de sessão de VM do Azure Gen2" + "text": "Habilitar inicialização confiável em hosts de sessão de VM do Azure Gen2", + "waf": "Segurança" }, { "category": "Segurança", "description": "O Lançamento Confiável e a VM Gen2 não são apenas recursos de aprimoramento de segurança e desempenho, mas também requisitos de sistema para o Windows 11. 
Ao criar um ambiente AVD baseado no Windows 11, é essencial habilitar esses recursos.", "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", + "id": "G02.04", "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", "severity": "Alto", "subcategory": "Configuração do Host", - "text": "Habilitar o Início Confiável e usar a imagem Gen2 são requisitos do sistema para o Windows 11" + "text": "Habilitar o Início Confiável e usar a imagem Gen2 são requisitos do sistema para o Windows 11", + "waf": "Segurança" }, { "category": "Segurança", "description": "O conteúdo exibido será automaticamente bloqueado ou oculto em capturas de tela. Lembre-se de que o compartilhamento de tela também será bloqueado ao usar o Teams ou outro software de colaboração que use o compartilhamento de tela.", "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", + "id": "G02.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", "severity": "Baixo", "subcategory": "Configuração do Host", - "text": "Considere ativar a proteção de captura de tela para impedir que informações confidenciais sejam capturadas" + "text": "Considere ativar a proteção de captura de tela para impedir que informações confidenciais sejam capturadas", + "waf": "Segurança" }, { "category": "Segurança", "description": "Se não for absolutamente necessário, o redirecionamento de unidades, impressoras e dispositivos USB para o dispositivo local de um usuário em uma sessão de área de trabalho remota deve ser desabilitado ou altamente restrito. 
Restringir o acesso ao Windows Explorer ocultando mapeamentos de unidades locais e remotas também é uma medida segura a ser adotada, impedindo que os usuários descubram informações indesejadas sobre a configuração do sistema e os usuários.", "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", + "id": "G02.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", "severity": "Média", "subcategory": "Configuração do Host", - "text": "Restringir o redirecionamento de dispositivos e o mapeamento de unidades" + "text": "Restringir o redirecionamento de dispositivos e o mapeamento de unidades", + "waf": "Segurança" }, { "category": "Segurança", "description": "Ao escolher um modelo de implantação, você pode fornecer aos usuários remotos acesso a áreas de trabalho virtuais inteiras ou apenas selecionar aplicativos. Os aplicativos remotos, ou RemoteApps, fornecem uma experiência perfeita à medida que o usuário trabalha com aplicativos em sua área de trabalho virtual. Os RemoteApps reduzem o risco permitindo que o usuário trabalhe apenas com um subconjunto da máquina remota exposta pelo aplicativo.", "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", + "id": "G03.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "Média", "subcategory": "Gestão", - "text": "Quando possível, prefira Aplicativos Remotos em vez de Áreas de Trabalho Completas (DAG)" + "text": "Quando possível, prefira Aplicativos Remotos em vez de Áreas de Trabalho Completas (DAG)", + "waf": "Segurança" }, { "category": "Segurança", "description": "O recurso de filtragem de conteúdo da Web fornecido pelo recurso Proteção da Web no Microsoft Defender for Endpoint pode ser usado para controlar a navegação na Web do usuário. Se essa ferramenta for usada, recomenda-se a configuração da filtragem da Web para navegação do usuário na Internet. 
O acesso pelo sistema operacional convidado às URLs necessárias do plano de controle AVD deve ser garantido.", "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "id": "G03.02", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "severity": "Média", "subcategory": "Gestão", - "text": "Precisa controlar/restringir a navegação do usuário na Internet a partir de hosts de sessão AVD?" + "text": "Precisa controlar/restringir a navegação do usuário na Internet a partir de hosts de sessão AVD?", + "waf": "Segurança" }, { "category": "Segurança", "description": "Recomendamos que você não conceda aos usuários acesso de administrador a áreas de trabalho virtuais. Se você precisar de pacotes de software, recomendamos disponibilizá-los por meio de utilitários de gerenciamento de configuração.", "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "id": "G03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", "severity": "Alto", "subcategory": "Gestão", - "text": "Garantir que os usuários do AVD não terão privilégios de administrador local em hosts AVD" + "text": "Garantir que os usuários do AVD não terão privilégios de administrador local em hosts AVD", + "waf": "Segurança" }, { "category": "Segurança", - "description": "Recomendamos que você habilite o Defender for Cloud para assinaturas, máquinas virtuais, cofres de chaves e contas de armazenamento usadas pelo AVD. Com esta ferramenta é possível avaliar e gerenciar vulnerabilidades, avaliar a conformidade com estruturas comuns como PCI, fortalecer a segurança geral do seu ambiente AVD e medi-la ao longo do tempo usando 'Secure Score': https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide#improve-your-secure-score.", + "description": "Recomendamos que você habilite o Defender for Cloud para assinaturas, máquinas virtuais, cofres de chaves e contas de armazenamento usadas pelo AVD. 
Com esta ferramenta é possível avaliar e gerenciar vulnerabilidades, avaliar a conformidade com estruturas comuns como PCI, fortalecer a segurança geral do seu ambiente AVD e medi-la ao longo do tempo usando 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "id": "G03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "severity": "Média", "subcategory": "Gestão", - "text": "Habilitar o Microsoft Defender for Cloud para gerenciar a postura de segurança dos hosts de sessão AVD" + "text": "Habilitar o Microsoft Defender for Cloud para gerenciar a postura de segurança dos hosts de sessão AVD", + "waf": "Segurança" }, { "category": "Segurança", "description": "Habilitar a coleta de logs de auditoria permite exibir atividades de usuário e administrador relacionadas à Área de Trabalho Virtual do Azure e armazená-la em um repositório central, como o espaço de trabalho do Log Analytics. ", "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "id": "G03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", "severity": "Média", "subcategory": "Gestão", - "text": "Habilitar o log de diagnóstico e auditoria" + "text": "Habilitar o log de diagnóstico e auditoria", + "waf": "Segurança" }, { "category": "Segurança", "description": "Atribua o privilégio mínimo necessário definindo funções administrativas, de operações e de engenharia às funções RBAC do Azure. Para limitar o acesso a funções de alto privilégio na zona de aterrissagem da Área de Trabalho Virtual do Azure, considere a integração com o PIM (Gerenciamento de Identidades Privilegiadas) do Azure. 
Manter o conhecimento de qual equipe é responsável por cada área administrativa específica ajuda a determinar as funções e a configuração do RBAC (controle de acesso baseado em função) do Azure.",
 "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
+ "id": "G03.06",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
 "severity": "Baixo",
 "subcategory": "Gestão",
- "text": "Avaliar o requisito de usar funções RBAC personalizadas para gerenciamento de AVD"
+ "text": "Avaliar o requisito de usar funções RBAC personalizadas para gerenciamento de AVD",
+ "waf": "Segurança"
 },
 {
 "category": "Segurança",
 "description": "Os usuários do AVD não devem ter permissão para instalar o aplicativo. Se necessário, o WDAC (Windows Defender Application Control) pode ser usado para controlar quais drivers e aplicativos têm permissão para serem executados em seus clientes Windows. ",
 "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284",
+ "id": "G03.07",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control",
 "severity": "Média",
 "subcategory": "Gestão",
- "text": "Impedir que os usuários instalem aplicativos não autorizados"
+ "text": "Impedir que os usuários instalem aplicativos não autorizados",
+ "waf": "Segurança"
 },
 {
 "category": "Segurança",
 "description": "A habilitação da MFA e da CA permite que você gerencie riscos antes de conceder aos usuários acesso ao seu ambiente AVD. Ao decidir a quais usuários conceder acesso, recomendamos que você também considere quem é o usuário, como ele entra e qual dispositivo está usando. Detalhes adicionais e procedimentos de configuração são fornecidos no artigo complementar. 
A ID do Microsoft Entra é o novo nome do Azure Active Directory (Azure AD).",
 "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
+ "id": "G04.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
 "severity": "Média",
 "subcategory": "Microsoft Entra ID",
- "text": "Avaliar o uso de MFA (Multi-Factor Authentication) e CA (Acesso Condicional) para usuários AVD"
+ "text": "Avaliar o uso de MFA (Multi-Factor Authentication) e CA (Acesso Condicional) para usuários AVD",
+ "waf": "Segurança"
 },
 {
 "category": "Segurança",
 "description": "Se Zero Trust for um requisito, revise o artigo complementar na coluna 'Mais informações'. Ele fornece etapas para aplicar os princípios de Confiança Zero a uma implantação de Área de Trabalho Virtual do Azure.",
 "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43",
+ "id": "G05.01",
 "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd",
 "severity": "Média",
 "subcategory": "Confiança Zero",
- "text": "Revise e aplique os princípios e diretrizes do Zero Trust"
+ "text": "Revise e aplique os princípios e diretrizes do Zero Trust",
+ "waf": "Segurança"
 },
 {
 "category": "Armazenamento",
 "description": "Se usado, certifique-se de verificar a lista de práticas recomendadas e recomendações descritas no artigo referenciado.",
 "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
+ "id": "H01.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop",
 "severity": "Média",
 "subcategory": "Arquivos do Azure",
- "text": "Verificar as práticas recomendadas para Arquivos do Azure"
+ "text": "Verificar as práticas recomendadas para Arquivos do Azure",
+ "waf": "Desempenho"
 },
 {
 "category": "Armazenamento",
 "description": "O SMB Multichannel permite que os clientes usem várias conexões de rede que fornecem maior desempenho e, ao mesmo tempo, reduzem o custo de propriedade. 
O desempenho aprimorado é obtido por meio da agregação de largura de banda em várias NICs e da utilização do suporte a RSS (Receive Side Scaling) para NICs para distribuir a carga de E/S em várias CPUs.",
 "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369",
+ "id": "H01.02",
 "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance",
 "severity": "Baixo",
 "subcategory": "Arquivos do Azure",
- "text": "Habilite o SMB multicanal ao usar um compartilhamento de arquivos premium para hospedar contêineres de perfil FSLogix."
+ "text": "Habilite o SMB multicanal ao usar um compartilhamento de arquivos premium para hospedar contêineres de perfil FSLogix.",
+ "waf": "Desempenho"
 },
 {
 "category": "Armazenamento",
 "description": "Se uma segunda região for necessária para fins de DR, verifique a disponibilidade da NetApp lá também.",
 "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3",
+ "id": "H02.01",
 "link": "https://azure.microsoft.com/global-infrastructure/services/",
 "severity": "Média",
 "subcategory": "Azure NetApp Files",
- "text": "Se o armazenamento do NetApp Files for necessário, verifique a disponibilidade do serviço de armazenamento em sua região específica." 
+ "text": "Se o armazenamento do NetApp Files for necessário, verifique a disponibilidade do serviço de armazenamento em sua região específica.",
+ "waf": "Fiabilidade"
 },
 {
 "category": "Armazenamento",
 "description": "A opção CA é uma configuração recomendada no cenário FSLogix, pois permite uma sessão SMB mais resiliente entre o Host da Sessão e os Arquivos NetApp.",
 "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024",
+ "id": "H02.02",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container",
 "severity": "Média",
 "subcategory": "Azure NetApp Files",
- "text": "Se o armazenamento NetApp Files for usado, habilite a opção CA (Continuous Availability) para aumentar a resiliência"
+ "text": "Se o armazenamento NetApp Files for usado, habilite a opção CA (Continuous Availability) para aumentar a resiliência",
+ "waf": "Fiabilidade"
 },
 {
 "category": "Armazenamento",
 "description": "Um Site do Active Directory deve ser criado para o ambiente de rede virtual do Azure onde a sub-rede ANF (Azure NetApp Files) será criada, e esse nome de site deve ser especificado na propriedade de conexão ANF ao executar o procedimento de associação, conforme explicado no artigo de referência.",
 "guid": "6647e977-db49-48a8-bc35-743f17499d42",
+ "id": "H02.03",
 "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections",
 "severity": "Alto",
 "subcategory": "Azure NetApp Files",
- "text": "Se o armazenamento de Arquivos NetApp do Azure for usado, verifique a configuração Nome do Site do Active Directory na configuração de Conexão do Active Directory"
+ "text": "Se o armazenamento de Arquivos NetApp do Azure for usado, verifique a configuração Nome do Site do Active Directory na configuração de Conexão do Active Directory",
+ "waf": "Fiabilidade"
 },
 {
 "category": "Armazenamento",
 "description": "Opções possíveis: HDD padrão, SSD padrão ou SSD premium. Discos efêmeros não são suportados, Ultra-Disks não recomendados. 
Recomendado para avaliar o disco Premium para SO se a densidade do usuário não for baixa e se o Cloud Cache for usado. ",
 "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
+ "id": "H03.01",
 "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
 "severity": "Média",
 "subcategory": "Planejamento de Capacidade",
- "text": "Determinar qual tipo de disco gerenciado será usado para os hosts de sessão"
+ "text": "Determinar qual tipo de disco gerenciado será usado para os hosts de sessão",
+ "waf": "Desempenho"
 },
 {
 "category": "Armazenamento",
 "description": "As opções possíveis são: Arquivos do Azure NetApp, Arquivos do Azure, Servidor de Arquivos baseado em VM. Servidor de arquivos não é recomendado. O Azure Files Premium normalmente é um bom ponto de partida. NetApp geralmente necessário para ambiente de grande escala / alto desempenho. Para uma comparação detalhada, consulte o artigo na coluna 'Mais informações'.",
 "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
+ "id": "H03.02",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
 "severity": "Alto",
 "subcategory": "Planejamento de Capacidade",
- "text": "Determinar qual solução de back-end de armazenamento será usada para perfis FSLogix"
+ "text": "Determinar qual solução de back-end de armazenamento será usada para perfis FSLogix",
+ "waf": "Desempenho"
 },
 {
 "category": "Armazenamento",
 "description": "Cada Pool de Hosts deve usar um conjunto separado de contas/volumes de armazenamento (pelo menos um) e compartilhamentos. Os usuários devem ter um perfil diferente para cada Pool de Hosts, pois as configurações são específicas para cada Pool de Hosts. Além disso, acessar diferentes pools de hosts ao mesmo tempo pode causar erros no perfil de usuário compartilhado VHD/X. 
O uso de diferentes contas/volumes de armazenamento para vários compartilhamentos também é recomendado para dimensionar de forma independente.",
 "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4",
+ "id": "H03.03",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
 "severity": "Alto",
 "subcategory": "Planejamento de Capacidade",
- "text": "Não compartilhe armazenamento e perfis entre pools de hosts diferentes"
+ "text": "Não compartilhe armazenamento e perfis entre pools de hosts diferentes",
+ "waf": "Desempenho"
 },
 {
 "category": "Armazenamento",
 "description": "Como ponto de partida para estimar os requisitos de desempenho de armazenamento de contêiner de perfil, recomendamos assumir 10 IOPS por usuário no estado estacionário e 50 IOPS por usuário durante a entrada/saída. Os requisitos de espaço são simplesmente obtidos com base no tamanho máximo de perfis no FSLogix pelo número total de usuários para cada Pool de Hosts. Várias contas de armazenamento podem ser usadas para o mesmo Pool de Hosts, se necessário.",
 "guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
+ "id": "H03.04",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-",
 "severity": "Alto",
 "subcategory": "Planejamento de Capacidade",
- "text": "Verificar os limites de escalabilidade de armazenamento e os requisitos do Pool de Hosts"
+ "text": "Verificar os limites de escalabilidade de armazenamento e os requisitos do Pool de Hosts",
+ "waf": "Fiabilidade"
 },
 {
 "category": "Armazenamento",
 "description": "Evite introduzir latência e custos adicionais associados ao tráfego de rede entre regiões, sempre que possível.",
 "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
+ "id": "H03.05",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
 "severity": "Alto",
 "subcategory": "Planejamento de Capacidade",
- "text": "Para obter o desempenho ideal, a solução de armazenamento e o 
contêiner de perfil FSLogix devem estar na mesma região do Azure."
+ "text": "Para obter o desempenho ideal, a solução de armazenamento e o contêiner de perfil FSLogix devem estar na mesma região do Azure.",
+ "waf": "Desempenho"
 },
 {
 "category": "Armazenamento",
 "description": "A recomendação na Área de Trabalho Virtual do Azure é usar o Contêiner de Perfil sem divisão ODFC (Contêiner do Office), a menos que você esteja planejando cenários específicos de BCDR (Business Continuity and Disaster Recovery), conforme descrito na seção Recuperação de Desastres abaixo. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
 "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
+ "id": "H04.01",
 "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers",
 "severity": "Alto",
 "subcategory": "FSLogix",
- "text": "Não use Contêineres do Office (ODFC) se não for estritamente necessário e justificado"
+ "text": "Não use Contêineres do Office (ODFC) se não for estritamente necessário e justificado",
+ "waf": "Fiabilidade"
 },
 {
 "category": "Armazenamento",
 "description": "Certifique-se de configurar as seguintes exclusões de antivírus para discos rígidos virtuais FSLogix Profile Container, conforme documentado no artigo referenciado na coluna 'Mais informações'.",
 "guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
+ "id": "H04.02",
 "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions",
 "severity": "Média",
 "subcategory": "FSLogix",
- "text": "Configure as exclusões de antivírus recomendadas para FSLogix (inclui não examinar arquivos VHD(x) na conexão)."
+ "text": "Configure as exclusões de antivírus recomendadas para FSLogix (inclui não examinar arquivos VHD(x) na conexão).",
+ "waf": "Segurança"
 },
 {
 "category": "Armazenamento",
 "description": "Os contêineres de perfil têm um tamanho máximo padrão de 30 GB. 
Se os Contêineres de Perfil grandes forem antecipados e os clientes quiserem tentar mantê-los pequenos, considere usar o OneDrive para hospedar arquivos do Office 365 fora do perfil FSLogix.",
 "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
+ "id": "H04.03",
 "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference",
 "severity": "Alto",
 "subcategory": "FSLogix",
- "text": "Revise e confirme o tamanho máximo do perfil configurado no FSLogix"
+ "text": "Revise e confirme o tamanho máximo do perfil configurado no FSLogix",
+ "waf": "Custar"
 },
 {
 "category": "Armazenamento",
 "description": "Os padrões e as configurações recomendadas são relatados no artigo complementar na coluna 'Mais informações'. Se chaves e/ou valores não recomendados precisarem ser usados, certifique-se de revisar com um especialista em AVD da Microsoft e documentar claramente suas escolhas.",
 "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
+ "id": "H04.04",
 "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples",
 "severity": "Alto",
 "subcategory": "FSLogix",
- "text": "Revise as chaves do Registro FSLogix e determine quais aplicar"
+ "text": "Revise as chaves do Registro FSLogix e determine quais aplicar",
+ "waf": "Fiabilidade"
 },
 {
 "category": "Armazenamento",
 "description": "Conexões simultâneas ou múltiplas não são recomendadas na Área de Trabalho Virtual do Azure. Conexões simultâneas também não são suportadas por Hosts de Sessão em execução em um Pool de Host de Área de Trabalho Virtual do Azure. O OneDrive, se usado, não oferece suporte a conexões simultâneas ou múltiplas usando o mesmo contêiner, em nenhuma circunstância. 
Para várias conexões, o uso do mesmo disco de perfil não é recomendado.",
 "guid": "5e985b85-9c77-43e7-b261-623b775a917e",
+ "id": "H04.05",
 "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections",
 "severity": "Alto",
 "subcategory": "FSLogix",
- "text": "Evite o uso de conexões simultâneas ou múltiplas"
+ "text": "Evite o uso de conexões simultâneas ou múltiplas",
+ "waf": "Fiabilidade"
 },
 {
 "category": "Armazenamento",
- "description": "O Cloud Cache usa a unidade do sistema operacional como armazenamento de cache local e pode gerar muita pressão no disco da VM. Dependendo da SKU da VM e do tamanho usado, a unidade temporária da VM pode ser uma solução viável e eficiente para realocar o conteúdo armazenado em cache do Cloud Cache. Antes de adotar esta solução, testes devem ser executados para confirmar o desempenho e a estabilidade. Mais detalhes sobre o Cloud Cache podem ser encontrados aqui: https://learn.microsoft.com/en-us/fslogix/concepts-fslogix-cloud-cache. ",
+ "description": "O Cloud Cache usa a unidade do sistema operacional como armazenamento de cache local e pode gerar muita pressão no disco da VM. Dependendo da SKU da VM e do tamanho usado, a unidade temporária da VM pode ser uma solução viável e eficiente para realocar o conteúdo armazenado em cache do Cloud Cache. Antes de adotar esta solução, testes devem ser executados para confirmar o desempenho e a estabilidade. Mais detalhes sobre o Cloud Cache podem ser encontrados aqui: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. ",
 "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
+ "id": "H04.06",
 "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference",
 "severity": "Baixo",
 "subcategory": "FSLogix",
- "text": "Se o FSLogix Cloud Cache for usado, considere mover o diretório de cache para a unidade temporária da VM." 
+ "text": "Se o FSLogix Cloud Cache for usado, considere mover o diretório de cache para a unidade temporária da VM.",
+ "waf": "Desempenho"
 },
 {
 "category": "Armazenamento",
 "description": "REDIRECTION.XML arquivo é usado para controlar quais pastas são redirecionadas do contêiner de perfil para a unidade 'C:'. As exclusões devem ser a exceção e nunca devem ser usadas a menos que a exclusão específica seja completamente compreendida pela pessoa que configura a exclusão. As exclusões devem ser sempre totalmente testadas no ambiente em que se destinam a ser implementadas. A configuração de exclusões pode afetar a funcionalidade, a estabilidade e o desempenho.",
 "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
+ "id": "H04.07",
 "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
 "severity": "Média",
 "subcategory": "FSLogix",
- "text": "Revise o uso do redirecionamento FSLogix."
+ "text": "Revise o uso do redirecionamento FSLogix.",
+ "waf": "Custar"
 }
 ],
 "metadata": {
 "name": "Azure Virtual Desktop Review",
 "state": "GA",
- "timestamp": "July 14, 2023"
+ "timestamp": "November 09, 2023"
 },
 "severities": [
 {
@@ -1235,5 +1494,30 @@
 "description": "Não aplicável ao projeto atual",
 "name": "N/A"
 }
+ ],
+ "waf": [
+ {
+ "name": "Fiabilidade"
+ },
+ {
+ "name": "Segurança"
+ },
+ {
+ "name": "Custar"
+ },
+ {
+ "name": "Operações"
+ },
+ {
+ "name": "Desempenho"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Sim"
+ },
+ {
+ "name": "Não"
+ }
 ]
 }
\ No newline at end of file
diff --git a/checklists/checklist.en.master.json b/checklists/checklist.en.master.json
index cf5350ccc..110231c97 100644
--- a/checklists/checklist.en.master.json
+++ b/checklists/checklist.en.master.json
@@ -77,8 +77,8 @@
 "id": "A02.03",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
 "services": [
- "Cost",
- "Entra"
+ "Entra",
+ "Cost"
 ],
 "severity": "Medium",
 "subcategory": "Cloud Solution Provider",
@@ -107,8 +107,8 @@
 "id": "A03.02",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "services": [
- "TrafficManager",
- "Entra"
+ "Entra",
+ "TrafficManager"
 ],
 "severity": "Low",
 "subcategory": "Enterprise Agreement",
@@ -137,8 +137,8 @@
 "id": "A03.04",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "services": [
- "Cost",
- "Entra"
+ "Entra",
+ "Cost"
 ],
 "severity": "Medium",
 "subcategory": "Enterprise Agreement",
@@ -153,8 +153,8 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "services": [
 "Subscriptions",
- "Cost",
- "Entra"
+ "Entra",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Enterprise Agreement",
@@ -168,8 +168,8 @@
 "id": "A03.06",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Enterprise Agreement",
@@ -197,9 +197,9 @@
 "id": "A04.02",
 "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice",
 "services": [
- "Cost",
+ "Entra",
 "Storage",
- "Entra"
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Microsoft Customer Agreement",
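Review bot: Every hunk of checklist.en.master.json visible here, starting with this one (A02.03) and running through the D08, E and F items, changes only the order of entries inside a `services` array, and the resulting order follows no visible rule (`Entra` moves to the front in A02.03 and B02.01, `Monitor` to the front in B03.02, `Cost` to the end in C02.08 and C02.10), which looks like an unordered collection being re-serialised rather than a deliberate edit. If consumers treat `services` as a set this is pure churn that will reappear on every regeneration and buries real changes in the same diff; if any consumer reads position (for example the first entry as the item's primary service), the meaning of these items changes silently, which cannot be confirmed from the diff alone. Whichever tool writes this file should emit `services` in a deterministic order (alphabetical is the simplest) before serialising, so the array is stable and reviewable; the same remark applies to every other `services` hunk in this file section rather than being repeated per hunk.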
@@ -213,8 +213,8 @@
 "id": "A04.03",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
 "services": [
- "Cost",
- "Entra"
+ "Entra",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Microsoft Customer Agreement",
@@ -228,8 +228,8 @@
 "id": "A04.04",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Microsoft Customer Agreement",
@@ -259,8 +259,8 @@
 "id": "B02.01",
 "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server",
 "services": [
- "ASR",
- "Entra"
+ "Entra",
+ "ASR"
 ],
 "severity": "Medium",
 "subcategory": "Microsoft Entra ID",
@@ -290,8 +290,8 @@
 "id": "B03.02",
 "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
 "services": [
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -306,10 +306,10 @@
 "id": "B03.03",
 "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
 "services": [
- "Subscriptions",
 "ACR",
+ "Entra",
 "RBAC",
- "Entra"
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": "Identity",
@@ -356,8 +356,8 @@
 "id": "B03.06",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -418,9 +418,9 @@
 "id": "B03.10",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
 "services": [
- "Subscriptions",
+ "Entra",
 "RBAC",
- "Entra"
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -435,8 +435,8 @@
 "id": "B03.11",
 "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
 "services": [
- "Subscriptions",
- "Entra"
+ "Entra",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -497,8 +497,8 @@
 "id": "B03.15",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -529,11 +529,11 @@
 "id": "B04.02",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations",
 "services": [
- "Storage",
- "AKV",
 "RBAC",
+ "AKV",
+ "ACR",
 "Entra",
- "ACR"
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Landing zones",
@@ -606,9 +606,9 @@
 "id": "C02.03",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations",
 "services": [
- "Subscriptions",
 "AzurePolicy",
- "RBAC"
+ "RBAC",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Subscriptions",
@@ -623,10 +623,10 @@
 "id": "C02.04",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations",
 "services": [
- "Subscriptions",
 "ExpressRoute",
 "DNS",
- "VWAN"
+ "VWAN",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Subscriptions",
@@ -656,8 +656,8 @@
 "id": "C02.06",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "Subscriptions",
- "RBAC"
+ "RBAC",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Subscriptions",
@@ -686,10 +686,10 @@
 "id": "C02.08",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/overview",
 "services": [
- "Subscriptions",
- "Cost",
 "AzurePolicy",
- "RBAC"
+ "Subscriptions",
+ "RBAC",
+ "Cost"
 ],
 "severity": "High",
 "subcategory": "Subscriptions",
@@ -718,10 +718,10 @@
 "id": "C02.10",
 "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations",
 "services": [
- "Subscriptions",
- "Cost",
 "AzurePolicy",
- "VM"
+ "VM",
+ "Subscriptions",
+ "Cost"
 ],
 "severity": "High",
 "subcategory": "Subscriptions",
@@ -737,8 +737,8 @@
 "id": "C02.11",
 "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity",
 "services": [
- "Subscriptions",
- "Monitor"
+ "Monitor",
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": "Subscriptions",
@@ -770,8 +770,8 @@
 "id": "C02.13",
 "link": "https://learn.microsoft.com/azure/governance/management-groups/overview",
 "services": [
- "Subscriptions",
- "Entra"
+ "Entra",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Subscriptions",
@@ -846,8 +846,8 @@
 "id": "D01.01",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery",
 "services": [
- "AppGW",
- "FrontDoor"
+ "FrontDoor",
+ "AppGW"
 ],
 "severity": "Medium",
 "subcategory": "App delivery",
@@ -935,13 +935,13 @@
 "id": "D03.02",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute",
 "services": [
- "NVA",
 "VPN",
 "DNS",
+ "NVA",
+ "VNet",
 "Entra",
 "Firewall",
- "ExpressRoute",
- "VNet"
+ "ExpressRoute"
 ],
 "severity": "High",
 "subcategory": "Hub and spoke",
@@ -969,8 +969,8 @@
 "id": "D03.04",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
 "services": [
- "ARS",
 "VPN",
+ "ARS",
 "ExpressRoute"
 ],
 "severity": "Low",
@@ -1033,9 +1033,9 @@
 "id": "D03.08",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
 "services": [
- "ExpressRoute",
 "VNet",
- "Entra"
+ "Entra",
+ "ExpressRoute"
 ],
 "severity": "Medium",
 "subcategory": "Hub and spoke",
@@ -1130,8 +1130,8 @@
 "id": "D04.04",
 "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
 "services": [
- "Cost",
- "ExpressRoute"
+ "ExpressRoute",
+ "Cost"
 ],
 "severity": "High",
 "subcategory": "Hybrid",
@@ -1147,8 +1147,8 @@
 "id": "D04.05",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
 "services": [
- "Cost",
- "ExpressRoute"
+ "ExpressRoute",
+ "Cost"
 ],
 "severity": "High",
 "subcategory": "Hybrid",
@@ -1225,8 +1225,8 @@
 "id": "D04.10",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about",
 "services": [
- "Cost",
- "ExpressRoute"
+ "ExpressRoute",
+ "Cost"
 ],
 "severity": "High",
 "subcategory": "Hybrid",
@@ -1256,8 +1256,8 @@
 "id": "D04.12",
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts",
 "services": [
- "ExpressRoute",
- "Monitor"
+ "Monitor",
+ "ExpressRoute"
 ],
 "severity": "Medium",
 "subcategory": "Hybrid",
@@ -1272,9 +1272,9 @@
 "id": "D04.13",
 "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor",
 "services": [
- "NetworkWatcher",
 "ACR",
- "Monitor"
+ "Monitor",
+ "NetworkWatcher"
 ],
 "severity": "Medium",
 "subcategory": "Hybrid",
@@ -1385,8 +1385,8 @@
 "id": "D05.05",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
 "services": [
- "DNS",
- "VNet"
+ "VNet",
+ "DNS"
 ],
 "severity": "Medium",
 "subcategory": "IP plan",
@@ -1402,8 +1402,8 @@
 "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
 "services": [
 "ACR",
- "DNS",
- "VNet"
+ "VNet",
+ "DNS"
 ],
 "severity": "Medium",
 "subcategory": "IP plan",
@@ -1418,8 +1418,8 @@
 "id": "D05.07",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
 "services": [
- "DNS",
- "VNet"
+ "VNet",
+ "DNS"
 ],
 "severity": "Low",
 "subcategory": "IP plan",
@@ -1434,9 +1434,9 @@
 "id": "D05.08",
 "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
 "services": [
+ "VNet",
 "DNS",
- "VM",
- "VNet"
+ "VM"
 ],
 "severity": "High",
 "subcategory": "IP plan",
@@ -1497,9 +1497,9 @@
 "id": "D06.04",
 "link": "https://learn.microsoft.com/azure/firewall/",
 "services": [
- "Firewall",
- "AzurePolicy",
 "ACR",
+ "AzurePolicy",
+ "Firewall",
 "RBAC"
 ],
 "severity": "Medium",
@@ -1530,10 +1530,10 @@
 "id": "D06.06",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
 "services": [
- "WAF",
- "AzurePolicy",
 "ACR",
- "FrontDoor"
+ "FrontDoor",
+ "AzurePolicy",
+ "WAF"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -1548,10 +1548,10 @@
 "id": "D06.07",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "services": [
- "WAF",
+ "FrontDoor",
 "AzurePolicy",
- "AppGW",
- "FrontDoor"
+ "WAF",
+ "AppGW"
 ],
 "severity": "Low",
 "subcategory": "Internet",
@@ -1567,8 +1567,8 @@
 "id": "D06.08",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "services": [
- "WAF",
- "VNet"
+ "VNet",
+ "WAF"
 ],
 "severity": "High",
 "subcategory": "Internet",
@@ -1668,10 +1668,10 @@
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
 "services": [
 "NVA",
- "VWAN",
- "Storage",
+ "VNet",
 "Firewall",
- "VNet"
+ "Storage",
+ "VWAN"
 ],
 "severity": "High",
 "subcategory": "Internet",
@@ -1729,8 +1729,8 @@
 "id": "D07.03",
 "link": "https://learn.microsoft.com/azure/app-service/networking-features",
 "services": [
- "ExpressRoute",
- "PrivateLink"
+ "PrivateLink",
+ "ExpressRoute"
 ],
 "severity": "Medium",
 "subcategory": "PaaS",
@@ -1762,8 +1762,8 @@
 "link": "https://learn.microsoft.com/azure/app-service/networking-features",
 "services": [
 "NVA",
- "Firewall",
 "PrivateLink",
+ "Firewall",
 "DNS"
 ],
 "severity": "Medium",
@@ -1781,8 +1781,8 @@
 "id": "D08.01",
 "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
 "services": [
- "Firewall",
- "VNet"
+ "VNet",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "Segmentation",
@@ -1799,8 +1799,8 @@
 "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway",
 "services": [
 "VPN",
- "ExpressRoute",
- "VNet"
+ "VNet",
+ "ExpressRoute"
 ],
 "severity": "High",
 "subcategory": "Segmentation",
@@ -1860,8 +1860,8 @@
 "guid": "9c2299c4-d7b5-47d0-a655-562f2b3e4563",
 "id": "D08.06",
 "services": [
- "VM",
- "VNet"
+ "VNet",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Segmentation",
@@ -1893,8 +1893,8 @@
 "id": "D08.08",
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
 "services": [
- "NetworkWatcher",
- "VNet"
+ "VNet",
+ "NetworkWatcher"
 ],
 "severity": "Medium",
 "subcategory": "Segmentation",
@@ -1985,8 +1985,8 @@
 "id": "D09.06",
 "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
 "services": [
- "VWAN",
- "Monitor"
+ "Monitor",
+ "VWAN"
 ],
 "severity": "Medium",
 "subcategory": "Virtual WAN",
@@ -2015,8 +2015,8 @@
 "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
 "services": [
 "VPN",
- "ExpressRoute",
- "VWAN"
+ "VWAN",
+ "ExpressRoute"
 ],
 "severity": "Medium",
 "subcategory": "Virtual WAN",
@@ -2103,8 +2103,8 @@
 "id": "E01.04",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview",
 "services": [
- "Subscriptions",
- "AzurePolicy"
+ "AzurePolicy",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Governance",
@@ -2132,8 +2132,8 @@
 "id": "E01.06",
 "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
 "services": [
- "Subscriptions",
- "AzurePolicy"
+ "AzurePolicy",
+ "Subscriptions"
 ],
 "severity": "Low",
 "subcategory": "Governance",
@@ -2162,10 +2162,10 @@
 "id": "E01.08",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
 "services": [
- "Subscriptions",
+ "Entra",
 "AzurePolicy",
 "RBAC",
- "Entra"
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Governance",
@@ -2179,8 +2179,8 @@
 "id": "E01.09",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview",
 "services": [
- "Subscriptions",
- "AzurePolicy"
+ "AzurePolicy",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Governance",
@@ -2209,9 +2209,9 @@
 "id": "E02.01",
 "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config",
 "services": [
- "Cost",
+ "VM",
 "TrafficManager",
- "VM"
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Optimize your cloud investment",
@@ -2239,9 +2239,9 @@ "id": "E02.02", "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", "services": [ - "Cost", + "Monitor", "TrafficManager", - "Monitor" + "Cost" ], "severity": "Medium", "subcategory": "Optimize your cloud investment", @@ -2256,9 +2256,9 @@ "id": "F01.01", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "services": [ + "FrontDoor", "WAF", - "AppGW", - "FrontDoor" + "AppGW" ], "severity": "High", "subcategory": "App delivery", @@ -2272,10 +2272,10 @@ "id": "F01.02", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "services": [ + "FrontDoor", "WAF", - "Sentinel", "AppGW", - "FrontDoor" + "Sentinel" ], "severity": "Medium", "subcategory": "App delivery", @@ -2315,10 +2315,10 @@ "id": "F03.01", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ - "Entra", + "Monitor", "AzurePolicy", - "RBAC", - "Monitor" + "Entra", + "RBAC" ], "severity": "Medium", "subcategory": "Monitoring", @@ -2362,8 +2362,8 @@ "id": "F03.04", "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance", "services": [ - "AzurePolicy", - "Monitor" + "Monitor", + "AzurePolicy" ], "severity": "Medium", "subcategory": "Monitoring", @@ -2378,9 +2378,9 @@ "id": "F03.05", "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", "services": [ + "Monitor", "AzurePolicy", - "VM", - "Monitor" + "VM" ], "severity": "Medium", "subcategory": "Monitoring", 
@@ -2395,8 +2395,8 @@ "id": "F03.06", "link": "https://learn.microsoft.com/azure/automation/update-management/overview", "services": [ - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Medium", "subcategory": "Monitoring", @@ -2411,8 +2411,8 @@ "id": "F03.07", "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", "services": [ - "NetworkWatcher", - "Monitor" + "Monitor", + "NetworkWatcher" ], "severity": "Medium", "subcategory": "Monitoring", @@ -2442,9 +2442,9 @@ "id": "F03.09", "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ + "Monitor", "AzurePolicy", - "RBAC", - "Monitor" + "RBAC" ], "severity": "Low", "subcategory": "Monitoring", @@ -2500,9 +2500,9 @@ "id": "F03.13", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ + "Monitor", "Entra", - "RBAC", - "Monitor" + "RBAC" ], "severity": "Medium", "subcategory": "Monitoring", @@ -2530,8 +2530,8 @@ "id": "F03.15", "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", "services": [ - "Storage", - "Monitor" + "Monitor", + "Storage" ], "severity": "Medium", "subcategory": "Monitoring", @@ -2603,9 +2603,9 @@ "id": "F04.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", "services": [ + "Monitor", "AzurePolicy", - "VM", - "Monitor" + "VM" ], "severity": "Medium", "subcategory": "Operational compliance", @@ -2620,8 +2620,8 @@ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "services": [ "ACR", - "ASR", - "VM" + "VM", + "ASR" ], "severity": "Medium", "subcategory": "Protect and Recover", 
@@ -2693,8 +2693,8 @@ "id": "F06.03", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "services": [ - "LoadBalancer", "ACR", + "LoadBalancer", "AppGW" ], "severity": "Medium", @@ -2763,8 +2763,8 @@ "id": "G02.03", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "services": [ - "AzurePolicy", - "AKV" + "AKV", + "AzurePolicy" ], "severity": "Medium", "subcategory": "Encryption and keys", @@ -2779,8 +2779,8 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "services": [ "AKV", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "Medium", "subcategory": "Encryption and keys", @@ -2838,9 +2838,9 @@ "id": "G02.08", "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", "services": [ - "Entra", + "Monitor", "AKV", - "Monitor" + "Entra" ], "severity": "Medium", "subcategory": "Encryption and keys", @@ -2854,8 +2854,8 @@ "id": "G02.09", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "services": [ - "AzurePolicy", - "AKV" + "AKV", + "AzurePolicy" ], "severity": "Medium", "subcategory": "Encryption and keys", @@ -2928,8 +2928,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", "services": [ "ARS", - "Storage", - "Monitor" + "Monitor", + "Storage" ], "severity": "Medium", "subcategory": "Operations", @@ -3004,8 +3004,8 @@ "id": "G03.07", "link": "https://learn.microsoft.com/azure/security-center/", "services": [ - "Defender", - "Monitor" + "Monitor", + "Defender" ], "severity": "Medium", "subcategory": "Operations", @@ -3019,8 +3019,8 @@ "id": "G03.08", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ - "Entra", - "Monitor" + "Monitor", + "Entra" ], "severity": "Medium", "subcategory": "Operations", 
@@ -3261,9 +3261,9 @@ "id": "A01.01", "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data", "services": [ - "Backup", "SQL", - "AKV" + "AKV", + "Backup" ], "severity": "Medium", "subcategory": "Azure Key Vault", @@ -3278,9 +3278,9 @@ "id": "A02.01", "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", "services": [ - "Backup", "SQL", - "Storage" + "Storage", + "Backup" ], "severity": "Medium", "subcategory": "Backup", @@ -3295,9 +3295,9 @@ "id": "A02.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", "services": [ - "Backup", "SQL", - "Storage" + "Storage", + "Backup" ], "severity": "Low", "subcategory": "Backup", @@ -3357,8 +3357,8 @@ "id": "E01.01", "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ - "SQL", "EventHubs", + "SQL", "Defender" ], "severity": "High", @@ -3392,8 +3392,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ "SQL", - "Defender", - "Monitor" + "Monitor", + "Defender" ], "severity": "High", "subcategory": "Defender for Azure SQL", @@ -3409,8 +3409,8 @@ "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", "services": [ "SQL", - "Defender", - "Monitor" + "Monitor", + "Defender" ], "severity": "High", "subcategory": "Vulnerability Assessment", @@ -3457,8 +3457,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", "services": [ "SQL", - "Storage", - "AKV" + "AKV", + "Storage" ], "severity": "Low", "subcategory": "Column Encryption", 
@@ -3473,9 +3473,9 @@ "id": "F03.01", "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", "services": [ - "Backup", "SQL", - "Storage" + "Storage", + "Backup" ], "severity": "High", "subcategory": "Transparent Data Encryption", @@ -3537,8 +3537,8 @@ "id": "G01.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities", "services": [ - "Monitor", "SQL", + "Monitor", "Entra" ], "severity": "Medium", @@ -3572,9 +3572,9 @@ "services": [ "SQL", "AKV", - "RBAC", + "ACR", "Entra", - "ACR" + "RBAC" ], "severity": "Low", "subcategory": "Managed Identities", @@ -3701,12 +3701,12 @@ "id": "I01.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "EventHubs", - "Backup", "SQL", - "Storage", "Monitor", - "Entra" + "Backup", + "EventHubs", + "Entra", + "Storage" ], "severity": "Low", "subcategory": "Auditing", @@ -3721,11 +3721,11 @@ "id": "I01.03", "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "EventHubs", "SQL", - "Storage", "Monitor", - "Subscriptions" + "Subscriptions", + "EventHubs", + "Storage" ], "severity": "Medium", "subcategory": "Auditing", @@ -3772,8 +3772,8 @@ "id": "I02.03", "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "SQL", - "EventHubs" + "EventHubs", + "SQL" ], "severity": "Medium", "subcategory": "SIEM/SOAR", @@ -3837,9 +3837,9 @@ "id": "J02.01", "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql", "services": [ - "SQL", + "APIM", "EventHubs", - "APIM" + "SQL" ], "severity": "Medium", "subcategory": "Outbound Control", 
@@ -3871,10 +3871,10 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ "SQL", - "PrivateLink", "Monitor", - "Firewall", - "VNet" + "VNet", + "PrivateLink", + "Firewall" ], "severity": "Medium", "subcategory": "Private Access", @@ -3890,8 +3890,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ "SQL", - "PrivateLink", - "VNet" + "VNet", + "PrivateLink" ], "severity": "High", "subcategory": "Private Access", @@ -3907,8 +3907,8 @@ "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints", "services": [ "SQL", - "PrivateLink", - "VNet" + "VNet", + "PrivateLink" ], "severity": "Medium", "subcategory": "Private Access", @@ -3924,8 +3924,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview", "services": [ "SQL", - "ExpressRoute", - "VNet" + "VNet", + "ExpressRoute" ], "severity": "Medium", "subcategory": "Private Access", @@ -4067,8 +4067,8 @@ "id": "A01.01", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", "services": [ - "AKV", - "FrontDoor" + "FrontDoor", + "AKV" ], "severity": "Medium", "subcategory": "App delivery", @@ -4127,8 +4127,8 @@ "id": "A01.05", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "services": [ - "AppGW", - "VNet" + "VNet", + "AppGW" ], "severity": "Medium", "subcategory": "App delivery", @@ -4146,10 +4146,10 @@ "services": [ "NVA", "VNet", - "WAF", - "Entra", + "AppGW", "Subscriptions", - "AppGW" + "Entra", + "WAF" ], "severity": "Medium", "subcategory": "App delivery", 
@@ -4179,9 +4179,9 @@ "id": "A01.08", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "services": [ - "WAF", + "FrontDoor", "AzurePolicy", - "FrontDoor" + "WAF" ], "severity": "Medium", "subcategory": "App delivery", @@ -4196,10 +4196,10 @@ "id": "A01.09", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "services": [ - "WAF", + "FrontDoor", "AzurePolicy", - "AppGW", - "FrontDoor" + "WAF", + "AppGW" ], "severity": "Medium", "subcategory": "App delivery", @@ -4263,9 +4263,9 @@ "id": "A01.13", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "services": [ + "FrontDoor", "WAF", - "Storage", - "FrontDoor" + "Storage" ], "severity": "High", "subcategory": "App delivery", @@ -4280,8 +4280,8 @@ "id": "A01.14", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "services": [ - "TrafficManager", - "FrontDoor" + "FrontDoor", + "TrafficManager" ], "severity": "High", "subcategory": "App delivery", @@ -4369,9 +4369,9 @@ "id": "A01.20", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "services": [ - "Cost", + "FrontDoor", "AKV", - "FrontDoor" + "Cost" ], "severity": "High", "subcategory": "App delivery", @@ -4385,8 +4385,8 @@ "id": "A01.21", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "App delivery", @@ -4430,8 +4430,8 @@ "id": "A02.03", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "App delivery", 
@@ -4446,8 +4446,8 @@ "id": "A02.04", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "App delivery", @@ -4462,8 +4462,8 @@ "id": "A02.05", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-prevention-mode", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "App delivery", @@ -4478,8 +4478,8 @@ "id": "A02.06", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "App delivery", @@ -4494,8 +4494,8 @@ "id": "A02.07", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "App delivery", @@ -4509,8 +4509,8 @@ "id": "A02.08", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "App delivery", @@ -4524,8 +4524,8 @@ "id": "A02.09", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "App delivery", @@ -4539,8 +4539,8 @@ "id": "A02.10", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "App delivery", 
@@ -4554,8 +4554,8 @@ "id": "A02.11", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Low", "subcategory": "App delivery", @@ -4569,8 +4569,8 @@ "id": "A02.12", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "App delivery", @@ -4613,8 +4613,8 @@ "id": "01.02.01", "link": "https://learn.microsoft.com/azure-stack/hci/concepts/fault-tolerance#parity", "services": [ - "Backup", - "Storage" + "Storage", + "Backup" ], "severity": "Medium", "subcategory": "S2D", @@ -4791,8 +4791,8 @@ "id": "02.01.05", "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements", "services": [ - "Storage", - "VNet" + "VNet", + "Storage" ], "severity": "Medium", "subcategory": "Host", @@ -5008,9 +5008,9 @@ "id": "05.01.01", "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines", "services": [ - "Backup", "ASR", - "VM" + "VM", + "Backup" ], "severity": "High", "subcategory": "VM", @@ -5135,8 +5135,8 @@ "guid": "3277558e-3155-4088-b49a-78594cb4ce1a", "id": "07.01.02", "services": [ - "Storage", - "VNet" + "VNet", + "Storage" ], "severity": "High", "subcategory": "Stretch Clustering", @@ -5280,9 +5280,9 @@ "id": "A01.01", "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "Backup", "Storage", - "AVS" + "AVS", + "Backup" ], "severity": "Medium", "subcategory": "Backup", 
@@ -5297,8 +5297,8 @@ "id": "A02.01", "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "Backup", - "AVS" + "AVS", + "Backup" ], "severity": "Medium", "subcategory": "Business Continuity", @@ -5313,9 +5313,9 @@ "id": "A02.02", "link": "Best practice to deploy backup in the same region as your AVS deployment", "services": [ - "Backup", "ASR", - "AVS" + "AVS", + "Backup" ], "severity": "Medium", "subcategory": "Business Continuity", @@ -5360,8 +5360,8 @@ "id": "A03.01", "link": "https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager", "services": [ - "ASR", - "AVS" + "AVS", + "ASR" ], "severity": "Medium", "subcategory": "Disaster Recovery", @@ -5376,8 +5376,8 @@ "id": "A03.02", "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", "services": [ - "ASR", - "AVS" + "AVS", + "ASR" ], "severity": "Medium", "subcategory": "Disaster Recovery", @@ -5392,8 +5392,8 @@ "id": "A03.03", "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", "services": [ - "ASR", - "AVS" + "AVS", + "ASR" ], "severity": "Medium", "subcategory": "Disaster Recovery", @@ -5408,8 +5408,8 @@ "id": "A03.04", "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region", "services": [ - "ASR", - "AVS" + "AVS", + "ASR" ], "severity": "Medium", "subcategory": "Disaster Recovery", @@ -5424,8 +5424,8 @@ "id": "A03.05", "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "services": [ - "ASR", - "AVS" + "AVS", + "ASR" ], "severity": "Medium", "subcategory": "Disaster Recovery", 
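Review bot: Several `link` values on the new side of this and later hunks hold free text rather than a URL — `"link": "Best practice to deploy backup in the same region as your AVS deployment"` on A02.02 here, and likewise on A03.06, C02.04, C03.03, E06.02, E08.01, F02.02, H01.05 and the two AVS storage items — so a renderer that turns `link` into an href emits a broken anchor, and any `"format": "uri"` check on the field fails. I'd move that guidance into `description` and leave `link` empty or absent for those items, and, if the repository keeps a JSON Schema for the checklists, constrain `link` to a URI there so the exporter catches this. In the same spirit, the C03.x items carry `"subcategory": "Security "` with a trailing space, which any grouping or filtering by subcategory will treat as a category distinct from `"Security"`.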
@@ -5440,10 +5440,10 @@ "id": "A03.06", "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.", "services": [ - "NVA", "ExpressRoute", - "ASR", - "AVS" + "NVA", + "AVS", + "ASR" ], "severity": "Medium", "subcategory": "Disaster Recovery", @@ -5474,8 +5474,8 @@ "id": "B02.01", "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", "services": [ - "ExpressRoute", - "AVS" + "AVS", + "ExpressRoute" ], "severity": "Medium", "subcategory": "ExpressRoute", @@ -5490,8 +5490,8 @@ "id": "B02.02", "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction", "services": [ - "ExpressRoute", - "AVS" + "AVS", + "ExpressRoute" ], "severity": "Medium", "subcategory": "ExpressRoute", @@ -5506,8 +5506,8 @@ "id": "B02.03", "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "ExpressRoute", - "AVS" + "AVS", + "ExpressRoute" ], "severity": "Medium", "subcategory": "ExpressRoute", @@ -5522,8 +5522,8 @@ "id": "B02.04", "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "ExpressRoute", - "AVS" + "AVS", + "ExpressRoute" ], "severity": "Medium", "subcategory": "ExpressRoute", @@ -5555,9 +5555,9 @@ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ "VPN", - "ExpressRoute", + "VNet", "AVS", - "VNet" + "ExpressRoute" ], "severity": "Medium", "subcategory": "Hub & Spoke", @@ -5573,9 +5573,9 @@ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ "VPN", - "ExpressRoute", + "VNet", "AVS", - "VNet" + "ExpressRoute" ], "severity": "Medium", "subcategory": "Hub & Spoke", 
@@ -5591,9 +5591,9 @@ "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ "VPN", - "ExpressRoute", + "VNet", "AVS", - "VNet" + "ExpressRoute" ], "severity": "Medium", "subcategory": "Hub & Spoke", @@ -5640,8 +5640,8 @@ "id": "B05.02", "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal", "services": [ - "VNet", "Bastion", + "VNet", "AVS" ], "severity": "Medium", @@ -5658,8 +5658,8 @@ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", "services": [ "Bastion", - "VM", - "AVS" + "AVS", + "VM" ], "severity": "Medium", "subcategory": "Jumpbox & Bastion", @@ -5738,9 +5738,9 @@ "id": "B07.02", "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal", "services": [ - "VWAN", "VPN", - "AVS" + "AVS", + "VWAN" ], "severity": "Medium", "subcategory": "vWAN hub", @@ -5772,8 +5772,8 @@ "id": "C01.01", "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Access", @@ -5788,8 +5788,8 @@ "id": "C01.02", "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", "services": [ - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Access", @@ -5804,8 +5804,8 @@ "id": "C01.03", "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Access", @@ -5820,8 +5820,8 @@ "id": "C01.04", "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t", "services": [ - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Access", 
@@ -5836,8 +5836,8 @@ "id": "C02.01", "link": "https://youtu.be/4jvfbsrhnEs", "services": [ - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Security", @@ -5852,9 +5852,9 @@ "id": "C02.02", "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity", "services": [ + "Entra", "RBAC", - "AVS", - "Entra" + "AVS" ], "severity": "Medium", "subcategory": "Security", @@ -5869,9 +5869,9 @@ "id": "C02.03", "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges", "services": [ + "Entra", "RBAC", - "AVS", - "Entra" + "AVS" ], "severity": "Medium", "subcategory": "Security", @@ -5886,9 +5886,9 @@ "id": "C02.04", "link": "Best practice", "services": [ + "Entra", "RBAC", - "AVS", - "Entra" + "AVS" ], "severity": "Medium", "subcategory": "Security", @@ -5904,8 +5904,8 @@ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ "RBAC", - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Security ", @@ -5921,8 +5921,8 @@ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ "RBAC", - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Security ", @@ -5938,8 +5938,8 @@ "link": "Best practice", "services": [ "Monitor", - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Security ", @@ -5954,8 +5954,8 @@ "id": "C03.04", "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal", "services": [ - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "Medium", "subcategory": "Security ", @@ -5971,8 +5971,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview", "services": [ "Arc", - "VM", - "AVS" + "AVS", + "VM" ], "severity": "Medium", "subcategory": "Operations", 
@@ -5987,9 +5987,9 @@ "id": "D01.02", "link": "https://docs.microsoft.com/azure/governance/policy/overview", "services": [ + "Monitor", "AzurePolicy", - "AVS", - "Monitor" + "AVS" ], "severity": "Medium", "subcategory": "Operations", @@ -6050,8 +6050,8 @@ "id": "E01.01", "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Alerts", @@ -6066,8 +6066,8 @@ "id": "E01.02", "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Alerts", @@ -6082,8 +6082,8 @@ "id": "E01.03", "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Alerts", @@ -6098,11 +6098,11 @@ "id": "E02.01", "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "AzurePolicy", "VM", + "Monitor", + "AzurePolicy", "AVS", - "Backup", - "Monitor" + "Backup" ], "severity": "Medium", "subcategory": "Backup", @@ -6117,9 +6117,9 @@ "id": "E03.01", "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ + "Monitor", "AzurePolicy", - "AVS", - "Monitor" + "AVS" ], "severity": "Medium", "subcategory": "Capacity", @@ -6134,10 +6134,10 @@ "id": "E04.01", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern", "services": [ + "Monitor", "Subscriptions", - "Cost", "AVS", - "Monitor" + "Cost" ], "severity": "Medium", "subcategory": "Costs", 
@@ -6152,9 +6152,9 @@ "id": "E05.01", "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards", "services": [ + "Monitor", "NetworkWatcher", - "AVS", - "Monitor" + "AVS" ], "severity": "Medium", "subcategory": "Dashboard", @@ -6169,9 +6169,9 @@ "id": "E06.01", "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ + "Monitor", "Storage", - "AVS", - "Monitor" + "AVS" ], "severity": "Medium", "subcategory": "Logs & Metrics", @@ -6186,8 +6186,8 @@ "id": "E06.02", "link": "Is vROPS or vRealize Network Insight going to be used? ", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Logs & Metrics", @@ -6202,9 +6202,9 @@ "id": "E06.03", "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "VM", + "Monitor", "AVS", - "Monitor" + "VM" ], "severity": "Medium", "subcategory": "Logs & Metrics", @@ -6219,10 +6219,10 @@ "id": "E07.01", "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "AVS", - "NetworkWatcher", "VPN", "Monitor", + "AVS", + "NetworkWatcher", "ExpressRoute" ], "severity": "Medium", @@ -6238,9 +6238,9 @@ "id": "E07.02", "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "ExpressRoute", + "Monitor", "AVS", - "Monitor" + "ExpressRoute" ], "severity": "Medium", "subcategory": "Network", @@ -6255,8 +6255,8 @@ "id": "E07.03", "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Network", @@ -6271,8 +6271,8 @@ "id": "E08.01", "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Security", 
@@ -6287,8 +6287,8 @@ "id": "E08.02", "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Security", @@ -6303,8 +6303,8 @@ "id": "E09.01", "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "VMWare", @@ -6319,9 +6319,9 @@ "id": "E10.01", "link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard", "services": [ - "VM", + "Monitor", "AVS", - "Monitor" + "VM" ], "severity": "Medium", "subcategory": "VMware", @@ -6366,9 +6366,9 @@ "id": "F01.03", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ + "ARS", "NVA", - "AVS", - "ARS" + "AVS" ], "severity": "Medium", "subcategory": "Hub & Spoke", @@ -6414,10 +6414,10 @@ "id": "F02.02", "link": "Research and choose optimal solution for each application", "services": [ + "FrontDoor", "NVA", "AppGW", - "AVS", - "FrontDoor" + "AVS" ], "severity": "Medium", "subcategory": "Internet", @@ -6448,15 +6448,15 @@ "id": "F04.01", "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection", "services": [ - "LoadBalancer", - "AVS", - "VM", "VPN", - "FrontDoor", + "DDoS", + "VM", + "LoadBalancer", + "VNet", "AppGW", + "AVS", "ExpressRoute", - "DDoS", - "VNet" + "FrontDoor" ], "severity": "Medium", "subcategory": "Security", @@ -6534,8 +6534,8 @@ "id": "G01.01", "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal", "services": [ - "Subscriptions", - "AVS" + "AVS", + "Subscriptions" ], "severity": "Medium", "subcategory": "Automated Scale", 
@@ -6612,8 +6612,8 @@ "id": "G01.06", "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring", "services": [ - "AVS", - "Monitor" + "Monitor", + "AVS" ], "severity": "Medium", "subcategory": "Automated Scale", @@ -6720,8 +6720,8 @@ "id": "H01.05", "link": "Done through the subscription/resource providers/ AVS register in the portal", "services": [ - "Subscriptions", - "AVS" + "AVS", + "Subscriptions" ], "severity": "Medium", "subcategory": "Pre-deployment", @@ -6736,8 +6736,8 @@ "id": "H01.06", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone", "services": [ - "Subscriptions", - "AVS" + "AVS", + "Subscriptions" ], "severity": "Medium", "subcategory": "Pre-deployment", @@ -6843,8 +6843,8 @@ "id": "H01.13", "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", "services": [ - "Cost", - "AVS" + "AVS", + "Cost" ], "severity": "Medium", "subcategory": "Pre-deployment", @@ -6859,8 +6859,8 @@ "id": "H01.14", "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "ASR", - "AVS" + "AVS", + "ASR" ], "severity": "Medium", "subcategory": "Pre-deployment", @@ -6937,9 +6937,9 @@ "id": "I01.03", "link": "https://docs.microsoft.com/azure/key-vault/general/authentication", "services": [ - "ExpressRoute", "AKV", - "AVS" + "AVS", + "ExpressRoute" ], "severity": "Medium", "subcategory": "Encryption", @@ -6985,8 +6985,8 @@ "id": "I04.01", "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites", "services": [ - "Defender", - "AVS" + "AVS", + "Defender" ], "severity": "Medium", "subcategory": "Security", 
@@ -7184,8 +7184,8 @@ "link": "3rd-Party tools", "services": [ "Storage", - "VM", - "AVS" + "AVS", + "VM" ], "severity": "Medium", "subcategory": "Storage", @@ -7201,8 +7201,8 @@ "link": "Contact VMware", "services": [ "Storage", - "VM", - "AVS" + "AVS", + "VM" ], "severity": "Medium", "subcategory": "Storage", @@ -7251,8 +7251,8 @@ "services": [ "AzurePolicy", "Storage", - "VM", - "AVS" + "AVS", + "VM" ], "severity": "Medium", "subcategory": "Storage", @@ -7269,8 +7269,8 @@ "services": [ "AzurePolicy", "Storage", - "VM", - "AVS" + "AVS", + "VM" ], "severity": "Medium", "subcategory": "Storage", @@ -7333,8 +7333,8 @@ "id": "A01.02", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", "services": [ - "AzurePolicy", - "ACR" + "ACR", + "AzurePolicy" ], "severity": "High", "subcategory": "Data Protection", @@ -7382,8 +7382,8 @@ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", "services": [ "ACR", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "High", "subcategory": "Identity and Access Control", @@ -7399,8 +7399,8 @@ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", "services": [ "ACR", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "High", "subcategory": "Identity and Access Control", @@ -7416,8 +7416,8 @@ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", "services": [ "ACR", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "High", "subcategory": "Identity and Access Control", @@ -7463,8 +7463,8 @@ "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", "id": "A02.06", "services": [ - "EventHubs", "ACR", + "EventHubs", "PrivateLink", "Entra" ], 
@@ -7481,8 +7481,8 @@
 "id": "A02.07",
 "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
 "services": [
- "AzurePolicy",
 "ACR",
+ "AzurePolicy",
 "Entra"
 ],
 "severity": "Medium",
@@ -7498,9 +7498,9 @@
 "id": "A03.01",
 "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
 "services": [
- "Entra",
 "ACR",
- "Monitor"
+ "Monitor",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": "Logging and Monitoring",
@@ -7515,10 +7515,10 @@
 "id": "A04.01",
 "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
 "services": [
- "Firewall",
 "ACR",
+ "VNet",
 "PrivateLink",
- "VNet"
+ "Firewall"
 ],
 "severity": "Medium",
 "subcategory": "Network Security",
@@ -7565,8 +7565,8 @@
 "id": "A04.04",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
 "services": [
- "Defender",
- "ACR"
+ "ACR",
+ "Defender"
 ],
 "severity": "Low",
 "subcategory": "Network Security",
@@ -7636,10 +7636,10 @@
 "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
 "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
 "services": [
- "EventHubs",
 "AzurePolicy",
- "RBAC",
+ "EventHubs",
 "Entra",
+ "RBAC",
 "TrafficManager"
 ],
 "severity": "Medium",
@@ -7654,11 +7654,11 @@
 "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
 "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
 "services": [
- "EventHubs",
 "VM",
- "Storage",
 "AKV",
- "Entra"
+ "EventHubs",
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -7673,8 +7673,8 @@
 "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
 "services": [
 "EventHubs",
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -7689,8 +7689,8 @@
 "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
 "services": [
 "EventHubs",
- "VNet",
- "Monitor"
+ "Monitor",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Monitoring",
@@ -7705,8 +7705,8 @@
 "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
 "services": [
 "EventHubs",
- "PrivateLink",
- "VNet"
+ "VNet",
+ "PrivateLink"
 ],
 "severity": "Medium",
 "subcategory": "Networking",
@@ -7734,8 +7734,8 @@
 "id": "A01.01",
 "link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "Identity",
@@ -7763,8 +7763,8 @@
 "id": "A01.03",
 "link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "Identity",
@@ -7778,8 +7778,8 @@
 "id": "A01.04",
 "link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -7808,8 +7808,8 @@
 "id": "A01.06",
 "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -7823,12 +7823,12 @@
 "id": "B01.01",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
 "services": [
- "WAF",
- "Entra",
- "Firewall",
- "Subscriptions",
 "DDoS",
- "VNet"
+ "VNet",
+ "Subscriptions",
+ "Firewall",
+ "Entra",
+ "WAF"
 ],
 "severity": "Low",
 "subcategory": "DDoS",
@@ -7854,8 +7854,8 @@
 "id": "B03.01",
 "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
 "services": [
- "WAF",
- "FrontDoor"
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -7869,8 +7869,8 @@
 "id": "B03.02",
 "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
 "services": [
- "PrivateLink",
- "FrontDoor"
+ "FrontDoor",
+ "PrivateLink"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -7885,8 +7885,8 @@
 "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
 "services": [
 "NVA",
- "Firewall",
- "AzurePolicy"
+ "AzurePolicy",
+ "Firewall"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -8264,9 +8264,9 @@
 "id": "E03.01",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
 "services": [
- "Defender",
 "Arc",
- "AKS"
+ "AKS",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Posture",
@@ -8308,8 +8308,8 @@
 "id": "E05.02",
 "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes",
 "services": [
- "AzurePolicy",
- "Monitor"
+ "Monitor",
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Workload",
@@ -8337,8 +8337,8 @@
 "id": "E05.04",
 "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
 "services": [
- "Subscriptions",
- "ACR"
+ "ACR",
+ "Subscriptions"
 ],
 "severity": "Low",
 "subcategory": "Workload",
@@ -8366,8 +8366,8 @@
 "guid": "4d874a74-8b66-42d6-b150-512a66498f6d",
 "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
 "services": [
- "Backup",
- "VM"
+ "VM",
+ "Backup"
 ],
 "severity": "High",
 "subcategory": "Virtual Machines",
@@ -8470,9 +8470,9 @@
 "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891",
 "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
 "services": [
+ "VM",
 "AVS",
- "ASR",
- "VM"
+ "ASR"
 ],
 "severity": "High",
 "subcategory": "Virtual Machines",
@@ -8500,8 +8500,8 @@
 "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666",
 "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests",
 "services": [
- "ASR",
- "VM"
+ "VM",
+ "ASR"
 ],
 "severity": "Medium",
 "subcategory": "Virtual Machines",
@@ -8613,8 +8613,8 @@
 "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e",
 "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault",
 "services": [
- "Backup",
- "Storage"
+ "Storage",
+ "Backup"
 ],
 "severity": "Low",
 "subcategory": "Backup",
@@ -8697,8 +8697,8 @@
 "guid": "ced126cd-032a-4f5b-8fc6-998a535e3378",
 "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
 "services": [
- "Storage",
- "AppGW"
+ "AppGW",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Application Gateways",
@@ -8727,9 +8727,9 @@
 "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager",
 "services": [
 "Monitor",
- "TrafficManager",
+ "ASR",
 "DNS",
- "ASR"
+ "TrafficManager"
 ],
 "severity": "Low",
 "subcategory": "DNS",
@@ -8787,8 +8787,8 @@
 "guid": "a359c373-e7dd-4616-83a3-64a907ebae48",
 "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
 "services": [
- "Backup",
- "ExpressRoute"
+ "ExpressRoute",
+ "Backup"
 ],
 "severity": "Medium",
 "subcategory": "ExpressRoute",
@@ -8802,10 +8802,10 @@
 "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d",
 "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
 "services": [
- "Backup",
- "Cost",
+ "ExpressRoute",
 "VPN",
- "ExpressRoute"
+ "Cost",
+ "Backup"
 ],
 "severity": "Low",
 "subcategory": "ExpressRoute",
@@ -8922,8 +8922,8 @@
 "id": "A02.01",
 "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
 "services": [
- "Storage",
- "PrivateLink"
+ "PrivateLink",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Networking",
@@ -8938,9 +8938,9 @@
 "id": "A03.01",
 "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
 "services": [
- "Subscriptions",
 "Storage",
- "RBAC"
+ "RBAC",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Governance",
@@ -8955,8 +8955,8 @@
 "id": "A03.02",
 "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
 "services": [
- "Defender",
- "Storage"
+ "Storage",
+ "Defender"
 ],
 "severity": "High",
 "subcategory": "Governance",
@@ -9046,9 +9046,9 @@
 "id": "A09.01",
 "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
 "services": [
- "Subscriptions",
 "AzurePolicy",
- "Storage"
+ "Storage",
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": "Data Availability, Compliance",
@@ -9108,8 +9108,8 @@
 "id": "A11.01",
 "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -9123,9 +9123,9 @@
 "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
 "id": "A11.02",
 "services": [
+ "Entra",
 "Storage",
- "RBAC",
- "Entra"
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -9140,8 +9140,8 @@
 "id": "A11.03",
 "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -9156,10 +9156,10 @@
 "id": "A11.04",
 "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
 "services": [
- "Monitor",
- "Storage",
+ "Entra",
 "AKV",
- "Entra"
+ "Storage",
+ "Monitor"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -9174,10 +9174,10 @@
 "id": "A12.01",
 "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
 "services": [
- "AzurePolicy",
- "Storage",
+ "Monitor",
 "AKV",
- "Monitor"
+ "AzurePolicy",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Monitoring",
@@ -9192,10 +9192,10 @@
 "id": "A13.01",
 "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
 "services": [
- "AzurePolicy",
- "Storage",
+ "Entra",
 "AKV",
- "Entra"
+ "AzurePolicy",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -9210,9 +9210,9 @@
 "id": "A13.02",
 "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
 "services": [
+ "Entra",
 "AzurePolicy",
- "Storage",
- "Entra"
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -9227,10 +9227,10 @@
 "id": "A13.03",
 "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
 "services": [
- "AzurePolicy",
- "Storage",
 "AKV",
- "Entra"
+ "Entra",
+ "AzurePolicy",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -9244,8 +9244,8 @@
 "id": "A14.01",
 "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
 "services": [
- "Storage",
- "AKV"
+ "AKV",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "CI/CD",
@@ -9260,8 +9260,8 @@
 "id": "A15.01",
 "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -9276,9 +9276,9 @@
 "id": "A15.02",
 "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
 "services": [
+ "Entra",
 "AzurePolicy",
- "Storage",
- "Entra"
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -9293,8 +9293,8 @@
 "id": "A15.03",
 "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -9309,8 +9309,8 @@
 "id": "A15.04",
 "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -9324,8 +9324,8 @@
 "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
 "id": "A15.05",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "Low",
 "subcategory": "Identity and Access Management",
@@ -9340,9 +9340,9 @@
 "id": "A15.06",
 "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
 "services": [
+ "Entra",
 "Storage",
- "RBAC",
- "Entra"
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -9356,8 +9356,8 @@
 "id": "A15.07",
 "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -9431,8 +9431,8 @@
 "id": "A18.01",
 "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
 "services": [
- "Storage",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -9446,8 +9446,8 @@
 "id": "A01.01",
 "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
 "services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
 ],
 "subcategory": "Azure Monitor - enforce data collection rules",
 "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
@@ -9498,8 +9498,8 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
 "services": [
 "Backup",
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "delete/archive",
 "text": "delete or archive unused resources (old backups, logs, storage accounts, etc...)"
@@ -9512,9 +9512,9 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
 "services": [
 "Backup",
- "Cost",
+ "ASR",
 "Storage",
- "ASR"
+ "Cost"
 ],
 "subcategory": "delete/archive",
 "text": "consider a good balance between site recovery storage and backup for non mission critical applications"
@@ -9526,8 +9526,8 @@
 "id": "A04.01",
 "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
 "services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
 ],
 "subcategory": "Log Analytics retention for workspaces",
 "text": "check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
@@ -9540,9 +9540,9 @@
 "id": "A05.01",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "services": [
- "Cost",
+ "AzurePolicy",
 "Storage",
- "AzurePolicy"
+ "Cost"
 ],
 "subcategory": "Policy",
 "text": "enforce a purging log policy and automation (if needed, logs can be moved to cold storage)",
@@ -9582,9 +9582,9 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "services": [
 "Backup",
- "Cost",
+ "VM",
 "Storage",
- "VM"
+ "Cost"
 ],
 "subcategory": "stopped/deallocated VMs: check disks",
 "text": "check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -",
@@ -9597,9 +9597,9 @@
 "id": "A09.01",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
 "services": [
- "Cost",
+ "AzurePolicy",
 "Storage",
- "AzurePolicy"
+ "Cost"
 ],
 "subcategory": "storage accounts lifecycle policy",
 "text": "consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
@@ -9648,9 +9648,9 @@
 "id": "B03.01",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
 "services": [
- "Cost",
+ "VM",
 "Storage",
- "VM"
+ "Cost"
 ],
 "subcategory": "db optimization",
 "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and VMs"
@@ -9674,8 +9674,8 @@
 "id": "C01.01",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging",
 "services": [
- "Cost",
- "Entra"
+ "Entra",
+ "Cost"
 ],
 "subcategory": "Advisor",
 "text": "Start from the Azure Advisor page suggestions."
@@ -9687,8 +9687,8 @@
 "id": "C01.02",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview",
 "services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "Advisor",
 "text": "make sure advisor is configured for VM right sizing "
@@ -9712,8 +9712,8 @@
 "id": "C02.02",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview",
 "services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
 ],
 "subcategory": "Automation",
 "text": "set up cost alerts for applications that have variable costs (ideally for all of them)"
@@ -9749,8 +9749,8 @@
 "id": "C03.01",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "Baseline",
 "text": "try and establish a baseline of monthly spending and an acceptable saving target against the baseline (new services will not be optimized at this stage)"
@@ -9762,8 +9762,8 @@
 "id": "C03.02",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview",
 "services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
 ],
 "subcategory": "Baseline",
 "text": "establish a cost optimization baseline by using a policy that tags every new resource as #NEW"
@@ -9835,8 +9835,8 @@
 "id": "C06.01",
 "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor",
 "services": [
- "Cost",
- "ACR"
+ "ACR",
+ "Cost"
 ],
 "subcategory": "free services",
 "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. "
@@ -9886,9 +9886,9 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
 "services": [
 "SQL",
- "Cost",
 "AzurePolicy",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL",
 "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently"
@@ -9926,9 +9926,9 @@
 "id": "D05.01",
 "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
 "services": [
- "Cost",
- "VM"
- ],
+ "VM",
+ "Cost"
+ ],
 "subcategory": "planning",
 "text": "consolidate reserved VM families with flexibility option (no more than 4-5 families)",
 "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management"
@@ -9941,8 +9941,8 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
 "services": [
 "ARS",
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "reservations/savings plans",
 "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices."
@@ -9978,8 +9978,8 @@
 "id": "D07.01",
 "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "reserve storage",
 "text": "only larger disks can be reserved =>1TiB -"
@@ -9991,8 +9991,8 @@
 "id": "D08.01",
 "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
 "services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "reserve VMs with normalized and rationalized sizes",
 "text": "after the right-sizing optimization"
@@ -10005,8 +10005,8 @@
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
 "services": [
 "SQL",
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
 ],
 "subcategory": "SQL Database AHUB",
 "text": "check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations"
@@ -10019,8 +10019,8 @@
 "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
 "services": [
 "SQL",
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "SQL Database Reservations",
 "text": "the VM + licence part discount (ahub+3YRI) is around 70% discount"
@@ -10044,8 +10044,8 @@
 "id": "D11.02",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations",
 "services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
 ],
 "subcategory": "tracking",
 "text": "make sure that your reservations usage is close to 100%. If not, either enforce an allowed SKU policy or exchange the reservation"
@@ -10057,8 +10057,8 @@
 "id": "E01.01",
 "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review",
 "services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
 ],
 "subcategory": "Automation",
 "text": "plan and enforce a ON/OFF policy for production services, where possible"
@@ -10070,8 +10070,8 @@
 "id": "E01.02",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
 "services": [
- "Cost",
- "AzurePolicy"
+ "AzurePolicy",
+ "Cost"
 ],
 "subcategory": "Automation",
 "text": "plan and enforce a ON-DEMAND policy with auto-shutdown for non-production services, where possible"
@@ -10083,8 +10083,8 @@
 "id": "E02.01",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
 "services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "Autoscale",
 "text": "consider using a VMSS to match demand rather than flat sizing"
@@ -10096,8 +10096,8 @@
 "id": "E02.02",
 "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "subcategory": "Autoscale",
 "text": "use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)"
@@ -10160,8 +10160,8 @@
 "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
 "services": [
 "LoadBalancer",
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "databricks",
 "text": "consider using Spot VMs with fallback where possibleconsider autotermination of clusters https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination ",
@@ -10200,8 +10200,8 @@
 "id": "E05.03",
 "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "Functions",
 "text": "functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
@@ -10275,9 +10275,9 @@
 "id": "E06.02",
 "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
 "services": [
- "Cost",
+ "EventHubs",
 "FrontDoor",
- "EventHubs"
+ "Cost"
 ],
 "subcategory": "Networking",
 "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned."
@@ -10290,8 +10290,8 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
 "services": [
 "AppSvc",
- "Cost",
- "FrontDoor"
+ "FrontDoor",
+ "Cost"
 ],
 "subcategory": "Networking",
 "text": "Frontdoor -Route to something that returns nothingEither set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called."
@@ -10327,8 +10327,8 @@
 "id": "E09.01",
 "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "Storage",
 "text": "consider archiving tiers for less used data"
@@ -10340,8 +10340,8 @@
 "id": "E09.02",
 "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "Storage",
 "text": "check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing"
@@ -10353,8 +10353,8 @@
 "id": "E09.03",
 "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "Storage",
 "text": "consider using standard SSD rather than Premium or Ultra where possible"
@@ -10366,8 +10366,8 @@
 "id": "E09.04",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "Storage",
 "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)"
@@ -10379,9 +10379,9 @@
 "id": "E09.05",
 "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
 "services": [
- "Cost",
+ "ASR",
 "Storage",
- "ASR"
+ "Cost"
 ],
 "subcategory": "Storage",
 "text": "for ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it"
@@ -10393,8 +10393,8 @@
 "id": "E10.01",
 "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "storage",
 "text": "storage accounts: check hot tier and/or GRS necessary"
@@ -10406,8 +10406,8 @@
 "id": "E10.02",
 "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "storage",
 "text": "Disks -validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or On demand Premium SSD "
@@ -10419,9 +10419,9 @@
 "id": "E11.01",
 "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
 "services": [
+ "EventHubs",
 "Monitor",
- "Cost",
- "EventHubs"
+ "Cost"
 ],
 "subcategory": "Synapse",
 "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks."
@@ -10433,8 +10433,8 @@
 "id": "E11.02",
 "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
 "services": [
- "Cost",
- "Storage"
+ "Storage",
+ "Cost"
 ],
 "subcategory": "Synapse",
 "text": "Export cost data to a storage account for additional data analysis."
@@ -10496,8 +10496,8 @@
 "id": "E12.01",
 "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
 "services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "VM",
 "text": "Use SPOT VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
@@ -10510,8 +10510,8 @@
 "id": "E12.02",
 "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
 "services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "VM",
 "text": "right-sizing all VMs"
@@ -10523,8 +10523,8 @@
 "id": "E12.03",
 "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
 "services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "VM",
 "text": "swap VM sized with normalized and most recent sizes",
@@ -10537,9 +10537,9 @@
 "id": "E12.04",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "services": [
- "Cost",
+ "Monitor",
 "VM",
- "Monitor"
+ "Cost"
 ],
 "subcategory": "VM",
 "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
@@ -10552,8 +10552,8 @@
 "id": "E12.05",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "services": [
- "Cost",
- "VM"
+ "VM",
+ "Cost"
 ],
 "subcategory": "VM",
 "text": "containerizing an application can improve VM density and save money on scaling it",
@@ -10565,9 +10565,9 @@
 "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
 "id": "A01.01",
 "services": [
- "Subscriptions",
+ "Entra",
 "AVS",
- "Entra"
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": "Identity",
@@ -10580,8 +10580,8 @@
 "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
 "id": "A01.02",
 "services": [
- "AVS",
- "Entra"
+ "Entra",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -10594,8 +10594,8 @@
 "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
 "id": "A01.03",
 "services": [
- "AVS",
- "Entra"
+ "Entra",
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Identity",
@@ -10608,8 +10608,8 @@
 "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
 "id": "A01.04",
 "services": [
- "AVS",
- "Entra"
+ "Entra",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -10622,8 +10622,8 @@
 "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
 "id": "A01.05",
 "services": [
- "AVS",
- "Entra"
+ "Entra",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -10636,8 +10636,8 @@
 "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
 "id": "A01.06",
 "services": [
- "AVS",
- "Entra"
+ "Entra",
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Identity",
@@ -10650,9 +10650,9 @@
 "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
 "id": "A01.07",
 "services": [
+ "Entra",
 "RBAC",
- "AVS",
- "Entra"
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -10665,9 +10665,9 @@
 "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
 "id": "A01.08",
 "services": [
+ "Entra",
 "RBAC",
- "AVS",
- "Entra"
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -10680,9 +10680,9 @@
 "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
 "id": "A01.09",
 "services": [
+ "Entra",
 "RBAC",
- "AVS",
- "Entra"
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Identity",
@@ -10709,10 +10709,10 @@
 "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc",
 "id": "B02.01",
 "services": [
- "AVS",
- "NetworkWatcher",
 "VPN",
 "Monitor",
+ "AVS",
+ "NetworkWatcher",
 "ExpressRoute"
 ],
 "severity": "High",
@@ -10727,9 +10727,9 @@
 "id": "B02.02",
 "services": [
 "VM",
+ "Monitor",
 "AVS",
 "NetworkWatcher",
- "Monitor",
 "ExpressRoute"
 ],
 "severity": "Medium",
@@ -10743,10 +10743,10 @@
 "guid": "25659d35-58fd-4772-99c9-31112d027fe4",
 "id": "B02.03",
 "services": [
+ "Monitor",
 "NetworkWatcher",
- "VM",
 "AVS",
- "Monitor"
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Monitoring",
@@ -10773,9 +10773,9 @@
 "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
 "id": "C01.01",
 "services": [
+ "Entra",
 "RBAC",
- "AVS",
- "Entra"
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Security (identity)",
@@ -10788,9 +10788,9 @@
 "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
 "id": "C01.02",
 "services": [
+ "Entra",
 "RBAC",
- "AVS",
- "Entra"
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Security (identity)",
@@ -10803,8 +10803,8 @@
 "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
 "id": "C01.03",
 "services": [
- "AVS",
- "Entra"
+ "Entra",
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Security (identity)",
@@ -10817,9 +10817,9 @@
 "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
 "id": "C01.04",
 "services": [
+ "Entra",
 "RBAC",
- "AVS",
- "Entra"
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Security (identity)",
@@ -10832,8 +10832,8 @@
 "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
 "id": "C01.05",
 "services": [
- "AVS",
- "Entra"
+ "Entra",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Security (identity)",
@@ -10846,9 +10846,9 @@
 "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
 "id": "C01.06",
 "services": [
- "VM",
+ "Entra",
 "AVS",
- "Entra"
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Security (identity)",
@@ -10874,9 +10874,9 @@
 "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
 "id": "C02.02",
 "services": [
- "AppGW",
 "Firewall",
- "AVS"
+ "AVS",
+ "AppGW"
 ],
 "severity": "High",
 "subcategory": "Security (network)",
@@ -10902,8 +10902,8 @@
 "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
 "id": "C02.04",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Security (network)",
@@ -10916,11 +10916,11 @@
 "guid": "334fdf91-c234-4182-a652-75269440b4be",
 "id": "C02.05",
 "services": [
- "AVS",
 "VPN",
- "ExpressRoute",
 "DDoS",
- "VNet"
+ "VNet",
+ "AVS",
+ "ExpressRoute"
 ],
 "severity": "Medium",
 "subcategory": "Security (network)",
@@ -10946,8 +10946,8 @@
 "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
 "id": "C03.01",
 "services": [
- "Defender",
- "AVS"
+ "AVS",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Security (guest/VM)",
@@ -11017,8 +11017,8 @@
 "services": [
 "AzurePolicy",
 "Storage",
- "VM",
- "AVS"
+ "AVS",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Governance (platform)",
@@ -11031,8 +11031,8 @@
 "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
 "id": "C04.02",
 "services": [
- "ASR",
- "AVS"
+ "AVS",
+ "ASR"
 ],
 "severity": "Low",
 "subcategory": "Governance (platform)",
@@ -11087,8 +11087,8 @@
 "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
 "id": "C04.06",
 "services": [
- "Cost",
- "AVS"
+ "AVS",
+ "Cost"
 ],
 "severity": "Medium",
 "subcategory": "Governance (platform)",
@@ -11101,8 +11101,8 @@
 "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
 "id": "C04.07",
 "services": [
- "Cost",
- "AVS"
+ "AVS",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Governance (platform)",
@@ -11128,9 +11128,9 @@
 "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
 "id": "C05.01",
 "services": [
- "Defender",
 "VM",
- "AVS"
+ "AVS",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Governance (guest/VM)",
@@ -11144,8 +11144,8 @@
 "id": "C05.02",
 "services": [
 "Arc",
- "VM",
- "AVS"
+ "AVS",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Governance (guest/VM)",
@@ -11171,9 +11171,9 @@
 "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
 "id": "C05.04",
 "services": [
- "VM",
+ "Monitor",
 "AVS",
- "Monitor"
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Governance (guest/VM)",
@@ -11186,10 +11186,10 @@
 "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
 "id": "C05.05",
 "services": [
- "Backup",
 "AzurePolicy",
 "VM",
- "AVS"
+ "AVS",
+ "Backup"
 ],
 "severity": "Medium",
 "subcategory": "Governance (guest/VM)",
@@ -11202,9 +11202,9 @@
 "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
 "id": "C06.01",
 "services": [
- "Defender",
+ "Monitor",
 "AVS",
- "Monitor"
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Compliance",
@@ -11217,8 +11217,8 @@
 "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
 "id": "C06.02",
 "services": [
- "Defender",
- "AVS"
+ "AVS",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Compliance",
@@ -11257,8 +11257,8 @@
 "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
 "id": "D01.01",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Monitoring",
@@ -11271,8 +11271,8 @@
 "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
 "id": "D01.02",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Monitoring",
@@ -11285,8 +11285,8 @@
 "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
 "id": "D01.03",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Monitoring",
@@ -11299,8 +11299,8 @@
 "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
 "id": "D01.04",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "High",
 "subcategory": "Monitoring",
@@ -11313,9 +11313,9 @@
 "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
 "id": "D01.05",
 "services": [
+ "Monitor",
 "Storage",
- "AVS",
- "Monitor"
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Monitoring",
@@ -11328,8 +11328,8 @@
 "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
 "id": "D01.06",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "Low",
 "subcategory": "Monitoring",
@@ -11344,8 +11344,8 @@
 "services": [
 "AzurePolicy",
 "Storage",
- "VM",
- "AVS"
+ "AVS",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Operations",
@@ -11371,9 +11371,9 @@
 "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
 "id": "D02.03",
 "services": [
- "Backup",
 "Storage",
- "AVS"
+ "AVS",
+ "Backup"
 ],
 "severity": "Medium",
 "subcategory": "Operations",
@@ -11400,8 +11400,8 @@
 "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
 "id": "D02.05",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Operations",
@@ -11427,9 +11427,9 @@
 "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
 "id": "D02.07",
 "services": [
+ "Monitor",
 "AzurePolicy",
- "AVS",
- "Monitor"
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Operations",
@@ -11443,8 +11443,8 @@
 "id": "D02.08",
 "services": [
 "Storage",
- "VM",
- "AVS"
+ "AVS",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Operations",
@@ -11457,8 +11457,8 @@
 "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
 "id": "D03.01",
 "services": [
- "Defender",
- "AVS"
+ "AVS",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -11471,8 +11471,8 @@
 "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
 "id": "E01.01",
 "services": [
- "Backup",
- "AVS"
+ "AVS",
+ "Backup"
 ],
 "severity": "Medium",
 "subcategory": "Backup",
@@ -11485,8 +11485,8 @@
 "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
 "id": "E02.01",
 "services": [
- "ASR",
- "AVS"
+ "AVS",
+ "ASR"
 ],
 "severity": "Medium",
 "subcategory": "Disaster Recovery",
@@ -11499,8 +11499,8 @@
 "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
 "id": "E02.02",
 "services": [
- "ASR",
- "AVS"
+ "AVS",
+ "ASR"
 ],
 "severity": "Medium",
 "subcategory": "Disaster Recovery",
@@ -11513,8 +11513,8 @@
 "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
 "id": "E02.03",
 "services": [
- "ASR",
- "AVS"
+ "AVS",
+ "ASR"
 ],
 "severity": "High",
 "subcategory": "Disaster Recovery",
@@ -11527,8 +11527,8 @@
 "guid": "8255461e-2aee-4345-9aec-8339248b262d",
 "id": "E02.04",
 "services": [
- "ASR",
- "AVS"
+ "AVS",
+ "ASR"
 ],
 "severity": "Medium",
 "subcategory": "Disaster Recovery",
@@ -11541,8 +11541,8 @@
 "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
 "id": "E02.05",
 "services": [
- "ASR",
- "AVS"
+ "AVS",
+ "ASR"
 ],
 "severity": "High",
 "subcategory": "Disaster Recovery",
@@ -11555,10 +11555,10 @@
 "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
 "id": "E02.06",
 "services": [
- "NVA",
- "ExpressRoute",
 "ASR",
- "AVS"
+ "NVA",
+ "AVS",
+ "ExpressRoute"
 ],
 "severity": "Medium",
 "subcategory": "Disaster Recovery",
@@ -11571,8 +11571,8 @@
 "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
 "id": "E03.01",
 "services": [
- "Backup",
- "AVS"
+ "AVS",
+ "Backup"
 ],
 "severity": "Medium",
 "subcategory": "Business Continuity",
@@ -11585,8 +11585,8 @@
 "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
 "id": "E03.02",
 "services": [
- "Backup",
- "AVS"
+ "AVS",
+ "Backup"
 ],
 "severity": "Medium",
 "subcategory": "Business Continuity",
@@ -11705,9 +11705,9 @@
 "guid": "255461e2-aee3-4553-afc8-339248b262d6",
 "id": "F03.02",
 "services": [
- "ExpressRoute",
 "AKV",
- "AVS"
+ "AVS",
+ "ExpressRoute"
 ],
 "severity": "Low",
 "subcategory": "Automated Connectivity",
@@ -11746,8 +11746,8 @@
 "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
 "id": "F04.01",
 "services": [
- "Subscriptions",
- "AVS"
+ "AVS",
+ "Subscriptions"
 ],
 "severity": "Medium",
 "subcategory": "Automated Scale",
@@ -11814,8 +11814,8 @@
 "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
 "id": "F04.06",
 "services": [
- "AVS",
- "Monitor"
+ "Monitor",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Automated Scale",
@@ -11840,8 +11840,8 @@
 "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
 "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
 "services": [
- "AzurePolicy",
- "APIM"
+ "APIM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Best practices",
@@ -11879,9 +11879,9 @@
 "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
 "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
 "services": [
- "Backup",
 "APIM",
- "ASR"
+ "ASR",
+ "Backup"
 ],
 "severity": "High",
 "subcategory": "Business continuity and disaster recovery",
@@ -11893,8 +11893,8 @@
 "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e",
 "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external",
 "services": [
- "AzurePolicy",
- "APIM"
+ "APIM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Performance and scalability",
@@ -11907,8 +11907,8 @@
 "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
 "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
 "services": [
- "EventHubs",
 "APIM",
+ "EventHubs",
 "AzurePolicy"
 ],
 "severity": "Low",
@@ -11921,8 +11921,8 @@
 "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
 "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
 "services": [
- "AzurePolicy",
- "APIM"
+ "APIM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Performance and scalability",
@@ -11959,8 +11959,8 @@
 "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
 "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
 "services": [
- "AzurePolicy",
- "APIM"
+ "APIM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Development best practices",
@@ -11972,8 +11972,8 @@
 "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
 "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
 "services": [
- "AzurePolicy",
- "APIM"
+ "APIM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Development best practices",
@@ -11985,9 +11985,9 @@
 "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
 "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
 "services": [
+ "APIM",
 "ACR",
- "AzurePolicy",
- "APIM"
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Development best practices",
@@ -12117,8 +12117,8 @@
 "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
 "services": [
 "APIM",
- "VNet",
- "Monitor"
+ "Monitor",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -12131,8 +12131,8 @@
 "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
 "services": [
 "APIM",
- "PrivateLink",
- "VNet"
+ "VNet",
+ "PrivateLink"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -12305,10 +12305,10 @@
 "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
 "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
 "services": [
- "WAF",
 "APIM",
- "AppGW",
- "Entra"
+ "WAF",
+ "Entra",
+ "AppGW"
 ],
 "severity": "High",
 "subcategory": "Network",
@@ -12482,9 +12482,9 @@
 "id": "A03.01",
 "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
 "services": [
- "Entra",
 "AppSvc",
- "Monitor"
+ "Monitor",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": "Logging and Monitoring",
@@ -12499,9 +12499,9 @@
 "id": "A03.02",
 "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
 "services": [
- "Entra",
 "AppSvc",
- "Monitor"
+ "Monitor",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": "Logging and Monitoring",
@@ -12516,10 +12516,10 @@
 "id": "A04.01",
 "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
 "services": [
+ "Monitor",
 "NVA",
- "Firewall",
 "VNet",
- "Monitor"
+ "Firewall"
 ],
 "severity": "Medium",
 "subcategory": "Network Security",
@@ -12535,10 +12535,10 @@
 "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
 "services": [
 "NVA",
- "Storage",
 "PrivateLink",
+ "VNet",
 "Firewall",
- "VNet"
+ "Storage"
 ],
 "severity": "Low",
 "subcategory": "Network Security",
@@ -12569,11 +12569,11 @@
 "id": "A04.04",
 "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
 "services": [
- "WAF",
- "FrontDoor",
- "Monitor",
 "AppSvc",
- "AppGW"
+ "Monitor",
+ "AppGW",
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "High",
 "subcategory": "Network Security",
@@ -12588,8 +12588,8 @@
 "id": "A04.05",
 "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
 "services": [
- "WAF",
- "PrivateLink"
+ "PrivateLink",
+ "WAF"
 ],
 "severity": "High",
 "subcategory": "Network Security",
@@ -12622,8 +12622,8 @@
 "id": "A04.07",
 "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
 "services": [
- "WAF",
- "AppSvc"
+ "AppSvc",
+ "WAF"
 ],
 "severity": "High",
 "subcategory": "Network Security",
@@ -12683,12 +12683,12 @@
 "id": "A04.11",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
 "services": [
+ "DDoS",
 "NVA",
- "EventHubs",
- "WAF",
+ "VNet",
 "AppGW",
- "DDoS",
- "VNet"
+ "EventHubs",
+ "WAF"
 ],
 "severity": "Medium",
 "subcategory": "Network Security",
@@ -12853,9 +12853,9 @@
 "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
 "services": [
 "LoadBalancer",
- "TrafficManager",
+ "FrontDoor",
 "AKS",
- "FrontDoor"
+ "TrafficManager"
 ],
 "severity": "Medium",
 "subcategory": "High Availability",
@@ -12903,8 +12903,8 @@
 "id": "02.02.04",
 "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "severity": "Low",
 "simple": -1,
@@ -12952,8 +12952,8 @@
 "id": "03.01.01",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Cost",
@@ -12968,8 +12968,8 @@
 "id": "03.01.02",
 "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Cost",
@@ -12984,8 +12984,8 @@
 "id": "03.01.03",
 "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "severity": "Medium",
 "subcategory": "Cost",
@@ -13000,8 +13000,8 @@
 "id": "03.01.04",
 "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Cost",
@@ -13102,8 +13102,8 @@
 "link": "https://learn.microsoft.com/azure/security-center/container-security",
 "security": 1,
 "services": [
- "Defender",
- "AKS"
+ "AKS",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Compliance",
@@ -13217,9 +13217,9 @@
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
 "security": 1,
 "services": [
- "Defender",
 "AKV",
- "AKS"
+ "AKS",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
@@ -13286,8 +13286,8 @@
 "security": 1,
 "services": [
 "AKS",
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -13304,9 +13304,9 @@
 "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
 "security": 1,
 "services": [
+ "Entra",
 "AKS",
- "RBAC",
- "Entra"
+ "RBAC"
 ],
 "severity": "High",
 "simple": -1,
@@ -13511,8 +13511,8 @@
 "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
 "security": 1,
 "services": [
- "AKS",
- "VNet"
+ "VNet",
+ "AKS"
 ],
 "severity": "Medium",
 "simple": -2,
@@ -13528,10 +13528,10 @@
 "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
 "security": 1,
 "services": [
- "Cost",
 "PrivateLink",
 "AKS",
- "VNet"
+ "VNet",
+ "Cost"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -13580,8 +13580,8 @@
 "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
 "scale": 1,
 "services": [
- "AKS",
- "VNet"
+ "VNet",
+ "AKS"
 ],
 "severity": "High",
 "subcategory": "IPAM",
@@ -13613,8 +13613,8 @@
 "link": "https://learn.microsoft.com/azure/aks/internal-lb",
 "security": 1,
 "services": [
- "AKS",
- "VNet"
+ "VNet",
+ "AKS"
 ],
 "severity": "Low",
 "simple": -1,
@@ -13830,8 +13830,8 @@
 "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
 "security": 2,
 "services": [
- "WAF",
- "AKS"
+ "AKS",
+ "WAF"
 ],
 "severity": "High",
 "simple": -1,
@@ -13849,9 +13849,9 @@
 "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
 "security": 2,
 "services": [
- "AKS",
 "DDoS",
- "VNet"
+ "VNet",
+ "AKS"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -13899,8 +13899,8 @@
 "id": "07.01.01",
 "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
 "services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
 ],
 "severity": "High",
 "simple": -1,
@@ -14117,8 +14117,8 @@
 "id": "07.02.15",
 "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
 "services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
 ],
 "severity": "Low",
 "subcategory": "Compliance",
@@ -14148,8 +14148,8 @@
 "id": "07.03.01",
 "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "severity": "Low",
 "simple": -1,
@@ -14166,8 +14166,8 @@
 "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
 "scale": 1,
 "services": [
- "Cost",
- "AKS"
+ "AKS",
+ "Cost"
 ],
 "severity": "Low",
 "simple": -1,
@@ -14183,8 +14183,8 @@
 "id": "07.04.01",
 "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
 "services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
 ],
 "severity": "High",
 "simple": -1,
@@ -14201,8 +14201,8 @@
 "id": "07.04.02",
 "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
 "services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
 ],
 "severity": "High",
 "simple": -1,
@@ -14218,8 +14218,8 @@
 "id": "07.04.03",
 "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
 "services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -14235,8 +14235,8 @@
 "id": "07.04.04",
 "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
 "services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -14254,10 +14254,10 @@
 "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
 "services": [
 "ServiceBus",
- "EventHubs",
- "Storage",
 "Monitor",
- "AKS"
+ "EventHubs",
+ "AKS",
+ "Storage"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -14274,9 +14274,9 @@
 "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
 "services": [
 "LoadBalancer",
+ "Monitor",
 "NVA",
- "AKS",
- "Monitor"
+ "AKS"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -14292,8 +14292,8 @@
 "id": "07.04.07",
 "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
 "services": [
- "AKS",
- "Monitor"
+ "Monitor",
+ "AKS"
 ],
 "severity": "Medium",
 "subcategory": "Monitoring",
@@ -14340,8 +14340,8 @@
 "id": "07.05.03",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
 "services": [
- "Subscriptions",
- "AKS"
+ "AKS",
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": "Resources",
@@ -14484,8 +14484,8 @@
 "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
 "scale": 1,
 "services": [
- "Storage",
- "AKS"
+ "AKS",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Storage",
@@ -14501,8 +14501,8 @@
 "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
 "scale": 1,
 "services": [
- "Storage",
- "AKS"
+ "AKS",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Storage",
@@ -14518,8 +14518,8 @@
 "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
 "scale": 1,
 "services": [
- "Storage",
- "AKS"
+ "AKS",
+ "Storage"
 ],
 "severity": "Low",
 "subcategory": "Storage",
@@ -14535,8 +14535,8 @@
 "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
 "services": [
 "SQL",
- "Storage",
- "AKS"
+ "AKS",
+ "Storage"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -14553,8 +14553,8 @@
 "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
 "scale": 1,
 "services": [
- "Storage",
- "AKS"
+ "AKS",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Storage",
@@ -14569,8 +14569,8 @@
 "id": "07.07.06",
 "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
 "services": [
- "Storage",
- "AKS"
+ "AKS",
+ "Storage"
 ],
 "severity": "Medium",
 "simple": -1,
@@ -14796,8 +14796,8 @@
 "guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
 "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation",
 "services": [
- "Cost",
- "Monitor"
+ "Monitor",
+ "Cost"
 ],
 "severity": "Medium",
 "subcategory": "Cost Optimization",
@@ -14954,8 +14954,8 @@
 "services": [
 "ServiceBus",
 "AzurePolicy",
- "RBAC",
 "Entra",
+ "RBAC",
 "TrafficManager"
 ],
 "severity": "Medium",
@@ -14970,12 +14970,12 @@
 "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
 "services": [
+ "AppSvc",
 "ServiceBus",
 "VM",
- "Storage",
 "AKV",
 "Entra",
- "AppSvc"
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -14991,9 +14991,9 @@
 "services": [
 "ServiceBus",
 "Storage",
- "RBAC",
+ "Subscriptions",
 "Entra",
- "Subscriptions"
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -15007,9 +15007,9 @@
 "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
 "services": [
- "ServiceBus",
+ "Monitor",
 "VNet",
- "Monitor"
+ "ServiceBus"
 ],
 "severity": "Medium",
 "subcategory": "Monitoring",
@@ -15023,8 +15023,8 @@
 "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
 "services": [
- "ServiceBus",
 "PrivateLink",
+ "ServiceBus",
 "VNet"
 ],
 "severity": "Medium",
@@ -15051,456 +15051,519 @@ "checklist": "Azure Virtual Desktop Review", "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.", "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1", + "id": "A01.01", "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", "services": [ - "Subscriptions", - "ASR", "AVD", - "VM" + "Subscriptions", + "VM", + "ASR" ], "severity": "High", "subcategory": "Compute", - "text": "Determine the expected High Availability SLA for applications/desktops published through AVD" + "text": "Determine the expected High Availability SLA for applications/desktops published through AVD", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", - "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. 
For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/en-us/fslogix/concepts-container-recovery-business-continuity.", + "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.", "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", + "id": "A01.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", "services": [ - "Storage", - "ASR", "AVD", - "VM" + "VM", + "Storage", + "ASR" ], "severity": "Medium", "subcategory": "Compute", - "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools" + "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", - "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications are consumed through AVD are critical. 
You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.", + "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.", "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", + "id": "A01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "ASR", - "AVD" + "AVD", + "ASR" ], "severity": "Low", "subcategory": "Compute", - "text": "Separate critical applications in different AVD Host Pools" + "text": "Separate critical applications in different AVD Host Pools", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", - "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. For a comparison between AZ and AS you can read here: https://learn.microsoft.com/en-us/azure/virtual-machines/availability.", + "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.", "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", + "id": "A01.04", "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", "services": [ "ACR", - "ASR", - "AVD" + "AVD", + "ASR" ], "severity": "High", "subcategory": "Compute", - "text": "Plan the best resiliency option for AVD Host Pool deployment" + "text": "Plan the best resiliency option for AVD Host Pool deployment", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.", "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", + "id": "A01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "Backup", - "ASR", "AVD", - "VM" + "ASR", + "VM", + "Backup" ], "severity": "Medium", "subcategory": "Compute", - "text": "Assess the requirement to backup AVD Session Host VMs" + "text": "Assess the requirement to backup AVD Session Host VMs", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. 
(3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.", "guid": "5da58639-ca3a-4961-890b-29663c5e10d", + "id": "A01.06", "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", "services": [ - "ASR", + "AVD", "VM", - "Backup", "Cost", - "AVD" + "Backup", + "ASR" ], "severity": "Medium", "subcategory": "Compute", - "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts" + "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. 
For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.", "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", + "id": "A02.01", "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", "services": [ - "ASR", - "VM", - "Storage", "AVD", - "ACR" + "VM", + "ACR", + "ASR", + "Storage" ], "severity": "Low", "subcategory": "Dependencies", - "text": "Plan for Golden Image cross-region availability" + "text": "Plan for Golden Image cross-region availability", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.", "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", + "id": "A02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "ASR", - "AVD" + "AVD", + "ASR" ], "severity": "Medium", "subcategory": "Dependencies", - "text": "Assess Infrastructure & Application dependencies " + "text": "Assess Infrastructure & Application dependencies ", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. 
In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).", "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", + "id": "A03.01", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", "services": [ + "AVD", "Storage", - "ASR", - "AVD" + "ASR" ], "severity": "Medium", "subcategory": "Storage", - "text": "Assess which data need to be protected in the Profile and Office Containers" + "text": "Assess which data need to be protected in the Profile and Office Containers", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).", "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", + "id": "A03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ + "AVD", "AzurePolicy", - "ASR", "Backup", - "Storage", - "AVD" + "ASR", + "Storage" ], "severity": "Medium", "subcategory": "Storage", - "text": "Build a backup protection strategy for Profile and Office Containers" + "text": "Build a backup protection strategy for Profile and Office Containers", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. 
[Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.", "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", + "id": "A03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ + "AVD", "Storage", - "ASR", - "AVD" + "ASR" ], "severity": "Medium", "subcategory": "Storage", - "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose" + "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.", "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", + "id": "A03.04", "link": "https://docs.microsoft.com/azure/backup/backup-afs", "services": [ "Backup", + "AVD", "Storage", - "ASR", - "AVD" + "ASR" ], "severity": "Medium", "subcategory": "Storage", - "text": "Review Azure Files disaster recovery strategy" + "text": "Review Azure Files disaster recovery strategy", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. 
ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. ", "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", + "id": "A03.05", "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "services": [ + "AVD", "Storage", - "ASR", - "AVD" + "ASR" ], "severity": "High", "subcategory": "Storage", - "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency" + "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency", + "waf": "Reliability" }, { "category": "Business Continuity and Disaster Recovery", "checklist": "Azure Virtual Desktop Review", - "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-create-peering. Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/en-us/azure/azure-netapp-files/manage-availability-zone-volume-placement.", + "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. 
Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", "guid": "23429db7-2281-4376-85cc-57b4a4b18142", + "id": "A03.06", "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "services": [ - "ASR", - "Backup", - "Storage", "AVD", - "ACR" + "Backup", + "ACR", + "ASR", + "Storage" ], "severity": "Medium", "subcategory": "Storage", - "text": "Review Azure NetApp Files disaster recovery strategy" + "text": "Review Azure NetApp Files disaster recovery strategy", + "waf": "Reliability" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.", "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", + "id": "B01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ "AVD" ], "severity": "High", "subcategory": "Golden Images", - "text": "Determine how applications will be deployed in AVD Host Pools" + "text": "Determine how applications will be deployed in AVD Host Pools", + "waf": "Operations" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.", "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", + "id": "B01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ "AVD" ], "severity": "Medium", "subcategory": "Golden Images", - "text": "Estimate the number of golden 
images that will be required" + "text": "Estimate the number of golden images that will be required", + "waf": "Operations" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. Custom images", "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", + "id": "B01.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", "services": [ "AVD" ], "severity": "Medium", "subcategory": "Golden Images", - "text": "Determine which OS image/s you will use for Host Pool deployment" + "text": "Determine which OS image/s you will use for Host Pool deployment", + "waf": "Reliability" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. The recommended way is to use Azure Compute Gallery.", "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", + "id": "B01.04", "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "services": [ - "Storage", "AVD", + "Storage", "VM" ], "severity": "Low", "subcategory": "Golden Images", - "text": "Select the proper store for custom images" + "text": "Select the proper store for custom images", + "waf": "Reliability" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "If custom images will be used, plan for an automated build process. 
If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.", "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", + "id": "B01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", "services": [ "AVD" ], "severity": "Low", "subcategory": "Golden Images", - "text": "Design your build process for custom images" + "text": "Design your build process for custom images", + "waf": "Operations" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.", "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", + "id": "B01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", "services": [ "AVD" ], "severity": "Medium", "subcategory": "Golden Images", - "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image" + "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image", + "waf": "Operations" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. 
For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.", "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", + "id": "B01.07", "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", "services": [ "AVD" ], "severity": "High", "subcategory": "Golden Images", - "text": "Include the latest version of FSLogix in the golden image update process" + "text": "Include the latest version of FSLogix in the golden image update process", + "waf": "Reliability" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. ", "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", + "id": "B01.08", "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "services": [ - "RBAC", - "AVD" + "AVD", + "RBAC" ], "severity": "Low", "subcategory": "Golden Images", - "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool" + "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool", + "waf": "Performance" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. 
OneDrive today is not supported for Remote Apps.", "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", + "id": "B01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "Low", "subcategory": "Golden Images", - "text": "Determine if Microsoft OneDrive will be part of AVD deployment" + "text": "Determine if Microsoft OneDrive will be part of AVD deployment", + "waf": "Operations" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.", "guid": "b5887953-5d22-4788-9d30-b66c67be5951", + "id": "B01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", "services": [ "AVD" ], "severity": "Low", "subcategory": "Golden Images", - "text": "Determine if Microsoft Teams will be part of AVD deployment" + "text": "Determine if Microsoft Teams will be part of AVD deployment", + "waf": "Performance" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "AVD can support users with different language and localization requirements in the same host pool. This can be done customizing golden images to ensure users can select whichever language they need. 
The procedure to configure additional language packs in Windows 11 is documented in the reference article.", "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", + "id": "B01.11", "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", "services": [ "AVD" ], "severity": "Low", "subcategory": "Golden Images", - "text": "Assess the requirement to support multiple languages" + "text": "Assess the requirement to support multiple languages", + "waf": "Reliability" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ", "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", + "id": "B02.01", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "Cost", + "AVD", "Storage", - "AVD" + "Cost" ], "severity": "Medium", "subcategory": "MSIX & AppAttach", - "text": "Do not use the same storage account/share as FSLogix profiles" + "text": "Do not use the same storage account/share as FSLogix profiles", + "waf": "Performance" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.", "guid": "241addce-5793-477b-adb3-751ab2ac1fad", + "id": "B02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ "AVD" ], "severity": "Medium", "subcategory": "MSIX & AppAttach", - "text": "Review performance considerations for MSIX" + "text": "Review performance considerations for MSIX", + "waf": 
"Performance" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "MSIX app attach requires read-only permissions to access the file share. If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.", "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", + "id": "B02.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ + "AVD", "Storage", "RBAC", - "AVD", "VM" ], "severity": "Medium", "subcategory": "MSIX & AppAttach", - "text": "Check proper session host permissions for MSIX share" + "text": "Check proper session host permissions for MSIX share", + "waf": "Security" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.", "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", + "id": "B02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ "AVD" ], "severity": "Low", "subcategory": "MSIX & AppAttach", - "text": "MSIX packages for 3rd-party applications" + "text": "MSIX packages for 3rd-party applications", + "waf": "Cost" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.", "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", + "id": "B02.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ "AVD" ], "severity": "Low", "subcategory": "MSIX & AppAttach", - "text": "Disable auto-update for MSIX packages" + "text": "Disable auto-update for MSIX packages", + "waf": "Operations" }, { 
"category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.", "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", + "id": "B02.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", "services": [ "AVD" ], "severity": "Medium", "subcategory": "MSIX & AppAttach", - "text": "Review operating systems support" + "text": "Review operating systems support", + "waf": "Reliability" }, { "category": "Compute", "checklist": "Azure Virtual Desktop Review", "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.", "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", + "id": "B03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", "services": [ "AVD", 
@@ -15508,26 +15571,30 @@
 ],
 "severity": "Medium",
 "subcategory": "Session Host",
- "text": "Evaluate the usage of Gen2 VM for Host Pool deployment"
+ "text": "Evaluate the usage of Gen2 VM for Host Pool deployment",
+ "waf": "Performance"
 },
 {
 "category": "Compute",
 "checklist": "Azure Virtual Desktop Review",
 "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.",
 "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
+ "id": "B03.02",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection",
 "services": [
 "AVD"
 ],
 "severity": "Low",
 "subcategory": "Session Host",
- "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser"
+ "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.",
 "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
+ "id": "C01.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools",
 "services": [
 "AVD", 
@@ -15535,13 +15602,15 @@
 ],
 "severity": "High",
 "subcategory": "Capacity Planning",
- "text": "Determine the Host Pool type to use"
+ "text": "Determine the Host Pool type to use",
+ "waf": "Cost"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Use your design criteria to determine the number of Host Pools to deploy. This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). These will determine the number of host pools as well as how many hosts will be in each pool.",
 "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
+ "id": "C01.02",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools",
 "services": [
 "AVD", 
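Review bot: The new `"waf": "Performance"` tag on the Gen2 VM item (B03.01, first lines of the -15508 hunk) sits under a description whose only stated rationale is "for higher security and improved capabilities", so the pillar tag appears to contradict the item's own justification. If the convention is one pillar per item, `"waf": "Security"` matches the text as written; otherwise the description should name the performance benefit the tag implies. The object for B03.01 opens outside this hunk, so the `services` list that precedes the closing `]` could not be checked here.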
@@ -15549,39 +15618,45 @@
 ],
 "severity": "High",
 "subcategory": "Capacity Planning",
- "text": "Estimate the number of different Host Pools to deploy "
+ "text": "Estimate the number of different Host Pools to deploy ",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. Automatic is the default setting.",
 "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
+ "id": "C01.03",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
 "services": [
 "AVD"
 ],
 "severity": "Low",
 "subcategory": "Capacity Planning",
- "text": "For Personal Host Pool type, select the proper assignment type"
+ "text": "For Personal Host Pool type, select the proper assignment type",
+ "waf": "Operations"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
 "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
+ "id": "C01.04",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
 "services": [
 "AVD"
 ],
 "severity": "Low",
 "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, select the best load balancing method"
+ "text": "For Pooled Host Pool type, select the best load balancing method",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "The number of cores increase, the system's synchronization overhead also increases. Especially for multiple user's sign-in simultaneously. 
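Review bot: The C01.02 `link` in the -15535 hunk still carries the `?WT.mc_id=Portal-fx` tracking parameter, while the same commit strips the locale segment from links elsewhere (the C01.09 `link` in the -15618 hunk drops `en-us`); if link normalization is part of this change, the query string should go too, giving `"link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools",` — the same URL C01.01 already uses. The C01.06 `link` in the -15589 hunk has the identical parameter. The line is context here, so this is a follow-up rather than a defect the hunk introduces.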
Make sure not to use a VM that is too large for the session host",
 "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
+ "id": "C01.05",
 "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
 "services": [
 "AVD", 
@@ -15589,27 +15664,31 @@
 ],
 "severity": "Medium",
 "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores"
+ "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
 "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
+ "id": "C01.06",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups",
 "services": [
- "Storage",
- "AVD"
+ "AVD",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Capacity Planning",
- "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users"
+ "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
+ "waf": "Security"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. The limit can be increased (see the companion link for details) but it is not recommended.",
 "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
+ "id": "C01.07",
 "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits",
 "services": [
 "ACR", 
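Review bot: The rewritten first `text` line of the -15549 hunk keeps a trailing space inside the string, `"Estimate the number of different Host Pools to deploy "`, which survives into the displayed checklist and any exact-match lookup on `text`; since the line is being touched anyway, trim it to `+ "text": "Estimate the number of different Host Pools to deploy",`. The same trailing space is preserved in A02.02 (`"Assess Infrastructure & Application dependencies "`) earlier in the file. A whitespace check on `text` values in the generator would catch both.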
@@ -15618,41 +15697,47 @@
 ],
 "severity": "Medium",
 "subcategory": "Capacity Planning",
- "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant"
+ "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
+ "waf": "Reliability"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
 "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
+ "id": "C01.08",
 "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "services": [
 "AVD"
 ],
 "severity": "Low",
 "subcategory": "Capacity Planning",
- "text": "Estimate the number of Applications for each Application Group"
+ "text": "Estimate the number of Applications for each Application Group",
+ "waf": "Reliability"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. 
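Review bot: `"waf": "Security"` on C01.06 in the -15589 hunk does not follow from its description, which explains a session/profile collision (two active sessions for one user in the same host pool with the same profile) rather than a security exposure; `"waf": "Reliability"` or `"waf": "Operations"` reads closer to the text, and a mis-tagged item will surface in any pillar-filtered view of the checklist. If the Security tag is deliberate, one sentence in the description naming the security concern would make the tag defensible. Separately, the `services` reorderings in this hunk and in the -15618 and -15660 hunks come out alphabetical, but elsewhere in the file the new order is not (B02.03 reads `"AVD", "Storage", "RBAC", "VM"`), which suggests the order is hand-edited; a deterministic sort when the file is generated would keep future diffs to the intended changes.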
For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.", "guid": "38b19ab6-0693-4992-9394-5590883916ec", - "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", + "id": "C01.09", + "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", "services": [ - "Storage", "AVD", + "Storage", "VM" ], "severity": "Low", "subcategory": "Capacity Planning", - "text": "Evaluate the usage of FSLogix for Personal Host Pools" + "text": "Evaluate the usage of FSLogix for Personal Host Pools", + "waf": "Reliability" }, { "category": "Foundation", "checklist": "Azure Virtual Desktop Review", "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. Ensure a minimum of four cores for Production is selected per Session Host (multi-session)", "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2", + "id": "C01.10", "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs", "services": [ "AVD", 
@@ -15660,40 +15745,46 @@
 ],
 "severity": "High",
 "subcategory": "Capacity Planning",
- "text": "Run workload performance test to determine the best Azure VM SKU and size to use"
+ "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. ",
 "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
+ "id": "C01.11",
 "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "services": [
- "Storage",
- "AVD"
+ "AVD",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Capacity Planning",
- "text": "Verify AVD scalability limits for the environment"
+ "text": "Verify AVD scalability limits for the environment",
+ "waf": "Reliability"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
 "guid": "c936667e-13c0-4056-94b1-e945a459837e",
+ "id": "C01.12",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
 "services": [
 "AVD"
 ],
 "severity": "Low",
 "subcategory": "Capacity Planning",
- "text": "Determine if Session Hosts will require GPU"
+ "text": "Determine if Session Hosts will require GPU",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. 
This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
 "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
+ "id": "C01.13",
 "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
 "services": [
 "AVD", 
@@ -15701,138 +15792,158 @@
 ],
 "severity": "Low",
 "subcategory": "Capacity Planning",
- "text": "Use Azure VM SKUs able to leverage Accelerated Networking"
+ "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
 "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
+ "id": "C02.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
 "services": [
 "AVD"
 ],
 "severity": "Medium",
 "subcategory": "Clients & Users",
- "text": "Assess how many users will connect to AVD and from which regions"
+ "text": "Assess how many users will connect to AVD and from which regions",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. 
Additionally, BCDR considerations need to be applied to these dependencies as well.",
 "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
+ "id": "C02.02",
 "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json",
 "services": [
 "VPN",
- "Storage",
 "AVD",
+ "Storage",
 "ExpressRoute"
 ],
 "severity": "Medium",
 "subcategory": "Clients & Users",
- "text": "Assess external dependencies for each Host Pool"
+ "text": "Assess external dependencies for each Host Pool",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). Review limitations of each client and compare multiple options when possible.",
 "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
- "link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows",
+ "id": "C02.03",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows",
 "services": [
 "AVD"
 ],
 "severity": "Low",
 "subcategory": "Clients & Users",
- "text": "Review user client OS used and AVD client type"
+ "text": "Review user client OS used and AVD client type",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. 
Beyond 150ms latency, user experience may be not optimal.",
 "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
+ "id": "C02.04",
 "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/",
 "services": [
 "AVD"
 ],
 "severity": "High",
 "subcategory": "Clients & Users",
- "text": "Run a PoC to validate end-to-end user experience and impact of network latency"
+ "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "RDP settings can currently only be configured at the host pool level, not per user/group. If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
 "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
+ "id": "C02.05",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
 "services": [
 "AVD"
 ],
 "severity": "Low",
 "subcategory": "Clients & Users",
- "text": "Assess and document RDP settings for all user groups"
+ "text": "Assess and document RDP settings for all user groups",
+ "waf": "Security"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.",
 "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9",
+ "id": "C03.01",
 "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop",
 "services": [
 "AVD"
 ],
 "severity": "High",
 "subcategory": "General",
- "text": "Determine in which Azure regions AVD Host Pools will be deployed."
+ "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
+ "waf": "Performance"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "AVD must store metadata to support the service; this is stored in the specified geography. 
However, this is independent of the regions where Host Pools are located.",
 "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
+ "id": "C03.02",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
 "services": [
 "AVD"
 ],
 "severity": "Medium",
 "subcategory": "General",
- "text": "Determine metadata location for AVD service"
+ "text": "Determine metadata location for AVD service",
+ "waf": "Reliability"
 },
 {
 "category": "Foundation",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
 "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
+ "id": "C03.03",
 "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
 "services": [
- "Storage",
 "AVD",
+ "Storage",
 "VM"
 ],
 "severity": "Low",
 "subcategory": "General",
- "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions"
+ "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions",
+ "waf": "Reliability"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. 
As alternative, on-premise connectivity must be used to reach AD DCs.",
 "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
+ "id": "D01.01",
 "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
 "services": [
- "Storage",
 "AVD",
 "VNet",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Active Directory",
- "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool"
+ "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool",
+ "waf": "Reliability"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. ",
 "guid": "6db55f57-9603-4334-adf9-cc23418db612",
+ "id": "D01.02",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
 "services": [
 "AVD",
@@ -15840,13 +15951,15 @@
 ],
 "severity": "Medium",
 "subcategory": "Active Directory",
- "text": "Create a specific OU in Active Directory for each Host Pool"
+ "text": "Create a specific OU in Active Directory for each Host Pool",
+ "waf": "Operations"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ",
 "guid": "7126504b-b47a-4393-a080-327294798b15",
+ "id": "D01.03",
 "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
 "services": [
 "AVD", 
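Review bot: The reordered `services` arrays in this hunk do not follow any stated rule: D01.01 becomes `"AVD", "VNet", "Entra", "Storage"` and C02.02 keeps `"VPN"` ahead of `"AVD"`, while C03.03 in the same hunk ends up alphabetical. If the generator emits a fixed canonical order, it should be documented next to the file so reviewers can tell intended churn from a hand-editing mistake; otherwise sorting each array alphabetically, optionally with `"AVD"` pinned first, keeps future diffs deterministic. The same mixed ordering appears in the later hunks touching D01.05, D01.07, D02.01/D03.01, E01.01/E01.02 and E01.04 through E01.08.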
@@ -15854,13 +15967,15 @@
 ],
 "severity": "Medium",
 "subcategory": "Active Directory",
- "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities"
+ "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities",
+ "waf": "Operations"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column",
 "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
+ "id": "D01.04",
 "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates",
 "services": [
 "AVD", 
@@ -15868,28 +15983,32 @@
 ],
 "severity": "Medium",
 "subcategory": "Active Directory",
- "text": "Configure FSLogix settings using the built-in provided GPO ADMX template"
+ "text": "Configure FSLogix settings using the built-in provided GPO ADMX template",
+ "waf": "Operations"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. Review the companion article for more details.",
 "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
+ "id": "D01.05",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts",
 "services": [
 "AVD",
- "VM",
- "Entra"
+ "Entra",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Active Directory",
- "text": "Create a dedicated user account with only permissions to join VM to the domain"
+ "text": "Create a dedicated user account with only permissions to join VM to the domain",
+ "waf": "Security"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). ",
 "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
+ "id": "D01.06",
 "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
 "services": [
 "AVD", 
@@ -15897,29 +16016,33 @@
 ],
 "severity": "Medium",
 "subcategory": "Active Directory",
- "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)"
+ "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)",
+ "waf": "Security"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
 "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
+ "id": "D01.07",
 "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
 "services": [
+ "AVD",
 "AzurePolicy",
 "Storage",
- "AVD",
 "Entra"
 ],
 "severity": "High",
 "subcategory": "Active Directory",
- "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration"
+ "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration",
+ "waf": "Security"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
 "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
+ "id": "D01.08",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
 "services": [
 "AVD", 
@@ -15927,44 +16050,50 @@
 ],
 "severity": "High",
 "subcategory": "Active Directory",
- "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID"
+ "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID",
+ "waf": "Reliability"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.",
 "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338",
+ "id": "D02.01",
 "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable",
 "services": [
- "Storage",
 "AVD",
- "Entra"
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Microsoft Entra ID",
- "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario"
+ "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario",
+ "waf": "Security"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.",
 "guid": "6ceb5443-5125-4922-9442-93bb628537a5",
+ "id": "D03.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
 "services": [
- "Subscriptions",
 "AVD",
 "VNet",
- "Entra"
+ "Entra",
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": 
"Requirements",
- "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked"
+ "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked",
+ "waf": "Reliability"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
- "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. Be sure to review also the list of supported scenarios in https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
+ "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
 "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c",
+ "id": "D03.02",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication",
 "services": [
 "AVD", 
@@ -15972,13 +16101,15 @@
 ],
 "severity": "High",
 "subcategory": "Requirements",
- "text": "Review and document your identity scenario"
+ "text": "Review and document your identity scenario",
+ "waf": "Security"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. External identities (B2B or B2C) are not supported.",
 "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
+ "id": "D03.03",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios",
 "services": [
 "AVD", 
@@ -15986,13 +16117,15 @@
 ],
 "severity": "Medium",
 "subcategory": "Requirements",
- "text": "Assess User Account types and requirements"
+ "text": "Assess User Account types and requirements",
+ "waf": "Security"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.",
 "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4",
+ "id": "D03.04",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso",
 "services": [
 "AVD", 
@@ -16000,28 +16133,32 @@
 ],
 "severity": "Medium",
 "subcategory": "Requirements",
- "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites"
+ "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites",
+ "waf": "Reliability"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. Be sure to review supported scenarios, limitations and requirements from the referenced article.",
 "guid": "ea962a15-9394-46da-a7cc-3923266b2258",
+ "id": "D03.05",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios",
 "services": [
 "AVD",
- "VM",
- "Entra"
+ "Entra",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Requirements",
- "text": "Select the proper AVD Session Host domain join type"
+ "text": "Select the proper AVD Session Host domain join type",
+ "waf": "Security"
 },
 {
 "category": "Identity",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)",
 "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
+ "id": "D03.06",
 "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
 "services": [
 "AVD", 
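Review bot: `"waf": "Reliability"` on D03.04 (the SSO item) looks misclassified: its description is about choosing between AD FS and Microsoft Entra ID authentication, which is an authentication design decision, and the neighbouring Requirements items D03.02, D03.03 and D03.05 added in the surrounding hunks are all tagged `"Security"`. Consider `"waf": "Security"` here so that filtering the checklist by pillar keeps the identity-scenario, account-type, SSO and domain-join decisions together.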
@@ -16029,43 +16166,49 @@
 ],
 "severity": "Low",
 "subcategory": "Requirements",
- "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations."
+ "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.",
+ "waf": "Reliability"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.",
 "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2",
+ "id": "E01.01",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template",
 "services": [
- "Entra",
 "AVD",
- "Monitor"
+ "Monitor",
+ "Entra"
 ],
 "severity": "Low",
 "subcategory": "Management",
- "text": "Use built-in provided administrative templates for AVD settings configuration"
+ "text": "Use built-in provided administrative templates for AVD settings configuration",
+ "waf": "Operations"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.",
 "guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
+ "id": "E01.02",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/management",
 "services": [
 "AVD",
- "VM",
- "Monitor"
+ "Monitor",
+ "VM"
 ],
 "severity": "Low",
 "subcategory": "Management",
- "text": "Plan AVD Session Hosts configuration management strategy"
+ "text": "Plan AVD Session Hosts configuration management strategy",
+ "waf": "Operations"
 },
 { 
"category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
- "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.",
+ "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.",
 "guid": "63a08be1-6004-4b4a-a79b-f3239faae113",
+ "id": "E01.03",
 "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop",
 "services": [
 "AVD", 
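Review bot: The rewritten E01.03 description keeps `“More Info”` in typographic double quotes while the rest of the checklist, including the D03.02 description rewritten in this same commit, writes `'More Info'` and `'Comment'` with straight single quotes; since the line is already being touched to strip `en-us`, normalising it to `'More Info'` keeps these strings searchable with one pattern. The unchanged E01.01 description just above still reads `'More Info' colum` (missing n), which could be fixed in the same pass.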
@@ -16073,98 +16216,110 @@
 ],
 "severity": "Medium",
 "subcategory": "Management",
- "text": "Evaluate Intune for AVD Session Hosts management"
+ "text": "Evaluate Intune for AVD Session Hosts management",
+ "waf": "Operations"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. Not available yet for Personal Host Pool type.",
 "guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
+ "id": "E01.04",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios",
 "services": [
- "Cost",
 "AVD",
+ "Monitor",
 "VM",
- "Monitor"
+ "Cost"
 ],
 "severity": "Medium",
 "subcategory": "Management",
- "text": "Assess the requirements for host pool auto-scaling capability"
+ "text": "Assess the requirements for host pool auto-scaling capability",
+ "waf": "Reliability"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. 
Start VM on Connect is a host pool wide setting.",
 "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc",
+ "id": "E01.05",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect",
 "services": [
- "Cost",
 "AVD",
- "VM",
- "Monitor"
+ "Monitor",
+ "Cost",
+ "VM"
 ],
 "severity": "Low",
 "subcategory": "Management",
- "text": "Consider the usage of Start VM on Connect for Personal Host Pools"
+ "text": "Consider the usage of Start VM on Connect for Personal Host Pools",
+ "waf": "Cost"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.",
 "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb",
+ "id": "E01.06",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them",
 "services": [
- "AzurePolicy",
- "VM",
- "Cost",
 "AVD",
- "Monitor"
+ "VM",
+ "Monitor",
+ "AzurePolicy",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Management",
- "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts"
+ "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts",
+ "waf": "Cost"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. 
In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. ",
 "guid": "51bcafca-476a-48fa-9b91-9645a7679f20",
+ "id": "E01.07",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources",
 "services": [
- "VWAN",
 "VPN",
- "Storage",
- "DNS",
 "AVD",
- "Cost",
+ "DNS",
 "Monitor",
- "ExpressRoute"
+ "Cost",
+ "ExpressRoute",
+ "Storage",
+ "VWAN"
 ],
 "severity": "Low",
 "subcategory": "Management",
- "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop"
+ "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop",
+ "waf": "Cost"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. 
With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.",
 "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
+ "id": "E01.08",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations",
 "services": [
- "Monitor",
- "Cost",
 "AVD",
- "Entra"
+ "Monitor",
+ "Entra",
+ "Cost"
 ],
 "severity": "Low",
 "subcategory": "Management",
- "text": "Periodically check Azure Advisor recommendations for AVD"
+ "text": "Periodically check Azure Advisor recommendations for AVD",
+ "waf": "Operations"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
- "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/en-us/azure/automation/update-management/operating-system-requirements), 3rd Party tools. 
Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.",
+ "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.",
 "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
+ "id": "E01.09",
 "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session",
 "services": [
 "AVD", 
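Review bot: `"waf": "Reliability"` on E01.04 contradicts the item's own description, which presents the scaling tool as a "low-cost automation option" to "optimize their session host VM costs", and the sibling items E01.05 and E01.06 in this hunk are tagged `"Cost"`; consider `"waf": "Cost"` for consistency. Separately, the rewritten E01.09 description still carries the duplicated phrase 'update strategy patching strategy' and a `docs.microsoft.com` URL next to the `learn.microsoft.com` URLs the commit normalises; since the line is already being rewritten, `'in-place' patching strategy` and one consistent host would be a cheap fix.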
@@ -16172,13 +16327,15 @@
 ],
 "severity": "Medium",
 "subcategory": "Management",
- "text": "Plan for a Session Host emergency patching and update strategy"
+ "text": "Plan for a Session Host emergency patching and update strategy",
+ "waf": "Operations"
 },
 {
 "category": "Monitoring and Management",
 "checklist": "Azure Virtual Desktop Review",
 "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.",
 "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f",
+ "id": "E01.10",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates",
 "services": [
 "AVD",
@@ -16186,58 +16343,66 @@ ], "severity": "Low", "subcategory": "Management", - "text": "Configure the Scheduled Agent Updates feature" + "text": "Configure the Scheduled Agent Updates feature", + "waf": "Reliability" }, { "category": "Monitoring and Management", "checklist": "Azure Virtual Desktop Review", "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. This allows you to monitor service updates before the service applies them to your standard or non-validation environment.", "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "id": "E01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "services": [ "AVD", - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Medium", "subcategory": "Management", - "text": "Create a validation (canary) Host Pool" + "text": "Create a validation (canary) Host Pool", + "waf": "Operations" }, { "category": "Monitoring and Management", "checklist": "Azure Virtual Desktop Review", "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. 
It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.", "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "id": "E01.12", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "services": [ "AVD", - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Medium", "subcategory": "Management", - "text": "Determine Host Pool deployment strategy" + "text": "Determine Host Pool deployment strategy", + "waf": "Operations" }, { "category": "Monitoring and Management", "checklist": "Azure Virtual Desktop Review", "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.", "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "id": "E01.13", "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "services": [ "AVD", - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Medium", "subcategory": "Management", - "text": "Turn on Session Host VMs at least every 90 days for token refresh" + "text": "Turn on Session Host VMs at least every 90 days for token refresh", + "waf": "Operations" }, { "category": "Monitoring and Management", "checklist": "Azure Virtual Desktop Review", "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. 
Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.", "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "id": "E02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "services": [ "AVD", 
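Review bot: E01.12's description (context line, new side) lists `manual VM creation with registration token` among the deployment methods but says nothing about handling that token, even though E01.13 in the same hunk shows it is the credential the agent registers with and keeps refreshing against the host pool. Presumably anyone holding a valid token can register an arbitrary VM into the pool, so the checklist should treat it as a secret rather than a deployment detail. Suggested addition to the E01.12 description: `Host pool registration tokens are bearer secrets: generate them with the shortest expiry the rollout needs, pass them to session hosts via Key Vault or pipeline secrets rather than committing them in templates or scripts, and do not reuse one long-lived token across deployments.` This is a documentation change only; the `"waf": "Operations"` tags on E01.12 and E01.13 are fine as they are.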
@@ -16245,43 +16410,49 @@ ], "severity": "High", "subcategory": "Monitoring", - "text": "Enable monitoring for AVD" + "text": "Enable monitoring for AVD", + "waf": "Reliability" }, { "category": "Monitoring and Management", "checklist": "Azure Virtual Desktop Review", "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. ", "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "id": "E02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "services": [ "AVD", - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Medium", "subcategory": "Monitoring", - "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace" + "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace", + "waf": "Reliability" }, { "category": "Monitoring and Management", "checklist": "Azure Virtual Desktop Review", "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. 
", "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "id": "E02.03", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "services": [ - "Storage", "AVD", - "Monitor" + "Monitor", + "Storage" ], "severity": "Medium", "subcategory": "Monitoring", - "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling" + "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", + "waf": "Reliability" }, { "category": "Monitoring and Management", "checklist": "Azure Virtual Desktop Review", "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "id": "E02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "services": [ "AVD", 
@@ -16289,44 +16460,50 @@ ], "severity": "Medium", "subcategory": "Monitoring", - "text": "Configure Azure Service Health for AVD alerts " + "text": "Configure Azure Service Health for AVD alerts ", + "waf": "Reliability" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). ", "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "id": "F01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "services": [ - "NVA", "VPN", - "ExpressRoute", - "AVD" + "AVD", + "NVA", + "ExpressRoute" ], "severity": "Medium", "subcategory": "Networking", - "text": "Determine if hybrid connectivity is required to connect to on-premises environment" + "text": "Determine if hybrid connectivity is required to connect to on-premises environment", + "waf": "Reliability" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. 
It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "id": "F01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "services": [ - "VWAN", "AVD", - "VNet" + "VNet", + "VWAN" ], "severity": "Medium", "subcategory": "Networking", - "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool" + "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", + "waf": "Performance" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. ", "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "id": "F01.03", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "services": [ "VPN", 
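Review bot: F01.02 (`Determine Azure Virtual Network (VNet) placement for each AVD Host Pool`) is tagged `"waf": "Performance"`, but the recommendation it carries, one spoke per host pool and never the hub, reads mainly as a segmentation decision: it keeps user-driven session hosts out of the VNet holding the firewall and gateways and forces their traffic through the hub controls that F01.04 and F01.07 (both tagged Security) depend on. Consider `"waf": "Security"`, or at least add the rationale, since the description states that using the hub is not recommended without saying why; suggested sentence: `Keeping session hosts in their own spoke limits the blast radius of a compromised host and ensures its Internet and on-premises traffic traverses the hub firewall/NVA instead of sharing a network with shared infrastructure.` The pillar choice is a judgement call, so treat the tag change as a suggestion and the added sentence as the substantive part.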
@@ -16334,72 +16511,82 @@ ], "severity": "Medium", "subcategory": "Networking", - "text": "Assess which on-premises resources are required from AVD Host Pools" + "text": "Assess which on-premises resources are required from AVD Host Pools", + "waf": "Reliability" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. Forced Tunneling to on-premises is not recommended.", "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": " https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "id": "F01.04", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "NVA", - "Firewall", "AVD", - "VNet" + "NVA", + "VNet", + "Firewall" ], "severity": "Medium", "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic for AVD hosts?" + "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", + "waf": "Security" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. 
Forced Tunneling to on-premises is not recommended.", "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "id": "F01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", "services": [ "AVD" ], "severity": "High", "subcategory": "Networking", - "text": "Ensure AVD control plane endpoints are accessible" + "text": "Ensure AVD control plane endpoints are accessible", + "waf": "Reliability" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.", "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "id": "F01.06", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "services": [ - "Defender", - "AVD" + "AVD", + "Defender" ], "severity": "Medium", "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? " + "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ", + "waf": "Security" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", - "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/en-us/azure/virtual-desktop/safe-url-list.", + "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. 
In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "id": "F01.07", "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "NVA", - "Firewall", "AVD", - "VNet" + "NVA", + "VNet", + "Firewall" ], "severity": "Low", "subcategory": "Networking", - "text": "Review custom UDR and NSG for AVD Host Pool subnets" + "text": "Review custom UDR and NSG for AVD Host Pool subnets", + "waf": "Security" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. For details and guidelines, please see the companion article in the 'More Info' column.", "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", + "id": "F01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", "services": [ "AVD", 
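Review bot: F01.06's description (`Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation`) uses an outdated product name and offers an endpoint-agent control as the answer to a network egress question; G02.01 and G03.02 in the same diff call it `Microsoft Defender for Endpoint`, and its web filtering is enforced by the agent on the session host, so it only holds while the host is onboarded and the user cannot tamper with it (compare G03.03 on denying local admin rights). Suggested wording: `Consider Microsoft Defender for Endpoint web content filtering or similar 3rd-party agents to control user web navigation; this complements rather than replaces the network-level egress controls in F01.04, which remain the enforcement point for traffic the agent does not see.` The name inconsistency is visible in the hunk; the enforcement-point caveat is my reading of how the feature works and is worth confirming against the linked onboarding page.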
@@ -16407,13 +16594,15 @@
 ],
 "severity": "High",
 "subcategory": "Networking",
- "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic"
+ "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic",
+ "waf": "Reliability"
 },
 {
 "category": "Networking",
 "checklist": "Azure Virtual Desktop Review",
 "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. ",
 "guid": "516785c6-fa96-4c96-ad88-408f372734c8",
+ "id": "F01.09",
 "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth",
 "services": [
 "AVD",
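Review bot: F01.08 (`Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic`) is the one item in this file that tells operators to punch an inspection bypass, and the hunk's description does not say how narrowly that bypass should be scoped. A blanket proxy or firewall exemption for the session host subnets would also exempt user traffic and become an uninspected exfiltration path, so suggest adding to the description: `Scope the bypass to the documented AVD control plane endpoints only (the WindowsVirtualDesktop service tag or the FQDNs in the safe URL list referenced by F01.05), applied to the session host subnets, and keep all other egress subject to F01.04.` The service-tag and safe-URL-list references already appear in F01.05 and F01.07, so this only ties the three items together; the `"waf": "Reliability"` tag is reasonable as the motivation is connection stability.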
@@ -16421,30 +16610,34 @@ ], "severity": "Low", "subcategory": "Networking", - "text": "Check the network bandwidth required for each user and in total for the VM SKU" + "text": "Check the network bandwidth required for each user and in total for the VM SKU", + "waf": "Performance" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. If PE will not be used, at least Service Endpoint is recommended (no cost associated).", "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "id": "F01.10", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "services": [ - "Cost", - "Storage", - "PrivateLink", "AVD", - "VNet" + "VNet", + "PrivateLink", + "Cost", + "Storage" ], "severity": "Medium", "subcategory": "Networking", - "text": "Evaluate usage Private Endpoint for Azure Files share" + "text": "Evaluate usage Private Endpoint for Azure Files share", + "waf": "Security" }, { "category": "Networking", "checklist": "Azure Virtual Desktop Review", - "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", + "description": "Connections to Azure Virtual Desktop can use TCP or UDP. 
RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", + "id": "F01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", "services": [ "VPN", 
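Review bot: F01.10 (`Evaluate usage Private Endpoint for Azure Files share`) is tagged Security, but the description stops at giving session hosts a private path to the share; a private endpoint does not by itself remove the public endpoint, so unless public network access on the storage account is disabled (or its firewall set to deny by default) the FSLogix profile share stays reachable from the Internet with the account key. Since that share holds user profile containers, suggest adding: `When using a Private Endpoint, also disable public network access on the storage account (or set the default firewall action to Deny), prefer identity-based (Kerberos) authentication over the storage account key, and with Service Endpoints scope the account firewall to the session host subnets only.` The point about the account key and identity-based access is my understanding of Azure Files rather than something the hunk states, so verify it against the linked networking-endpoints article. Separately, the text reads `Evaluate usage Private Endpoint`; `Evaluate usage of Private Endpoint` matches F01.11's wording.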
@@ -16452,71 +16645,81 @@ ], "severity": "Medium", "subcategory": "Networking", - "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks" + "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks", + "waf": "Performance" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.", "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", + "id": "G01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", "services": [ "AVD" ], "severity": "Medium", "subcategory": "Active Directory", - "text": "Review Active Directory GPO to secure RDP sessions" + "text": "Review Active Directory GPO to secure RDP sessions", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. 
Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", "guid": "b1172576-9ef6-4691-a483-5ac932223ece", + "id": "G02.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "services": [ - "Defender", - "AVD" + "AVD", + "Defender" ], "severity": "High", "subcategory": "Host Configuration", - "text": "Ensure anti-virus and anti-malware solutions are used" + "text": "Ensure anti-virus and anti-malware solutions are used", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.", "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", + "id": "G02.02", "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", "services": [ - "Storage", - "AKV", "AVD", + "AKV", + "Storage", "VM" ], "severity": "Low", "subcategory": "Host Configuration", - "text": "Assess disk encryption requirements for AVD Session Hosts" + "text": "Assess disk encryption requirements for AVD Session Hosts", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", - "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. 
Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.", + "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.", "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", + "id": "G02.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", "services": [ "AVD", - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Medium", "subcategory": "Host Configuration", - "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts" + "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.", "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", + "id": "G02.04", "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", "services": [ "AVD", 
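Review bot: G02.02's description presents `Disk Encryption Set (DES - Server Side Encryption)` as the recommended option, but a disk encryption set is the mechanism for bringing a customer-managed key to server-side encryption, and SSE itself is already on by default as the first sentence says, so as written the item has no actionable check; suggest `Disk Encryption Set (DES - server-side encryption with customer-managed keys, which adds key ownership and revocation over the default platform-managed keys)`. G02.03 in the same hunk recommends Trusted Launch for the same hosts, and the trusted-launch documentation has listed Azure Disk Encryption (ADE/BitLocker) as unsupported on those VMs, which would make the two recommendations conflict; that constraint is from memory and should be confirmed, and if still true G02.02 should say so. G02.03 and G02.04 are also two items for one control (enable Trusted Launch on Gen2 hosts) at different severities, Medium and High; consider merging them or having G02.04 reference G02.03 so the severities cannot drift.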
@@ -16524,141 +16727,161 @@ ], "severity": "High", "subcategory": "Host Configuration", - "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11" + "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Displayed content will be automatically blocked or hidden in screenshots. Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.", "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", + "id": "G02.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", "services": [ "AVD" ], "severity": "Low", "subcategory": "Host Configuration", - "text": "Consider enabling screen capture protection to prevent sensitive information from being captured" + "text": "Consider enabling screen capture protection to prevent sensitive information from being captured", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. 
Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.", "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", + "id": "G02.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", "services": [ "AVD" ], "severity": "Medium", "subcategory": "Host Configuration", - "text": "Restrict device redirection and drive mapping" + "text": "Restrict device redirection and drive mapping", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.", "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", + "id": "G03.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "services": [ "AVD" ], "severity": "Medium", "subcategory": "Management", - "text": "When possible, prefer Remote Apps over Full Desktops (DAG)" + "text": "When possible, prefer Remote Apps over Full Desktops (DAG)", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.", "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "id": "G03.02", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "services": [ - "Defender", - "AVD" + "AVD", + "Defender" ], "severity": "Medium", "subcategory": "Management", - "text": "Need to control/restrict user Internet navigation from AVD session hosts?" + "text": "Need to control/restrict user Internet navigation from AVD session hosts?", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities.", "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "id": "G03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", "services": [ "AVD" ], "severity": "High", "subcategory": "Management", - "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts" + "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", - "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide#improve-your-secure-score.", + "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. 
With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "id": "G03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "services": [ + "AVD", "VM", - "Storage", "AKV", - "AVD", + "Subscriptions", "Defender", - "Subscriptions" + "Storage" ], "severity": "Medium", "subcategory": "Management", - "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture" + "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. ", "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "id": "G03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", "services": [ - "Entra", "AVD", - "Monitor" + "Monitor", + "Entra" ], "severity": "Medium", "subcategory": "Management", - "text": "Enable diagnostic and audit logging" + "text": "Enable diagnostic and audit logging", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). 
Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.", "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", + "id": "G03.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", "services": [ - "RBAC", "AVD", + "RBAC", "Entra" ], "severity": "Low", "subcategory": "Management", - "text": "Assess the requirement to use custom RBAC roles for AVD management" + "text": "Assess the requirement to use custom RBAC roles for AVD management", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. ", "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", + "id": "G03.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", "services": [ - "Defender", - "AVD" + "AVD", + "Defender" ], "severity": "Medium", "subcategory": "Management", - "text": "Restrict users from installing un-authorized applications" + "text": "Restrict users from installing un-authorized applications", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", + "id": "G04.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", "services": [ "AVD", 
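Review bot: G03.01 (`When possible, prefer Remote Apps over Full Desktops (DAG)`) carries `"link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview"`, which is the Defender web-protection page the very next item G03.02 legitimately uses and has nothing to do with RemoteApp versus desktop application groups, so it looks like a copy/paste slip that the new id now makes permanent. Point it at the AVD security guide already used by G03.03 (`https://docs.microsoft.com/azure/virtual-desktop/security-guide`) or at a RemoteApp/application-group page. Separately, G02.05 (screen capture protection) could warn that clients which do not support the feature are refused the connection once it is enabled, so rollout needs a client inventory; that behaviour is my recollection of the linked page and should be confirmed before adding it. G03.07's description also reads `permission to install application`, which should be `applications`.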
@@ -16666,267 +16889,304 @@ ], "severity": "Medium", "subcategory": "Microsoft Entra ID", - "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users" + "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users", + "waf": "Security" }, { "category": "Security", "checklist": "Azure Virtual Desktop Review", "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.", "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", + "id": "G05.01", "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd", "services": [ "AVD" ], "severity": "Medium", "subcategory": "Zero Trust", - "text": "Review and Apply Zero Trust principles and guidance" + "text": "Review and Apply Zero Trust principles and guidance", + "waf": "Security" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.", "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", + "id": "H01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "Medium", "subcategory": "Azure Files", - "text": "Check best-practices for Azure Files" + "text": "Check best-practices for Azure Files", + "waf": "Performance" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.", "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", + "id": "H01.02", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", "services": [ "ACR", - "Cost", + "AVD", "Storage", - "AVD" + "Cost" ], "severity": "Low", "subcategory": "Azure Files", - "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers." + "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.", + "waf": "Performance" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "If a second region is required for DR purposes verify NetApp availability in there as well.", "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", + "id": "H02.01", "link": "https://azure.microsoft.com/global-infrastructure/services/", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "Medium", "subcategory": "Azure NetApp Files", - "text": "If NetApp Files storage is required, check storage service availability in your specific region." 
+ "text": "If NetApp Files storage is required, check storage service availability in your specific region.", + "waf": "Reliability" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.", "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", + "id": "H02.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "Medium", "subcategory": "Azure NetApp Files", - "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency" + "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency", + "waf": "Reliability" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.", "guid": "6647e977-db49-48a8-bc35-743f17499d42", + "id": "H02.03", "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", "services": [ - "Storage", "AVD", - "VNet" + "VNet", + "Storage" ], "severity": "High", "subcategory": "Azure NetApp Files", - "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration" + "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration", + "waf": "Reliability" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Possible options: Standard HDD, Standard SSD, or 
Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. ", "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", + "id": "H03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "Medium", "subcategory": "Capacity Planning", - "text": "Determine which type of managed disk will be used for the Session Hosts" + "text": "Determine which type of managed disk will be used for the Session Hosts", + "waf": "Performance" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. For a detailed comparison see the article in the 'More Info' column.", "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", + "id": "H03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ - "Storage", "AVD", + "Storage", "VM" ], "severity": "High", "subcategory": "Capacity Planning", - "text": "Determine which storage backend solution will be used for FSLogix Profiles" + "text": "Determine which storage backend solution will be used for FSLogix Profiles", + "waf": "Performance" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. 
Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.", "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", + "id": "H03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "High", "subcategory": "Capacity Planning", - "text": "Do not share storage and profiles between different Host Pools" + "text": "Do not share storage and profiles between different Host Pools", + "waf": "Performance" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. Multiple storage accounts can be used for the same Host Pool if required.", "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "id": "H03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "High", "subcategory": "Capacity Planning", - "text": "Verify storage scalability limits and Host Pool requirements" + "text": "Verify storage scalability limits and Host Pool requirements", + "waf": "Reliability" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.", "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "id": "H03.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "services": [ - "Cost", + "AVD", "Storage", - "AVD" + "Cost" ], "severity": "High", "subcategory": "Capacity Planning", - "text": "For 
optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region." + "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.", + "waf": "Performance" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "id": "H04.01", "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "services": [ + "AVD", "Storage", - "ASR", - "AVD" + "ASR" ], "severity": "High", "subcategory": "FSLogix", - "text": "Do not use Office Containers (ODFC) if not strictly required and justified" + "text": "Do not use Office Containers (ODFC) if not strictly required and justified", + "waf": "Reliability" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.", "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "id": "H04.02", "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "Medium", "subcategory": "FSLogix", - "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect)." 
+ "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).", + "waf": "Security" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.", "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "id": "H04.03", "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "High", "subcategory": "FSLogix", - "text": "Review and confirm configured maximum profile size in FSLogix" + "text": "Review and confirm configured maximum profile size in FSLogix", + "waf": "Cost" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.", "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "id": "H04.04", "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "services": [ - "Storage", "ACR", + "AVD", "AKV", - "AVD" + "Storage" ], "severity": "High", "subcategory": "FSLogix", - "text": "Review FSLogix registry keys and determine which ones to apply" + "text": "Review FSLogix registry keys and determine which ones to apply", + "waf": "Reliability" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. 
OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. For multiple connections, usage of the same profile disk is not recommended.", "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "id": "H04.05", "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "High", "subcategory": "FSLogix", - "text": "Avoid usage of concurrent or multiple connections" + "text": "Avoid usage of concurrent or multiple connections", + "waf": "Reliability" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", - "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/en-us/fslogix/concepts-fslogix-cloud-cache. ", + "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. ", "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "id": "H04.06", "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "services": [ - "Storage", "AVD", + "Storage", "VM" ], "severity": "Low", "subcategory": "FSLogix", - "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive." 
+ "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", + "waf": "Performance" }, { "category": "Storage", "checklist": "Azure Virtual Desktop Review", "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. Configuring exclusions may impact functionality, stability and performance.", "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", + "id": "H04.07", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", "services": [ - "Storage", - "AVD" + "AVD", + "Storage" ], "severity": "Medium", "subcategory": "FSLogix", - "text": "Review the usage of FSLogix redirection." + "text": "Review the usage of FSLogix redirection.", + "waf": "Cost" }, { "category": "Foundation", @@ -17048,8 +17308,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", "services": [ "Arc", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "Medium", "subcategory": "Access", @@ -17079,8 +17339,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", "services": [ "Arc", - "Subscriptions", - "Entra" + "Entra", + "Subscriptions" ], "severity": "High", "subcategory": "Requirements", @@ -17095,8 +17355,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", "services": [ "Arc", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "Medium", "subcategory": "Requirements", 
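Review bot: The `waf` pillar added for H04.07 ("Review the usage of FSLogix redirection") is `"Cost"`, but that item's own description only talks about functionality, stability and performance, so the tag looks mis-mapped; `"waf": "Performance"` (or `"Reliability"`, matching the neighbouring H04.05 entry) fits the text. H04.02 (antivirus exclusions for FSLogix VHD(X) files) is now the only FSLogix item tagged `"Security"`; the tag is defensible, but because these exclusions reduce scanning coverage it would help to state in the item that they must be limited to the documented FSLogix paths and processes rather than broad folder or extension exclusions. The new `id` values are presumably meant to be unique across the checklist; if they are used as keys downstream, a uniqueness check in CI would catch collisions when items are reordered or added. The hunk is a slice of a much larger JSON array whose enclosing structure lies outside it.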
@@ -17111,8 +17371,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", "services": [ "Arc", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "Medium", "subcategory": "Security", @@ -17127,8 +17387,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", "services": [ "Arc", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "Medium", "subcategory": "Security", @@ -17143,8 +17403,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", "services": [ "Arc", - "RBAC", - "Entra" + "Entra", + "RBAC" ], "severity": "Medium", "subcategory": "Security", @@ -17189,8 +17449,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", "services": [ "Arc", - "AzurePolicy", - "Monitor" + "Monitor", + "AzurePolicy" ], "severity": "Medium", "subcategory": "Management", @@ -17349,8 +17609,8 @@ "services": [ "Arc", "VPN", - "ExpressRoute", - "PrivateLink" + "PrivateLink", + "ExpressRoute" ], "severity": "Medium", "subcategory": "Networking", @@ -17407,8 +17667,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", "services": [ "Arc", - "PrivateLink", - "Monitor" + "Monitor", + "PrivateLink" ], "severity": "Low", "subcategory": "Networking", @@ -17505,9 +17765,9 @@ "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", "services": [ "Arc", - "Storage", + "Entra", "AKV", - "Entra" + "Storage" ], "severity": "High", "subcategory": "Secrets", 
@@ -17642,10 +17902,10 @@ "guid": "cbe05bbe-209d-4490-ba47-778424d11678", "link": "https://learn.microsoft.com/azure/security-center/", "services": [ - "RBAC", "ASR", - "VM", - "Entra" + "Entra", + "RBAC", + "VM" ], "severity": "Medium", "subcategory": " ", @@ -17657,8 +17917,8 @@ "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", "link": "https://learn.microsoft.com/azure/security-center/", "services": [ - "SAP", "ACR", + "SAP", "ASR" ], "severity": "Medium", @@ -17672,8 +17932,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ "ASR", - "VM", - "Entra" + "Entra", + "VM" ], "severity": "Medium", "subcategory": " ", @@ -17698,8 +17958,8 @@ "guid": "b3d1325a-e124-4ba3-9df6-85eddce9bd3b", "link": "https://www.microsoft.com/itshowcase/implementing-a-zero-trust-security-model-at-microsoft", "services": [ - "Storage", "ASR", + "Storage", "VM" ], "severity": "Medium", @@ -17736,8 +17996,8 @@ "checklist": "Azure Landing Zone Review", "guid": "81b12318-1a54-4174-8583-3fb4ae3c2df7", "services": [ - "ASR", - "VNet" + "VNet", + "ASR" ], "severity": "Medium", "subcategory": " ", @@ -17748,9 +18008,9 @@ "checklist": "Azure Landing Zone Review", "guid": "43165c3a-cbe0-45bb-b209-d490da477784", "services": [ - "ASR", "VM", - "Entra" + "Entra", + "ASR" ], "severity": "Medium", "subcategory": " ", @@ -17784,9 +18044,9 @@ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", "services": [ - "Subscriptions", + "Entra", "RBAC", - "Entra" + "Subscriptions" ], "severity": "High", "subcategory": "Identity", @@ -17799,8 +18059,8 @@ "guid": "45911475-e39e-4530-accc-d979366bcda2", "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", 
@@ -17813,8 +18073,8 @@ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17826,8 +18086,8 @@ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17839,8 +18099,8 @@ "checklist": "Azure Landing Zone Review", "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17853,8 +18113,8 @@ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17866,9 +18126,9 @@ "checklist": "Azure Landing Zone Review", "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", "services": [ - "SAP", "AKV", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17881,9 +18141,9 @@ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", "services": [ - "SAP", "AKV", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17895,8 +18155,8 @@ "guid": "16785d6f-a96c-496a-b885-18f482734c88", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", 
@@ -17908,8 +18168,8 @@ "guid": "a747c350-8d4c-449c-93af-393dbca77c48", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17921,8 +18181,8 @@ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17934,8 +18194,8 @@ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17947,8 +18207,8 @@ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17960,8 +18220,8 @@ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -17973,8 +18233,8 @@ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", 
@@ -17986,9 +18246,9 @@ "guid": "6ba28021-4591-4147-9e39-e5309cccd979", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", "services": [ + "AzurePolicy", "SAP", - "Subscriptions", - "AzurePolicy" + "Subscriptions" ], "severity": "Medium", "subcategory": "Subscriptions", @@ -18028,8 +18288,8 @@ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", "services": [ - "Subscriptions", - "VM" + "VM", + "Subscriptions" ], "severity": "High", "subcategory": "Subscriptions", @@ -18054,8 +18314,8 @@ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", "services": [ - "Subscriptions", - "VM" + "VM", + "Subscriptions" ], "severity": "High", "subcategory": "Subscriptions", @@ -18081,8 +18341,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", "services": [ "Subscriptions", - "Cost", - "TrafficManager" + "TrafficManager", + "Cost" ], "severity": "Medium", "subcategory": "Subscriptions", @@ -18095,8 +18355,8 @@ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", "services": [ - "Backup", - "Monitor" + "Monitor", + "Backup" ], "severity": "High", "subcategory": "BCDR", @@ -18110,9 +18370,9 @@ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", "services": [ "Monitor", - "Storage", "VM", - "Entra" + "Entra", + "Storage" ], "severity": "Medium", "subcategory": "BCDR", @@ -18124,8 +18384,8 @@ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", "services": [ - "SAP", - "Monitor" + "Monitor", + "SAP" ], "severity": "High", "subcategory": "Management", 
@@ -18151,8 +18411,8 @@ "guid": "a491dfc4-9353-4213-9217-eef0949f9467", "link": "https://azure.microsoft.com/pricing/offers/dev-test/", "services": [ - "Cost", - "Monitor" + "Monitor", + "Cost" ], "severity": "Low", "subcategory": "Management", @@ -18165,8 +18425,8 @@ "link": "https://learn.microsoft.com/azure/lighthouse/overview", "services": [ "Monitor", - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Management", @@ -18178,8 +18438,8 @@ "guid": "4d116785-d2fa-456c-96ad-48408fe72734", "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", "services": [ - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Medium", "subcategory": "Management", @@ -18192,8 +18452,8 @@ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", "services": [ - "SAP", - "Monitor" + "Monitor", + "SAP" ], "severity": "Low", "subcategory": "Management", @@ -18207,8 +18467,8 @@ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", "services": [ "SQL", - "SAP", - "Monitor" + "Monitor", + "SAP" ], "severity": "Medium", "subcategory": "Monitoring", @@ -18221,10 +18481,10 @@ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", "services": [ + "Monitor", "Entra", "SAP", - "VM", - "Monitor" + "VM" ], "severity": "High", "subcategory": "Monitoring", @@ -18237,8 +18497,8 @@ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ - "AzurePolicy", - "Monitor" + "Monitor", + "AzurePolicy" ], "severity": "Medium", "subcategory": "Monitoring", 
@@ -18251,9 +18511,9 @@ "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", "services": [ - "SAP", + "Monitor", "NetworkWatcher", - "Monitor" + "SAP" ], "severity": "Medium", "subcategory": "Monitoring", @@ -18266,9 +18526,9 @@ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", "services": [ + "Monitor", "SAP", - "ASR", - "Monitor" + "ASR" ], "severity": "High", "subcategory": "Monitoring", @@ -18281,9 +18541,9 @@ "guid": "73686af4-6791-4f89-95ad-a43324e13811", "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", "services": [ + "Monitor", "SAP", - "VM", - "Monitor" + "VM" ], "severity": "Medium", "subcategory": "Monitoring", @@ -18295,9 +18555,9 @@ "guid": "616785d6-fa96-4c96-ad88-518f482734c8", "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", "services": [ + "Monitor", "SAP", - "Subscriptions", - "Monitor" + "Subscriptions" ], "severity": "High", "subcategory": "Monitoring", @@ -18310,9 +18570,9 @@ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", "services": [ + "Monitor", "Storage", - "ASR", - "Monitor" + "ASR" ], "severity": "Medium", "subcategory": "Monitoring", @@ -18325,9 +18585,9 @@ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", "services": [ - "SAP", + "Monitor", "Sentinel", - "Monitor" + "SAP" ], "severity": "Medium", "subcategory": "Monitoring", @@ -18340,8 +18600,8 @@ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", "services": [ - "Cost", - "Monitor" + "Monitor", + "Cost" ], "severity": "Medium", "subcategory": "Monitoring", 
@@ -18354,8 +18614,8 @@ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", "services": [ - "VM", - "Monitor" + "Monitor", + "VM" ], "severity": "Low", "subcategory": "Performance", @@ -18367,9 +18627,9 @@ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", "services": [ + "Monitor", "SAP", - "ASR", - "Monitor" + "ASR" ], "severity": "Medium", "subcategory": "Performance", @@ -18382,9 +18642,9 @@ "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", "services": [ - "SAP", + "Monitor", "Storage", - "Monitor" + "SAP" ], "severity": "Medium", "subcategory": "Performance", @@ -18396,8 +18656,8 @@ "guid": "c027f893-f404-41a9-b33d-39d625a14964", "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", "services": [ - "SAP", - "Monitor" + "Monitor", + "SAP" ], "severity": "Low", "subcategory": "Performance", @@ -18409,9 +18669,9 @@ "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", "services": [ - "SAP", + "Monitor", "Storage", - "Monitor" + "SAP" ], "severity": "Medium", "subcategory": "Performance", @@ -18425,8 +18685,8 @@ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", "services": [ "SQL", - "SAP", - "Monitor" + "Monitor", + "SAP" ], "severity": "Medium", "subcategory": "Performance", @@ -18439,8 +18699,8 @@ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "services": [ - "WAF", "AzurePolicy", + "WAF", "AppGW" ], "severity": "Medium", 
@@ -18454,9 +18714,9 @@ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "services": [ - "SAP", + "VM", "DNS", - "VM" + "SAP" ], "severity": "Medium", "subcategory": "DNS", @@ -18469,9 +18729,9 @@ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "services": [ - "SAP", + "VNet", "DNS", - "VNet" + "SAP" ], "severity": "Medium", "subcategory": "DNS", @@ -18484,9 +18744,9 @@ "guid": "a3592829-e6e2-4061-9368-6af46791f893", "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", "services": [ - "SAP", "ACR", - "VNet" + "VNet", + "SAP" ], "severity": "Medium", "subcategory": "Hybrid", @@ -18513,8 +18773,8 @@ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", "services": [ - "SAP", "ACR", + "SAP", "VWAN" ], "severity": "Medium", @@ -18544,8 +18804,8 @@ "services": [ "NVA", "VNet", - "SAP", - "VWAN" + "VWAN", + "SAP" ], "severity": "Medium", "subcategory": "Hybrid", @@ -18558,8 +18818,8 @@ "guid": "82734c88-6ba2-4802-8459-11475e39e530", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "services": [ - "SAP", "VNet", + "SAP", "VM" ], "severity": "High", @@ -18573,8 +18833,8 @@ "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", "services": [ - "ASR", - "VNet" + "VNet", + "ASR" ], "severity": "High", "subcategory": "IP plan", 
@@ -18600,8 +18860,8 @@
 "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
 "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
 "services": [
- "Storage",
- "VNet"
+ "VNet",
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "IP plan",
@@ -18626,8 +18886,8 @@
 "checklist": "Azure Landing Zone Review",
 "guid": "d88518f4-8273-44c8-a6ba-280214591147",
 "services": [
- "SAP",
- "AppGW"
+ "AppGW",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -18639,10 +18899,10 @@
 "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "services": [
- "WAF",
- "AzurePolicy",
 "ACR",
- "FrontDoor"
+ "FrontDoor",
+ "AzurePolicy",
+ "WAF"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -18655,10 +18915,10 @@
 "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
 "services": [
- "WAF",
- "AzurePolicy",
- "AppGW",
- "FrontDoor"
+ "FrontDoor",
+ "AzurePolicy",
+ "WAF",
+ "AppGW"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -18671,8 +18931,8 @@
 "guid": "5ada4332-4e13-4811-9231-81aa41742694",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "services": [
- "WAF",
 "LoadBalancer",
+ "WAF",
 "AppGW"
 ],
 "severity": "Medium",
@@ -18686,8 +18946,8 @@
 "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
 "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
 "services": [
- "SAP",
 "ACR",
+ "SAP",
 "VWAN"
 ],
 "severity": "Medium",
@@ -18701,11 +18961,11 @@
 "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
 "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
 "services": [
- "Backup",
- "Storage",
+ "VNet",
 "PrivateLink",
+ "Backup",
 "ACR",
- "VNet"
+ "Storage"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -18745,9 +19005,9 @@
 "guid": "6791f893-5ada-4433-84e1-3811523181aa",
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
 "services": [
+ "VNet",
 "SAP",
- "VM",
- "VNet"
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Segmentation",
@@ -18760,8 +19020,8 @@
 "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
 "link": "https://me.sap.com/notes/2015553",
 "services": [
- "SAP",
- "VNet"
+ "VNet",
+ "SAP"
 ],
 "severity": "High",
 "subcategory": "Segmentation",
@@ -18800,9 +19060,9 @@
 "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
 "link": "https://me.sap.com/notes/2015553",
 "services": [
+ "VNet",
 "SAP",
- "Cost",
- "VNet"
+ "Cost"
 ],
 "severity": "High",
 "subcategory": "Segmentation",
@@ -18842,8 +19102,8 @@
 "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
 "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
 "services": [
- "SAP",
- "VNet"
+ "VNet",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Segmentation",
@@ -18855,9 +19115,9 @@
 "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview",
 "services": [
+ "RBAC",
 "SAP",
- "Subscriptions",
- "RBAC"
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": "Governance",
@@ -18883,10 +19143,10 @@
 "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
 "link": "https://learn.microsoft.com/azure/governance/policy/overview",
 "services": [
- "Backup",
 "SQL",
 "Storage",
- "SAP"
+ "SAP",
+ "Backup"
 ],
 "severity": "Medium",
 "subcategory": "Governance",
@@ -18954,8 +19214,8 @@
 "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
- "AzurePolicy",
- "AKV"
+ "AKV",
+ "AzurePolicy"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
@@ -18967,8 +19227,8 @@
 "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
- "AzurePolicy",
 "AKV",
+ "AzurePolicy",
 "RBAC"
 ],
 "severity": "Medium",
@@ -18981,9 +19241,9 @@
 "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
- "SAP",
- "AzurePolicy",
 "AKV",
+ "AzurePolicy",
+ "SAP",
 "Defender"
 ],
 "severity": "Medium",
@@ -18996,9 +19256,9 @@
 "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
- "SAP",
 "AKV",
- "RBAC"
+ "RBAC",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
@@ -19010,8 +19270,8 @@
 "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
- "SAP",
- "AKV"
+ "AKV",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
@@ -19023,9 +19283,9 @@
 "guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
- "SAP",
 "AKV",
- "Entra"
+ "Entra",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
@@ -19037,8 +19297,8 @@
 "guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
- "SAP",
- "AKV"
+ "AKV",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
@@ -19111,8 +19371,8 @@
 "guid": "349f0364-d28d-442e-abbb-c868255abc91",
 "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender",
 "services": [
- "Defender",
- "Monitor"
+ "Monitor",
+ "Defender"
 ],
 "severity": "High",
 "subcategory": "Pricing & Settings",
@@ -19148,8 +19408,8 @@
 "guid": "e6b84ee5-ef43-4d29-a248-1718d5d1f5f7",
 "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection",
 "services": [
- "Defender",
- "AzurePolicy"
+ "AzurePolicy",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Pricing & Settings",
@@ -19161,8 +19421,8 @@
 "guid": "25759e35-680e-4782-9ac9-32213d027ff4",
 "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details",
 "services": [
- "Defender",
- "AzurePolicy"
+ "AzurePolicy",
+ "Defender"
 ],
 "severity": "Low",
 "subcategory": "Pricing & Settings",
@@ -19198,8 +19458,8 @@
 "guid": "05675c5e-985b-4859-a774-f7e371623b87",
 "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal",
 "services": [
- "Defender",
- "EventHubs"
+ "EventHubs",
+ "Defender"
 ],
 "severity": "High",
 "subcategory": "Pricing & Settings",
@@ -19211,9 +19471,9 @@
 "guid": "5a917e1f-349f-4036-9d28-d42e8bbbc868",
 "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal",
 "services": [
- "Defender",
+ "Monitor",
 "Sentinel",
- "Monitor"
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Pricing & Settings",
@@ -19249,9 +19509,9 @@
 "guid": "cce9bdf6-b483-45a0-85ec-c8232b230652",
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security",
 "services": [
+ "Monitor",
 "Entra",
- "Defender",
- "Monitor"
+ "Defender"
 ],
 "severity": "Low",
 "subcategory": "Pricing & Settings",
@@ -19288,8 +19548,8 @@
 "guid": "50259226-4429-42bb-9285-37a55119bf8e",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident",
 "services": [
- "Defender",
- "Monitor"
+ "Monitor",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Security Alerts",
@@ -19365,8 +19625,8 @@
 "guid": "9603334b-df9c-4c23-918d-b61171265f4b",
 "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679",
 "services": [
- "Defender",
- "Firewall"
+ "Firewall",
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Firewall Manager",
@@ -19379,9 +19639,9 @@
 "guid": "b47a393a-0803-4272-a479-8b1578a219a4",
 "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices",
 "services": [
- "Defender",
+ "VNet",
 "Firewall",
- "VNet"
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Firewall Manager",
@@ -19393,9 +19653,9 @@
 "guid": "6ceb5443-5025-4922-9442-92bb628537a5",
 "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/",
 "services": [
- "Defender",
+ "DDoS",
 "Firewall",
- "DDoS"
+ "Defender"
 ],
 "severity": "Medium",
 "subcategory": "Firewall Manager",
@@ -19407,8 +19667,8 @@
 "guid": "5119bf8e-8f58-4542-a7d9-cdc166cd072a",
 "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started?WT.mc_id=Portal-Microsoft_Azure_Security",
 "services": [
- "Subscriptions",
- "Defender"
+ "Defender",
+ "Subscriptions"
 ],
 "severity": "High",
 "subcategory": "Coverage",
@@ -19420,8 +19680,8 @@
 "guid": "4df585ec-dce9-4793-a7bc-db3b51eb2eb0",
 "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses",
 "services": [
- "VM",
- "VNet"
+ "VNet",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Public IPs",
@@ -19434,9 +19694,9 @@
 "guid": "3dda6e59-d7c8-4a2e-bb11-7d6769af669c",
 "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses",
 "services": [
+ "EventHubs",
 "Firewall",
- "VM",
- "EventHubs"
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Public IPs",
@@ -19461,8 +19721,8 @@
 "guid": "158e3ea3-a93c-42de-9e31-65c3a87a04b7",
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview",
 "services": [
- "RBAC",
- "VNet"
+ "VNet",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "NSG",
@@ -19513,8 +19773,8 @@
 "guid": "a6c97be9-955d-404c-9c49-c986cb2d1215",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log",
 "services": [
- "Sentinel",
- "VNet"
+ "VNet",
+ "Sentinel"
 ],
 "severity": "Medium",
 "subcategory": "NSG",
@@ -19526,8 +19786,8 @@
 "guid": "aa124b6e-4df5-485e-adce-9793b7bcdb3b",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
 "services": [
- "RBAC",
- "VNet"
+ "VNet",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "UDR",
@@ -19539,8 +19799,8 @@
 "guid": "51eb2eb0-3dda-46e5-ad7c-8a2edb117d67",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
 "services": [
- "Firewall",
- "VNet"
+ "VNet",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "UDR",
@@ -19578,8 +19838,8 @@
 "guid": "a87a04b7-a209-4939-ada4-7778f24c1167",
 "link": "https://github.com/MicrosoftDocs/azure-docs/issues/53672",
 "services": [
- "RBAC",
- "VNet"
+ "VNet",
+ "RBAC"
 ],
 "severity": "Medium",
 "subcategory": "Virtual Networks",
@@ -19627,8 +19887,8 @@
 "guid": "1f625659-ee55-480a-9824-9c931213dbd7",
 "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview",
 "services": [
- "PrivateLink",
- "VNet"
+ "VNet",
+ "PrivateLink"
 ],
 "severity": "High",
 "subcategory": "Virtual Networks",
@@ -19640,8 +19900,8 @@
 "guid": "fb012f70-943f-4630-9722-ea39d2b1ce63",
 "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network",
 "services": [
- "VNet",
- "Monitor"
+ "Monitor",
+ "VNet"
 ],
 "severity": "High",
 "subcategory": "Virtual Networks",
@@ -19680,9 +19940,9 @@
 "guid": "b375a917-ecbe-448f-ae64-dd7df2e8bbbc",
 "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network",
 "services": [
- "Sentinel",
+ "Monitor",
 "VNet",
- "Monitor"
+ "Sentinel"
 ],
 "severity": "High",
 "subcategory": "Virtual Networks",
@@ -19720,8 +19980,8 @@
 "guid": "718d1dca-1f62-4565-aee5-580a38249c93",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-global-transit-network-architecture",
 "services": [
- "VWAN",
- "Monitor"
+ "Monitor",
+ "VWAN"
 ],
 "severity": "High",
 "subcategory": "Virtual WAN",
@@ -19733,8 +19993,8 @@
 "guid": "1213dbd7-fb01-42f7-8943-f6304722ea39",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
 "services": [
- "RBAC",
- "AppGW"
+ "AppGW",
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "Application Gateway",
@@ -19746,8 +20006,8 @@
 "guid": "d2b1ce63-2055-4b29-aade-4aad1e8c39ec",
 "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip",
 "services": [
- "WAF",
 "EventHubs",
+ "WAF",
 "AppGW"
 ],
 "severity": "High",
@@ -19760,8 +20020,8 @@
 "guid": "94666731-3c00-4567-9c1e-945b459c373e",
 "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip",
 "services": [
- "WAF",
 "EventHubs",
+ "WAF",
 "AppGW"
 ],
 "severity": "High",
@@ -19786,8 +20046,8 @@
 "guid": "f2e8bbbc-4681-455a-ac91-64e9909aed8c",
 "link": "https://learn.microsoft.com/azure/frontdoor/",
 "services": [
- "RBAC",
- "FrontDoor"
+ "FrontDoor",
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "FrontDoor",
@@ -19799,9 +20059,9 @@
 "guid": "44cf3b2b-3818-4baf-a2cf-2149d013a923",
 "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json",
 "services": [
- "WAF",
+ "FrontDoor",
 "AzurePolicy",
- "FrontDoor"
+ "WAF"
 ],
 "severity": "High",
 "subcategory": "FrontDoor",
@@ -19813,8 +20073,8 @@
 "guid": "ce574dcc-bd8a-4c2a-aebc-a2a44da1dbf3",
 "link": "https://learn.microsoft.com/azure/frontdoor/front-door-custom-domain-https",
 "services": [
- "AzurePolicy",
- "FrontDoor"
+ "FrontDoor",
+ "AzurePolicy"
 ],
 "severity": "High",
 "subcategory": "FrontDoor",
@@ -19838,8 +20098,8 @@
 "guid": "38249c93-1213-4dbd-9fb0-12f70943f630",
 "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics",
 "services": [
- "Sentinel",
- "FrontDoor"
+ "FrontDoor",
+ "Sentinel"
 ],
 "severity": "High",
 "subcategory": "FrontDoor",
@@ -19947,8 +20207,8 @@
 "guid": "e0d968d3-87f6-41fb-a4f9-d852f1673f4c",
 "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices#6-use-groups-for-azure-ad-role-assignments-and-delegate-the-role-assignment",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "Privileged administration",
@@ -19985,8 +20245,8 @@
 "guid": "922ac19f-916d-4697-b8ea-ded26bdd186f",
 "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security",
 "services": [
- "Entra",
- "Monitor"
+ "Monitor",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": "Privileged administration",
@@ -20022,8 +20282,8 @@
 "guid": "be64dd7d-f2e8-4bbb-a468-155abc9164e9",
 "link": "https://learn.microsoft.com/azure/active-directory/external-identities/delegate-invitations",
 "services": [
- "RBAC",
- "Entra"
+ "Entra",
+ "RBAC"
 ],
 "severity": "High",
 "subcategory": "External Identities",
@@ -20180,9 +20440,9 @@
 "guid": "7fb012f7-0943-4f63-8472-2ea39d2b1ce6",
 "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring",
 "services": [
- "Entra",
+ "Monitor",
 "Sentinel",
- "Monitor"
+ "Entra"
 ],
 "severity": "High",
 "subcategory": "Diagnostic Settings",
@@ -20397,8 +20657,8 @@
 "guid": "f219e4a1-eb58-4879-935d-227886d30b66",
 "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm",
 "services": [
- "ASR",
- "VM"
+ "VM",
+ "ASR"
 ],
 "severity": "Medium",
 "subcategory": "High Availability ",
@@ -20458,8 +20718,8 @@
 "guid": "650c3fc1-4eeb-4b36-a382-9e3eec218368",
 "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration",
 "services": [
- "Defender",
- "VM"
+ "VM",
+ "Defender"
 ],
 "severity": "High",
 "subcategory": "Protect against malware",
@@ -20495,8 +20755,8 @@
 "guid": "02145901-465d-438e-9309-ccbd979266bc",
 "link": "https://learn.microsoft.com/azure/security-center/asset-inventory",
 "services": [
- "Defender",
- "VM"
+ "VM",
+ "Defender"
 ],
 "severity": "High",
 "subcategory": "Manage VM Updates",
@@ -20545,8 +20805,8 @@
 "guid": "5173676a-e466-491e-a835-ad942223e138",
 "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
 "services": [
- "VM",
- "Entra"
+ "Entra",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Restrict direct internet connection ",
@@ -20558,8 +20818,8 @@
 "guid": "10523081-a941-4741-9833-ff7ad7c6d373",
 "link": "https://learn.microsoft.com/azure/security-center/security-center-partner-integration",
 "services": [
- "VM",
- "Entra"
+ "Entra",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Restrict direct internet connection ",
@@ -20621,8 +20881,8 @@
 "guid": "cd5d1e54-a297-459e-9968-0e78289c9356",
 "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard",
 "services": [
- "Sentinel",
- "Monitor"
+ "Monitor",
+ "Sentinel"
 ],
 "severity": "High",
 "subcategory": "Architecture ",
@@ -20646,9 +20906,9 @@
 "guid": "e8f5c586-c7d9-4cdc-86ac-c075ef9b141a",
 "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view",
 "services": [
- "Sentinel",
 "ACR",
- "Monitor"
+ "Monitor",
+ "Sentinel"
 ],
 "severity": "Medium",
 "subcategory": "Architecture ",
@@ -20734,8 +20994,8 @@
 "guid": "8e13f9cc-bd46-4826-9abc-a264f9a19bfe",
 "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud",
 "services": [
- "Defender",
- "Sentinel"
+ "Sentinel",
+ "Defender"
 ],
 "severity": "High",
 "subcategory": "Data Connectors",
@@ -20893,8 +21153,8 @@
 "guid": "8093dc9f-c9d1-4bb7-9b36-a5a67fbb9ed5",
 "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics",
 "services": [
- "Firewall",
- "Monitor"
+ "Monitor",
+ "Firewall"
 ],
 "severity": "Medium",
 "subcategory": "Diagnostic Settings",
@@ -20906,8 +21166,8 @@
 "guid": "b35478c3-4798-416b-8863-cffe1cac599e",
 "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
 "services": [
- "Firewall",
- "VNet"
+ "VNet",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "Firewall Manager",
@@ -20919,8 +21179,8 @@
 "guid": "f0d5a73d-d4de-436c-8c81-770afbc4c0e4",
 "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598",
 "services": [
- "Firewall",
 "AzurePolicy",
+ "Firewall",
 "RBAC"
 ],
 "severity": "High",
@@ -20933,8 +21193,8 @@
 "guid": "5c3a87af-4a79-41f8-a39b-da47768e14c1",
 "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
 "services": [
- "Firewall",
- "AzurePolicy"
+ "AzurePolicy",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "Firewall Manager",
@@ -20946,8 +21206,8 @@
 "guid": "15675c1e-a55b-446a-a48f-f8ae7d7e4b47",
 "link": "https://learn.microsoft.com/azure/firewall/rule-processing",
 "services": [
- "Firewall",
- "AzurePolicy"
+ "AzurePolicy",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "Firewall Manager",
@@ -20959,8 +21219,8 @@
 "guid": "5b6c8bcb-f59b-4ce6-9de8-a03f97879468",
 "link": "https://learn.microsoft.com/azure/firewall/rule-processing",
 "services": [
- "Firewall",
- "AzurePolicy"
+ "AzurePolicy",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "Firewall Manager",
@@ -20972,8 +21232,8 @@
 "guid": "d66a786d-60e9-46c9-9ad8-855d04c2b39c",
 "link": "https://learn.microsoft.com/azure/firewall/rule-processing",
 "services": [
- "Firewall",
- "AzurePolicy"
+ "AzurePolicy",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "Firewall Manager",
@@ -20985,8 +21245,8 @@
 "guid": "986bb2c1-2149-4a11-9b5e-3df574ecccd9",
 "link": "https://learn.microsoft.com/azure/firewall/features",
 "services": [
- "Firewall",
- "AzurePolicy"
+ "AzurePolicy",
+ "Firewall"
 ],
 "severity": "High",
 "subcategory": "Firewall Manager",
@@ -21071,8 +21331,8 @@
 "guid": "dbcbd8ac-2aae-4bca-8a43-da1dae2cc992",
 "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices",
 "services": [
- "Firewall",
- "DDoS"
+ "DDoS",
+ "Firewall"
 ],
 "severity": "Medium",
 "subcategory": "DDOS Protection",
@@ -21081,7 +21341,7 @@
 ],
 "metadata": {
 "name": "Master checklist",
- "timestamp": "November 07, 2023"
+ "timestamp": "November 09, 2023"
 },
 "severities": [
 {
diff --git a/spreadsheet/macrofree/avd_checklist.en.xlsx b/spreadsheet/macrofree/avd_checklist.en.xlsx
index 708eb0dd6..9566b5a90 100644
Binary files a/spreadsheet/macrofree/avd_checklist.en.xlsx and b/spreadsheet/macrofree/avd_checklist.en.xlsx differ
diff --git a/spreadsheet/macrofree/avd_checklist.es.xlsx b/spreadsheet/macrofree/avd_checklist.es.xlsx
index 071b9529a..b30e0d231 100644
Binary files a/spreadsheet/macrofree/avd_checklist.es.xlsx and b/spreadsheet/macrofree/avd_checklist.es.xlsx differ
diff --git a/spreadsheet/macrofree/avd_checklist.ja.xlsx b/spreadsheet/macrofree/avd_checklist.ja.xlsx
index 008ab0d8b..ad4cd02b5 100644
Binary files a/spreadsheet/macrofree/avd_checklist.ja.xlsx and b/spreadsheet/macrofree/avd_checklist.ja.xlsx differ
diff --git a/spreadsheet/macrofree/avd_checklist.ko.xlsx b/spreadsheet/macrofree/avd_checklist.ko.xlsx
index 71c3281ee..71f276563 100644
Binary files a/spreadsheet/macrofree/avd_checklist.ko.xlsx and b/spreadsheet/macrofree/avd_checklist.ko.xlsx differ
diff --git a/spreadsheet/macrofree/avd_checklist.pt.xlsx b/spreadsheet/macrofree/avd_checklist.pt.xlsx
index cafa611db..4bfe141d0 100644
Binary files a/spreadsheet/macrofree/avd_checklist.pt.xlsx and b/spreadsheet/macrofree/avd_checklist.pt.xlsx differ
diff --git a/spreadsheet/macrofree/checklist.en.master.xlsx b/spreadsheet/macrofree/checklist.en.master.xlsx
index affaed8ef..9f5e35690 100644
Binary files a/spreadsheet/macrofree/checklist.en.master.xlsx and b/spreadsheet/macrofree/checklist.en.master.xlsx differ
diff --git a/workbooks/alz_checklist.en_network_counters.json b/workbooks/alz_checklist.en_network_counters.json
index 11911e76f..4102214c9 100644
--- a/workbooks/alz_checklist.en_network_counters.json
+++ b/workbooks/alz_checklist.en_network_counters.json
@@ -778,7 +778,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query17Stats:$.Success}"
+ "resultVal": "{Query9Stats:$.Success}+{Query10Stats:$.Success}"
 }
 }
 ]
@@ -797,7 +797,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query17Stats:$.Total}"
+ "resultVal": "{Query9Stats:$.Total}+{Query10Stats:$.Total}"
 }
 }
 ]
@@ -892,7 +892,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}"
+ "resultVal": "{Query17Stats:$.Success}"
 }
 }
 ]
@@ -911,7 +911,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}"
+ "resultVal": "{Query17Stats:$.Total}"
 }
 }
 ]
@@ -949,7 +949,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}"
 }
 }
 ]
@@ -968,7 +968,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}"
 }
 }
 ]
@@ -1006,7 +1006,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query9Stats:$.Success}+{Query10Stats:$.Success}"
+ "resultVal": "{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}"
 }
 }
 ]
@@ -1025,7 +1025,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query9Stats:$.Total}+{Query10Stats:$.Total}"
+ "resultVal": "{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}"
 }
 }
 ]
@@ -1063,7 +1063,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}"
+ "resultVal": "{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}"
 }
 }
 ]
@@ -1082,7 +1082,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}"
+ "resultVal": "{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}"
 }
 }
 ]
@@ -1120,7 +1120,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query22Stats:$.Total}+{Query17Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}"
+ "resultVal": "{Query22Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query17Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}"
 }
 }
 ]
@@ -1139,7 +1139,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query22Stats:$.Success}+{Query17Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}"
+ "resultVal": "{Query22Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query17Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}"
 }
 }
 ]
@@ -1213,7 +1213,7 @@
 "style": "tabs",
 "links": [
 {
- "id": "c4855ecf-5880-4f84-bcfa-f13640ed8b67",
+ "id": "07e83af3-57c9-40e0-be1c-1cc73dfe8820",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
 "linkLabel": "Virtual WAN ({Tab0Success:value}/{Tab0Total:value})",
@@ -1222,16 +1222,16 @@
 "style": "primary"
 },
 {
- "id": "56f134fd-be1e-4af8-b478-8a167b7c3645",
+ "id": "b6f41a58-ac9d-4e51-98c5-ea060e0e09ce",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "PaaS ({Tab1Success:value}/{Tab1Total:value})",
+ "linkLabel": "IP plan ({Tab1Success:value}/{Tab1Total:value})",
 "subTarget": "tab1",
- "preText": "PaaS",
+ "preText": "IP plan",
 "style": "primary"
 },
 {
- "id": "0745a7e2-5a73-438a-bfb4-9f72ef5d7009",
+ "id": "bcf151b8-7eba-42db-b445-a91e287845c6",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
 "linkLabel": "Hybrid ({Tab2Success:value}/{Tab2Total:value})",
@@ -1240,39 +1240,39 @@
 "style": "primary"
 },
 {
- "id": "06fa9f55-c84c-4db7-b7d8-837edd4cf003",
+ "id": "286405de-f504-47d0-9a2b-7b1771b5931f",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Internet ({Tab3Success:value}/{Tab3Total:value})",
+ "linkLabel": "PaaS ({Tab3Success:value}/{Tab3Total:value})",
 "subTarget": "tab3",
- "preText": "Internet",
+ "preText": "PaaS",
 "style": "primary"
 },
 {
- "id": "1df955e7-c6d2-4011-9da3-71fbfb4e94eb",
+ "id": "10ec320e-1bdf-40ac-a43b-ffbf9b7a53cb",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Segmentation ({Tab4Success:value}/{Tab4Total:value})",
+ "linkLabel": "Hub and spoke ({Tab4Success:value}/{Tab4Total:value})",
 "subTarget": "tab4",
- "preText": "Segmentation",
+ "preText": "Hub and spoke",
 "style": "primary"
 },
 {
- "id": "eba8ba0d-66a7-4975-b5cf-714738fd2b7f",
+ "id": "715c5a5f-3938-47c3-b862-ec58b694f66d",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "IP plan ({Tab5Success:value}/{Tab5Total:value})",
+ "linkLabel": "Internet ({Tab5Success:value}/{Tab5Total:value})",
 "subTarget": "tab5",
- "preText": "IP plan",
+ "preText": "Internet",
 "style": "primary"
 },
 {
- "id": "524997a9-65c8-4681-bb86-7d6b1686069e",
+ "id": "9b3b5315-4c94-49df-8e65-9bfde53efd4d",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hub and spoke ({Tab6Success:value}/{Tab6Total:value})",
+ "linkLabel": "Segmentation ({Tab6Success:value}/{Tab6Total:value})",
 "subTarget": "tab6",
- "preText": "Hub and spoke",
+ "preText": "Segmentation",
 "style": "primary"
 }
 ]
@@ -1372,22 +1372,22 @@
 {
 "type": 1,
 "content": {
- "json": "## PaaS"
+ "json": "## IP plan"
 },
 "name": "tab1title"
 },
 {
 "type": 1,
 "content": {
- "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this."
+ "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
 },
- "name": "querytext17"
+ "name": "querytext9"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
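Review bot: The new query9 KQL runs `mvexpand addressSpace` on `todynamic(properties.addressSpace)` even though the expanded `addressSpace` column is never used afterwards; `addressSpace` is a property bag, so this stage is a no-op when it holds only `addressPrefixes` but would multiply rows (and double-count a VNet in the Tab1 Success/Total counters) if the bag ever carries more keys. The two `addressSpace` stages can be dropped so that only `extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressPrefix` remains, giving exactly one row per prefix. `cidr` is a dynamic value produced by `mvexpand`, so `compliant = (tostring(cidr) matches regex @'...')` makes the string comparison explicit instead of relying on implicit conversion; the RFC 1918 pattern itself covers the three private ranges correctly. The query9 item continues past this hunk (its gridSettings are outside it).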
@@ -1436,7 +1436,69 @@
 ]
 }
 },
- "name": "query17"
+ "name": "query9"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ },
+ "name": "querytext10"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "size": 4,
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "id",
+ "formatter": 0,
+ "numberFormat": {
+ "unit": 0,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ },
+ {
+ "columnMatch": "compliant",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "icons",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "1",
+ "representation": "success",
+ "text": "Success"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "0",
+ "representation": "failed",
+ "text": "Failed"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "unknown",
+ "text": "Unknown"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "name": "query10"
 }
 ]
 },
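Review bot: In the new query10 KQL, `addressMask = split(addressPrefix,'/')[1]` yields a dynamic string and `compliant = addressMask > 16` compares it with a number; unless Resource Graph coerces the value, every VNet would evaluate to Unknown or Failed in the grid and in the Tab1 counters. Making the conversion explicit avoids depending on that: `extend addressMask = toint(split(addressPrefix,'/')[1]) | extend compliant = addressMask > 16`. The same `split(...)[1]` compared numerically appears in the removed query11 in the next hunk, so existing queries seem to rely on the implicit behaviour; verifying once against Resource Graph would settle it for both. The `> 16` threshold marks a /16 itself as non-compliant, which matches the "for example /16" wording in querytext10, but the prose could state that a /16 or larger fails so readers do not parse it as "larger than /16". As in query9, the `mvexpand addressSpace` stage is unused here and can be dropped.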
@@ -1788,22 +1850,22 @@ { "type": 1, "content": { - "json": "## Internet" + "json": "## PaaS" }, "name": "tab3title" }, { "type": 1, "content": { - "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." + "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." }, - "name": "querytext11" + "name": "querytext17" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
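Review bot: The querytext17 check fails every subnet that has any service endpoint, which is stricter than its own text ("Don't enable ... by default on all subnets"), so a subnet with one deliberately scoped endpoint is reported exactly like a blanket enablement. If the strict reading is intended, the text should say so, e.g. append `Every subnet with a service endpoint is listed as failed; confirm each one is intentional.`; otherwise the check needs a per-VNet aggregation rather than a per-subnet flag. Minor: `type =~` here is case-insensitive while the sibling queries use `==`, and the text carries a doubled period in `further information..`.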
@@ -1852,82 +1914,42 @@ ] } }, - "name": "query11" - }, + "name": "query17" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab3" + }, + "name": "tab3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ { "type": 1, "content": { - "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." - }, - "name": "querytext12" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } + "json": "## Hub and spoke" }, - "name": "query12" + "name": "tab4title" }, { "type": 1, "content": { - "json": "Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." + "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." }, - "name": "querytext13" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1976,20 +1998,20 @@
 ]
 }
 },
- "name": "query13"
+ "name": "query0"
 },
 {
 "type": 1,
 "content": {
- "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
+ "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
 },
- "name": "querytext14"
+ "name": "querytext1"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
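Review bot: The querytext1 text states the peering limit as 500 but the query fails a VNet at `peeringcount < 450`, and a reader has no way to reconcile the two; the same gap exists at L561 (text says 400 routes, query uses `routeCount < 360`). If 90 % is an intended early-warning threshold, say so in the text, e.g. append `This check reports failure from 450 peerings (90% of the limit).` and the equivalent for route tables. Also worth confirming: after `mvexpand properties.virtualNetworkPeerings` a VNet with no peerings may produce no row at all, so it would be absent from the result rather than listed as compliant.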
@@ -2038,20 +2060,20 @@
 ]
 }
 },
- "name": "query14"
+ "name": "query1"
 },
 {
 "type": 1,
 "content": {
- "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information."
+ "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
 },
- "name": "querytext15"
+ "name": "querytext2"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -2100,20 +2122,20 @@ ] } }, - "name": "query15" + "name": "query2" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." }, - "name": "querytext16" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | 
project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2162,16 +2184,16 @@ ] } }, - "name": "query16" + "name": "query3" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab3" + "value": "tab4" }, - "name": "tab3" + "name": "tab4" }, { "type": 12, 
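Review bot: The querytext3 query compares with a capitalised literal, `allowVirtualNetworkAccess == True`, while the other boolean check in this change (the DNS-proxy query at L565) uses lowercase `== true`; KQL's documented boolean literals are lowercase, so this should be normalised to `== true` unless the capitalised form has been verified to parse in Resource Graph. A peering that fails to parse here would not show up as failed at all, which defeats the purpose of the check.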
@@ -2182,22 +2204,22 @@ { "type": 1, "content": { - "json": "## Segmentation" + "json": "## Internet" }, - "name": "tab4title" + "name": "tab5title" }, { "type": 1, "content": { - "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." + "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." }, - "name": "querytext18" + "name": "querytext11" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2246,20 +2268,20 @@ ] } }, - "name": "query18" + "name": "query11" }, { "type": 1, "content": { - "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." + "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." }, - "name": "querytext19" + "name": "querytext12" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
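Review bot: `compliant = (properties.dnsSettings.enableProxy == true)` in the querytext12 query evaluates to null rather than false when a firewall policy has no `dnsSettings` block, and `where compliant == 0` then drops that policy from the "Only show failed" view instead of reporting it; in the full view it presumably lands in the grid's Unknown state, going by the formatter pattern visible in the query10 block at L556. Policies that never had DNS proxy configured are exactly the ones this check exists to catch, so coerce the missing value: `extend compliant = coalesce(tobool(properties.dnsSettings.enableProxy), false)`. The string comparisons at L566–567 (`properties.sku.tier == 'Premium'`, `properties.threatIntelMode == 'Deny'`) and L569 (`properties.intrusionDetection.mode == 'Deny'`) have the same gap when the property is absent and can be wrapped as `tostring(...) == 'Premium'` and so on.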
@@ -2308,20 +2330,20 @@ ] } }, - "name": "query19" + "name": "query12" }, { "type": 1, "content": { - "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." + "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext20" + "name": "querytext13" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, 
"queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2370,20 +2392,20 @@ ] } }, - "name": "query20" + "name": "query13" }, { "type": 1, "content": { - "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." + "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext21" + "name": "querytext14" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2432,42 +2454,20 @@ ] } }, - "name": "query21" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab4" - }, - "name": "tab4" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## IP plan" - }, - "name": "tab5title" + "name": "query14" }, { "type": 1, "content": { - "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." 
}, - "name": "querytext9" + "name": "querytext15" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2516,20 +2516,20 @@ ] } }, - "name": "query9" + "name": "query15" }, { "type": 1, "content": { - "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." }, - "name": "querytext10" + "name": "querytext16" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | 
mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2578,7 +2578,7 @@ ] } }, - "name": "query10" + "name": "query16" } ] }, 
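Review bot: The route-table query in querytext16 uses `join kind=fullouter`, so the subnets filtered out on the left side (`GatewaySubnet`, `AzureFirewallSubnet`, `RouteServerSubnet`, `AzureBastionSubnet`) appear to re-enter from the right side with a null `hasRT`, and `compliant = (hasRT==true or isVWANpeer==true)` is then null for them rather than a verdict; they would show as Unknown in the full view and vanish from the failed-only view. A `join kind=leftouter` keeps the exclusion list effective while still giving every remaining subnet a result. The Virtual WAN detection also hinges on the auto-generated peering name prefix `remotevnettohubpeering`, so a VWAN-connected VNet whose peering was renamed would be reported as missing a route table; that assumption deserves a sentence in the text.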
@@ -2598,22 +2598,22 @@ { "type": 1, "content": { - "json": "## Hub and spoke" + "json": "## Segmentation" }, "name": "tab6title" }, { "type": 1, "content": { - "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." + "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." }, - "name": "querytext0" + "name": "querytext18" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2662,20 +2662,20 @@ ] } }, - "name": "query0" + "name": "query18" }, { "type": 1, "content": { - "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." }, - "name": "querytext1" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2724,20 +2724,20 @@ ] } }, - "name": "query1" + "name": "query19" }, { "type": 1, "content": { - "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." }, - "name": "querytext2" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend 
compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2786,20 +2786,20 @@ ] } }, - "name": "query2" + "name": "query20" }, { "type": 1, "content": { - "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." + "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." }, - "name": "querytext3" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
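Review bot: The querytext20 query keeps only the `Inbound` group after `summarize ... by id,tostring(ruleDirection)`, so an NSG whose custom rules are all Outbound produces no Inbound row and is silently absent, while the `union` branch only recovers NSGs with zero rules; such an NSG is running purely on the default VirtualNetwork-tag inbound rules, which is the condition the check is meant to catch. Folding the direction into the countif and dropping the `where ruleDirection == 'Inbound'` step gives every NSG with rules a verdict: `summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*' and ruleDirection=='Inbound') by id`. Note also that the check reads only the singular `destinationPortRange`; a deny-all rule written with `destinationPortRanges` would not be recognised.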
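Review bot: The querytext21 text asks for application security groups at the subnet-level NSGs, but the query only verifies that each non-infrastructure subnet has an NSG attached (`compliant = isnotnull(subnetNsg)`); ASG usage is not examined anywhere, so a passing result does not mean what the text says. Either state the actual scope in the text, e.g. append `This check only verifies that an NSG is attached to each subnet; ASG usage must be reviewed manually.`, or extend the query to inspect the rules' `sourceApplicationSecurityGroups`/`destinationApplicationSecurityGroups`. Minor: this is the only query starting with `Resources` rather than `resources`.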
@@ -2848,7 +2848,7 @@
 ]
 }
 },
- "name": "query3"
+ "name": "query21"
 }
 ]
 },
diff --git a/workbooks/alz_checklist.en_network_counters_template.json b/workbooks/alz_checklist.en_network_counters_template.json
index 6625db7ca..4a5f50c5a 100644
--- a/workbooks/alz_checklist.en_network_counters_template.json
+++ b/workbooks/alz_checklist.en_network_counters_template.json
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, 
subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, 
compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | 
where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = 
split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n 
\"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}+{Query10Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}+{Query10Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}+{Query17Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}+{Query17Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"c4855ecf-5880-4f84-bcfa-f13640ed8b67\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"56f134fd-be1e-4af8-b478-8a167b7c3645\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"0745a7e2-5a73-438a-bfb4-9f72ef5d7009\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Hybrid\",\n \"style\": 
\"primary\"\n },\n {\n \"id\": \"06fa9f55-c84c-4db7-b7d8-837edd4cf003\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1df955e7-c6d2-4011-9da3-71fbfb4e94eb\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"eba8ba0d-66a7-4975-b5cf-714738fd2b7f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"524997a9-65c8-4681-bb86-7d6b1686069e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. 
Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": 
\"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. 
Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. 
Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": 
{\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n 
\"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n 
{\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n 
\"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
+ "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": 
\"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = 
countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, 
gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand 
addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n 
],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n 
\"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), 
subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success 
= countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}+{Query10Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}+{Query10Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n 
\"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query17Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query22Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query17Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"07e83af3-57c9-40e0-be1c-1cc73dfe8820\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b6f41a58-ac9d-4e51-98c5-ea060e0e09ce\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"bcf151b8-7eba-42db-b445-a91e287845c6\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Hybrid\",\n 
\"style\": \"primary\"\n },\n {\n \"id\": \"286405de-f504-47d0-9a2b-7b1771b5931f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"10ec320e-1bdf-40ac-a43b-ffbf9b7a53cb\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"715c5a5f-3938-47c3-b862-ec58b694f66d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"9b3b5315-4c94-49df-8e65-9bfde53efd4d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create 
unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": 
\"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. 
Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": 
\"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or 
larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. 
Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": 
{\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n 
\"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" diff --git a/workbooks/alz_checklist.en_network_tabcounters.json b/workbooks/alz_checklist.en_network_tabcounters.json index 613e6b0e3..f1d3ba1a5 100644 --- a/workbooks/alz_checklist.en_network_tabcounters.json +++ b/workbooks/alz_checklist.en_network_tabcounters.json 
@@ -70,43 +70,43 @@
 "style": "tabs",
 "links": [
 {
- "id": "83066dd7-fe41-4c3d-b323-739e33e472af",
+ "id": "34d85edb-5614-41cc-921e-6d8799f040ed",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Internet",
+ "linkLabel": "IP plan",
 "subTarget": "tab0",
- "preText": "Internet",
+ "preText": "IP plan",
 "style": "primary"
 },
 {
- "id": "3112a5e9-e4cf-461b-abe3-562ac9198c68",
+ "id": "5b00ddc3-d5b6-4b3b-9940-58f4b0e1e31b",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "IP plan",
+ "linkLabel": "Hybrid",
 "subTarget": "tab1",
- "preText": "IP plan",
+ "preText": "Hybrid",
 "style": "primary"
 },
 {
- "id": "57e23d04-2910-4843-9512-6209bb792a78",
+ "id": "10700cc4-a0e1-4175-b40b-a1ba29983df6",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "PaaS",
+ "linkLabel": "Internet",
 "subTarget": "tab2",
- "preText": "PaaS",
+ "preText": "Internet",
 "style": "primary"
 },
 {
- "id": "f693fc02-37d1-4708-8bb1-72c0dfcf258d",
+ "id": "7f31508c-63e9-4612-bb80-21daf3d5c7b7",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hybrid",
+ "linkLabel": "Virtual WAN",
 "subTarget": "tab3",
- "preText": "Hybrid",
+ "preText": "Virtual WAN",
 "style": "primary"
 },
 {
- "id": "1e7d7f42-accd-42ca-8bdf-e2cdac8cd38c",
+ "id": "37e10656-8c70-4bef-81e1-63be8f4503d9",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
 "linkLabel": "Segmentation",
@@ -115,21 +115,21 @@
 "style": "primary"
 },
 {
- "id": "3370d02c-0ef0-40d2-8cbb-4865f4da5f88",
+ "id": "6b9db623-fee7-4997-aa68-e3871ed06131",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Virtual WAN",
+ "linkLabel": "Hub and spoke",
 "subTarget": "tab5",
- "preText": "Virtual WAN",
+ "preText": "Hub and spoke",
 "style": "primary"
 },
 {
- "id": "67215900-d1a6-465d-b072-c0f1fd2a4236",
+ "id": "85482b61-4c03-4527-aef7-823e11ca2196",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hub and spoke",
+ "linkLabel": "PaaS",
 "subTarget": "tab6",
- "preText": "Hub and spoke",
+ "preText": "PaaS",
 "style": "primary"
 }
 ]
@@ -153,121 +153,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query11Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query11FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query11Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query12Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - 
"crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query12FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query13Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query13FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query14Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct 
id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query14FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query15Stats", + "name": "Query9Stats", "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr| summarize Total = count(), Success = 
countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], @@ -281,9 +169,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query15FullyCompliant", + "name": "Query9FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query9Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
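Review bot: The Query9Stats regex added in this hunk only recognises IPv4 RFC 1918 prefixes (`10.`, `172.16-31.`, `192.168.`), so any IPv6 address space on a virtual network, including fc00::/7 unique-local ranges, is counted as non-compliant rather than skipped or evaluated on its own terms; if IPv6 is in scope, either filter with `| where cidr !contains ':'` before the match or document the IPv4-only intent next to the query. `mvexpand addressSpace` looks redundant, since `addressPrefix` is taken straight from `properties.addressSpace.addressPrefixes` and is itself expanded on the next pipe — presumably harmless, but it reads as a leftover. The projected column is still named `Query1Stats` while the parameter is `Query9Stats`; the `{Query9Stats:$.FullyCompliant}` reference in the next hunk goes by parameter name so this appears to work, but `project Query9Stats=tostring(pack_all())` would keep the naming honest. Every KqlParameterItem in this hunk keeps the same `"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb"`, whereas the tab links in the earlier hunk of this file get distinct ids — worth confirming the workbook tooling tolerates duplicate parameter ids. The enclosing parameters array starts and ends outside this hunk.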
@@ -293,9 +181,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query16Stats",
+ "name": "Query10Stats",
 "type": 1,
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, 
subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -309,9 +197,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query16FullyCompliant",
+ "name": "Query10FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query16Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query10Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
@@ -332,7 +220,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}"
+ "resultVal": "{Query9Stats:$.Success}+{Query10Stats:$.Success}"
 }
 }
 ]
@@ -351,7 +239,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}"
+ "resultVal": "{Query9Stats:$.Total}+{Query10Stats:$.Total}"
 }
 }
 ]
@@ -385,7 +273,7 @@
 {
 "type": 1,
 "content": {
- "json": "## Internet"
+ "json": "## IP plan"
 },
 "customWidth": "50",
 "name": "tab0title"
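Review bot: In the new Query10Stats query, `addressMask` is taken from `split(addressPrefix,'/')[1]`, which yields a dynamic string element, so `extend compliant = addressMask > 16` compares a string with an integer and may not evaluate numerically in Resource Graph; `extend compliant = toint(split(addressPrefix,'/')[1]) > 16` makes the intent explicit. The same expression is repeated in the query10 grid item in hunk -483. The output column is still labelled `Query1Stats` although the parameter is Query10Stats; since the consumer reads it through `{Query10Stats:$.FullyCompliant}` this is presumably harmless, but it reads as a copy-paste leftover.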
@@ -426,15 +314,15 @@
 {
 "type": 1,
 "content": {
- "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
+ "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
 },
- "name": "querytext11"
+ "name": "querytext9"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
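Review bot: The RFC 1918 regex in the new query9 item only recognises IPv4 prefixes, so any IPv6 address space on a dual-stack virtual network (for example a ULA prefix) will be listed as Failed even though the check is about private IPv4 allocation; filtering with `| where cidr !contains ':'` before the `extend compliant` step, or handling IPv6 explicitly, would avoid these false failures. The accompanying text ends with a doubled period in `for further information..`; `for further information.` reads cleanly. Both observations presumably apply to the Query9Stats parameter as well, whose hunk starts before this chunk.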
@@ -483,20 +371,20 @@
 ]
 }
 },
- "name": "query11"
+ "name": "query9"
 },
 {
 "type": 1,
 "content": {
- "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information."
+ "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
 },
- "name": "querytext12"
+ "name": "querytext10"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -545,285 +433,93 @@ ] } }, - "name": "query12" - }, - { - "type": 1, - "content": { - "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." - }, - "name": "querytext13" - }, + "name": "query10" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ { - "type": 3, + "type": 9, "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", + "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } + "parameters": [ + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query4Stats", + "type": 1, + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 
'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query13" - }, - { - "type": 1, - "content": { - "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." - }, - "name": "querytext14" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query4FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query4Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + 
"durationMs": 86400000 }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query14" - }, - { - "type": 1, - "content": { - "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." - }, - "name": "querytext15" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query5Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') 
| project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query15" - }, - { - "type": 1, - "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." - }, - "name": "querytext16" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project 
id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query5FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query5Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query16" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab0" - }, - "name": "tab0" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Subscription}" - ], - "parameters": [ 
+ "queryType": 8
+ },
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query9Stats",
+ "name": "Query6Stats",
 "type": 1,
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
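Review bot: Query6Stats joins connections to circuits with a bare `join (...) on circuitid`, which in KQL defaults to `innerunique` and keeps only one left-side row per circuit id; when several ExpressRoute connections (and therefore several gateways) share one circuit, all but one gateway drop out of Total/Success, so `join kind=inner (...) on circuitid` is the safer form. Query4Stats mixes `properties.gatewayType =~ 'vpn'` with `properties.gatewayType == 'ExpressRoute'` — one case-insensitive and one case-sensitive comparison in the same `where`; using `=~` for both would be consistent. Every parameter item added in this hunk also reuses the same `"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb"`; if the Workbooks runtime keys parameters by this id it should be unique per item, which is worth confirming.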
@@ -837,9 +533,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query9FullyCompliant",
+ "name": "Query6FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query9Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query6Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
@@ -849,9 +545,9 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query10Stats",
+ "name": "Query7Stats",
 "type": 1,
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
 "crossComponentResources": [
 "{Subscription}"
 ],
@@ -865,9 +561,37 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Query10FullyCompliant",
+ "name": "Query7FullyCompliant",
 "type": 1,
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query10Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query7Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 8
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query8Stats",
+ "type": 1,
+ "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())",
+ "crossComponentResources": [
+ "{Subscription}"
+ ],
+ "isHiddenWhenLocked": true,
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "queryType": 1,
+ "resourceType": "microsoft.resourcegraph/resources"
+ },
+ {
+ "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
+ "version": "KqlParameterItem/1.0",
+ "name": "Query8FullyCompliant",
+ "type": 1,
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query8Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}",
 "isHiddenWhenLocked": true,
 "timeContext": {
 "durationMs": 86400000
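Review bot: The new Query8Stats re-checks the zone-redundant SKU for VPN gateways that Query7Stats (hunk -849) already evaluates for both VPN and ExpressRoute gateways, so the tab Success/Total expressions in hunk -888 count every VPN gateway twice and a non-AZ VPN gateway as two failures; narrowing Query7Stats to `properties.gatewayType == 'ExpressRoute'` or dropping the VPN subset from one of the two would keep the percentages honest. Query8Stats also filters with `properties.gatewayType == 'Vpn'` where Query4Stats and Query7Stats use `=~ 'vpn'`; the case-sensitive form could silently exclude gateways if the property's casing ever differs, so `=~` would be consistent. `tolower(properties.sku.name) contains 'az'` is redundant because `contains` is already case-insensitive in KQL; `properties.sku.name contains 'az'` is equivalent.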
@@ -888,7 +612,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query9Stats:$.Success}+{Query10Stats:$.Success}"
+ "resultVal": "{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}"
 }
 }
 ]
@@ -907,7 +631,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query9Stats:$.Total}+{Query10Stats:$.Total}"
+ "resultVal": "{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}"
 }
 }
 ]
@@ -941,7 +665,7 @@
 {
 "type": 1,
 "content": {
- "json": "## IP plan"
+ "json": "## Hybrid"
 },
 "customWidth": "50",
 "name": "tab1title"
@@ -982,15 +706,15 @@
 {
 "type": 1,
 "content": {
- "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
 },
- "name": "querytext9"
+ "name": "querytext4"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -1039,20 +763,20 @@
 ]
 }
 },
- "name": "query9"
+ "name": "query4"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information."
 },
- "name": "querytext10"
+ "name": "querytext5"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
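Review bot: The querytext4 text promises a check that the gateway SKU matches bandwidth and performance requirements, but the query4 grid item only marks `SKUTier !in ('Basic', 'Standard')` as compliant, so the Failed icon reflects a fixed SKU denylist rather than sizing; wording such as `Avoid the Basic and Standard gateway SKUs; size the ExpressRoute/VPN gateway SKU by bandwidth and performance requirements.` would describe what the grid actually shows. The text also carries a doubled period in `for further information..`. The query4 content object, including its gridSettings, continues outside this hunk.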
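Review bot: The query5 item marks every circuit that is neither metered nor Local as Failed (`compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local')`), while the querytext5 text says unlimited-data circuits are acceptable when utilisation justifies them; Resource Graph cannot see bandwidth consumption, so a fully justified unlimited-data circuit still shows as Failed. Adding a sentence such as `Unlimited-data circuits are listed as Failed here so that they can be reviewed against actual bandwidth usage.` to the text keeps readers from treating the icon as a defect. The query5 gridSettings follow outside this hunk.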
@@ -1101,176 +825,144 @@ ] } }, - "name": "query10" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab1" - }, - "name": "tab1" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ + "name": "query5" + }, { - "type": 9, + "type": 1, "content": { - "version": "KqlParameterItem/1.0", + "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information." + }, + "name": "querytext6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], - "parameters": [ - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query17Stats", - "type": 1, - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or 
array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query17FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query17Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab2Success", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query17Stats:$.Success}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab2Total", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query17Stats:$.Total}" + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" } } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab2Percent", - "type": 1, - "isHiddenWhenLocked": true, - 
"timeContext": { - "durationMs": 86400000 }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "round(100*{Tab2Success}/{Tab2Total})" - } + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } - ] - } - ], - "style": "pills", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" + } + ] + } }, - "name": "TabInvisibleParameters" + "name": "query6" }, { "type": 1, "content": { - "json": "## PaaS" - }, - "customWidth": "50", - "name": "tab2title" + "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
+ }, + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab2Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", - "size": 3, - "queryType": 8, - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 4, - "formatOptions": { - "min": 0, - "max": 100, - "palette": "redGreen" + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } } - }, - "subtitleContent": { - "columnMatch": "Column2" - }, - "showBorder": true + ] } }, - "customWidth": "50", - "name": "TabPercentTile" + "name": "query7" }, { "type": 1, "content": { - "json": "Don't enable 
virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + "json": "Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." }, - "name": "querytext17" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1319,16 +1011,16 @@ ] } }, - "name": "query17" + "name": "query8" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab2" + "value": "tab1" }, - "name": "tab2" + "name": "tab1" }, { "type": 12, @@ -1347,9 +1039,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query4Stats", + "name": "Query11Stats", "type": 1, - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
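Review bot: In the new Query11Stats query, `subnetPrefixLength = split(subnetPrefix, '/')[1]` is a dynamic string element and `compliant = (subnetPrefixLength <= 26)` compares it with an integer without a conversion, so the check relies on implicit dynamic-to-number comparison; `extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])` makes the numeric intent explicit. Subnets that carry their range in `addressPrefixes` (plural) rather than `addressPrefix`, if any exist in the scoped subscriptions, would leave subnetPrefix empty and compliant null, which the summarize counts in Total but in neither Success nor Failed. The same expression is repeated verbatim in the query11 grid item in the `@@ -1536,71` hunk, so both copies need the change. The parameters array this item belongs to starts and ends outside the hunk.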
@@ -1363,9 +1055,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query4FullyCompliant", + "name": "Query11FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query4Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query11Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -1375,9 +1067,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query5Stats", + "name": "Query12Stats", "type": 1, - "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
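Review bot: `compliant = (properties.dnsSettings.enableProxy == true)` in the new Query12Stats query yields null rather than false when a policy has no dnsSettings block (a KQL comparison against a missing dynamic field is null), so such a policy is dropped from `Failed` and rendered as 'Unknown' while still counted in `Total`, yet a policy without DNS proxy is exactly the non-compliant case this check exists to surface. `extend compliant = coalesce(tobool(properties.dnsSettings.enableProxy), false)` counts it as failed. Query13Stats, Query14Stats and Query15Stats in the `@@ -1403,9`, `@@ -1431,9` and `@@ -1459,9` hunks have the same shape — for the string comparisons `tostring(properties.threatIntelMode) == 'Deny'` and `tostring(properties.intrusionDetection.mode) == 'Deny'` give a definite false, and the IDPS case matters most because, as far as I know, `intrusionDetection` is only populated on Premium-tier policies — as do the matching grid queries query12–query15 in the later hunks. Query15Stats also uses `project id, compliant` where its siblings use `distinct id,compliant`; aligning them keeps the stats queries uniform.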
@@ -1391,9 +1083,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query5FullyCompliant", + "name": "Query12FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query5Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -1403,9 +1095,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query6Stats", + "name": "Query13Stats", "type": 1, - "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -1419,9 +1111,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query6FullyCompliant", + "name": "Query13FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query6Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -1431,9 +1123,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query7Stats", + "name": "Query14Stats", "type": 1, - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -1447,9 +1139,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query7FullyCompliant", + "name": "Query14FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query7Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -1459,9 +1151,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query8Stats", + "name": "Query15Stats", "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -1475,9 +1167,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query8FullyCompliant", + "name": "Query15FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query8Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
@@ -1487,7 +1179,35 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Success", + "name": "Query16Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query16FullyCompliant", + "type": 1, + "query": 
"{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query16Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab2Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1498,7 +1218,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}" + "resultVal": "{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}" } } ] @@ -1506,7 +1226,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Total", + "name": "Tab2Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1517,7 +1237,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}" + "resultVal": "{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}" } } ] @@ -1525,7 +1245,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Percent", + "name": "Tab2Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { 
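Review bot: In the new Query16Stats query the right side of the `join kind=fullouter` only yields VNets that have at least one peering, because `mvexpand properties.virtualNetworkPeerings` produces no rows for an empty array; subnets of unpeered VNets therefore arrive with `isVWANpeer` null, and `compliant = (hasRT==true or isVWANpeer==true)` becomes null instead of false whenever `hasRT` is false, so precisely the subnets with neither a route table nor a Virtual WAN hub show as 'Unknown' and are missing from `Failed` (assuming Kusto's three-valued `or`, which is how I read it). `extend compliant = (coalesce(hasRT, false) or coalesce(isVWANpeer, false))` pins both sides to a boolean. The Virtual WAN detection keys off the peering name starting with `RemoteVnetToHubPeering`, a naming convention of the service rather than a documented property, which is worth stating in the querytext16 markdown so a future change of that convention is read as a false 'Failed' rather than a real regression. The statement also mixes the legacy `mvexpand` with `mv-expand`; use `mv-expand` throughout. The same query is duplicated in the query16 grid item in the `@@ -1773,20` hunk.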
@@ -1536,71 +1256,195 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab3Success}/{Tab3Total})" + "resultVal": "round(100*{Tab2Success}/{Tab2Total})" + } + } + ] + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "TabInvisibleParameters" + }, + { + "type": 1, + "content": { + "json": "## Internet" + }, + "customWidth": "50", + "name": "tab2title" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab2Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "size": 3, + "queryType": 8, + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "subtitleContent": { + "columnMatch": "Column2" + }, + "showBorder": true + } + }, + "customWidth": "50", + "name": "TabPercentTile" + }, + { + "type": 1, + "content": { + "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." 
+ }, + "name": "querytext11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" } } - ] - } - ], - "style": "pills", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } }, - "name": "TabInvisibleParameters" + "name": "query11" }, { "type": 1, "content": { - "json": "## Hybrid" + "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." 
}, - "customWidth": "50", - "name": "tab3title" + "name": "querytext12" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab3Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", - "size": 3, - "queryType": 8, - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 4, - "formatOptions": { - "min": 0, - "max": 100, - "palette": "redGreen" + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } } - }, - "subtitleContent": { - "columnMatch": "Column2" - }, - "showBorder": true + ] } }, - "customWidth": "50", - "name": "TabPercentTile" + "name": "query12" }, { "type": 1, "content": { - "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext4" + "name": "querytext13" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
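Review bot: The Tab2Percent criteria expression `round(100*{Tab2Success}/{Tab2Total})` added here has no guard for `Tab2Total` being 0, which is what the tab reports for a subscription that contains none of the six queried resource types; the per-query stats parameters handle that case explicitly with `iff(Total==0, 100, ...)`, but the tile expression leaves the division by zero to the workbook expression evaluator. The tile should apply the same convention (an empty total shown as 100% or as 'N/A') rather than depend on that behaviour, which I could not confirm from the file. Tab3Percent in the `@@ -1832,23` hunk has the identical expression for a tab backed by a single query, where an empty result is more likely.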
@@ -1649,20 +1493,20 @@ ] } }, - "name": "query4" + "name": "query13" }, { "type": 1, "content": { - "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information." + "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext5" + "name": "querytext14" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1711,20 +1555,20 @@ ] } }, - "name": "query5" + "name": "query14" }, { "type": 1, "content": { - "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information." + "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." }, - "name": "querytext6" + "name": "querytext15" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1773,20 +1617,20 @@ ] } }, - "name": "query6" + "name": "query15" }, { "type": 1, "content": { - "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." }, - "name": "querytext7" + "name": "querytext16" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend 
isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1832,23 +1676,179 @@ ] } } - ] + ] + } + }, + "name": "query16" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab2" + }, + "name": "tab2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query22Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query22FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab3Success", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query22Stats:$.Success}" + } + } + ] + }, + { + "id": 
"daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab3Total", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query22Stats:$.Total}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab3Percent", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "round(100*{Tab3Success}/{Tab3Total})" + } + } + ] + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "TabInvisibleParameters" + }, + { + "type": 1, + "content": { + "json": "## Virtual WAN" + }, + "customWidth": "50", + "name": "tab3title" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab3Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "size": 3, + "queryType": 8, + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "subtitleContent": { + "columnMatch": "Column2" + }, + "showBorder": true } }, - "name": "query7" + "customWidth": "50", + "name": "TabPercentTile" }, { "type": 1, "content": { - "json": "Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." + "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." }, - "name": "querytext8" + "name": "querytext22" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1897,7 +1897,7 @@ ] } }, - "name": "query8" + "name": "query22" } ] }, 
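Review bot: Every KqlParameterItem added in the new tab3 group reuses `"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb"`, the same value carried by the parameter items in the other tabs; this follows the file's existing convention, and the portal appears to tolerate it, but as far as I can tell the schema intends `id` as a per-item identifier, so a distinct GUID per item would remove the ambiguity for tooling that diffs or patches workbook templates. The Query22Stats check itself, `compliant = isnotnull(properties.azureFirewall.id)`, is robust to a missing property (it yields false, not null), which is the pattern the firewall-policy checks elsewhere in this commit should follow.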
@@ -2313,248 +2313,30 @@ }, { "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query20" - }, - { - "type": 1, - "content": { - "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." - }, - "name": "querytext21" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query21" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": 
"isEqualTo", - "value": "tab4" - }, - "name": "tab4" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "crossComponentResources": [ - "{Subscription}" - ], - "parameters": [ - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query22Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query22FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab5Success", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query22Stats:$.Success}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab5Total", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - 
"durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query22Stats:$.Total}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab5Percent", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "round(100*{Tab5Success}/{Tab5Total})" - } - } - ] - } - ], - "style": "pills", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - "name": "TabInvisibleParameters" - }, - { - "type": 1, - "content": { - "json": "## Virtual WAN" - }, - "customWidth": "50", - "name": "tab5title" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab5Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", - "size": 3, - "queryType": 8, - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 4, - "formatOptions": { - "min": 0, - "max": 100, - "palette": "redGreen" - }, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } } - }, - "subtitleContent": { - "columnMatch": "Column2" - }, - "showBorder": true + ] } }, - "customWidth": "50", - "name": "TabPercentTile" + "name": "query20" }, { "type": 1, "content": { - "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
+ "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this."
 },
- "name": "querytext22"
+ "name": "querytext21"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 4,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -2603,16 +2385,16 @@
 ]
 }
 },
- "name": "query22"
+ "name": "query21"
 }
 ]
 },
 "conditionalVisibility": {
 "parameterName": "VisibleTab",
 "comparison": "isEqualTo",
- "value": "tab5"
+ "value": "tab4"
 },
- "name": "tab5"
+ "name": "tab4"
 },
 {
 "type": 12,
@@ -2743,7 +2525,7 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Tab6Success",
+ "name": "Tab5Success",
 "type": 1,
 "isHiddenWhenLocked": true,
 "timeContext": {
@@ -2762,7 +2544,7 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Tab6Total",
+ "name": "Tab5Total",
 "type": 1,
 "isHiddenWhenLocked": true,
 "timeContext": {
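Review bot: `querytext21` tells the reader to use application security groups in the subnet-level NSGs, but the paired `query21` only evaluates `compliant = isnotnull(subnetNsg)`, i.e. whether any NSG is associated, so a subnet whose NSG contains no ASG-based rules is still reported as Success; the text should state what is actually measured, e.g. append `This check only verifies that an NSG is associated with each subnet.` to the `json` value. The exclusion list also omits `AzureFirewallManagementSubnet`, which (like `AzureFirewallSubnet`) does not accept an NSG, so hubs running a forced-tunnelling firewall will show a permanent failure; consider `| where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet', 'AzureBastionSubnet'))`. Both lines are moved from the former tab5 block rather than newly written, and the enclosing `tab4` group begins before this hunk.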
@@ -2781,7 +2563,7 @@
 {
 "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb",
 "version": "KqlParameterItem/1.0",
- "name": "Tab6Percent",
+ "name": "Tab5Percent",
 "type": 1,
 "isHiddenWhenLocked": true,
 "timeContext": {
@@ -2792,7 +2574,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "round(100*{Tab6Success}/{Tab6Total})"
+ "resultVal": "round(100*{Tab5Success}/{Tab5Total})"
 }
 }
 ]
@@ -2810,13 +2592,13 @@
 "json": "## Hub and spoke"
 },
 "customWidth": "50",
- "name": "tab6title"
+ "name": "tab5title"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab6Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}",
+ "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab5Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}",
 "size": 3,
 "queryType": 8,
 "visualization": "tiles",
@@ -3095,6 +2877,224 @@ } ] }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab5" + }, + "name": "tab5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query17Stats", + "type": 1, + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query17FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query17Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab6Success", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + 
"durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query17Stats:$.Success}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab6Total", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query17Stats:$.Total}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab6Percent", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "round(100*{Tab6Success}/{Tab6Total})" + } + } + ] + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "TabInvisibleParameters" + }, + { + "type": 1, + "content": { + "json": "## PaaS" + }, + "customWidth": "50", + "name": "tab6title" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab6Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "size": 3, + "queryType": 8, + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "subtitleContent": { + "columnMatch": "Column2" + }, + "showBorder": true + } + }, + "customWidth": "50", + "name": "TabPercentTile" + }, + { + "type": 1, + "content": { + "json": "Don't enable virtual network service endpoints by default on all subnets. 
Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + }, + "name": "querytext17" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query17" + } + ] + }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", diff --git a/workbooks/alz_checklist.en_network_tabcounters_template.json b/workbooks/alz_checklist.en_network_tabcounters_template.json index e207c7d72..ff79fc7ed 100644 --- a/workbooks/alz_checklist.en_network_tabcounters_template.json 
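Review bot: `Tab6Percent` evaluates `round(100*{Tab6Success}/{Tab6Total})` with no guard for `Tab6Total` being 0, so when the selected subscriptions contain no virtual networks the PaaS tile divides by zero even though `Query17Stats` already computes a zero-safe `SuccessPercent` via `iff(Total==0, 100, ...)`; since this tab aggregates a single query the tile could read `{Query17Stats:$.SuccessPercent}` directly, and the same unguarded pattern appears in `Tab3Percent` and `Tab5Percent` elsewhere in this diff. All five parameters in `TabInvisibleParameters` carry the same `"id": "daf05c62-1d5b-4325-b241-d7ee468f23eb"`, which presumably should be a distinct value per item. The stats query also projects its column as `Query1Stats` while the parameter is named `Query17Stats`, which looks harmless if only the value is read but is misleading for anyone debugging the workbook. The `## PaaS` heading now lives in the group gated on `tab6`, whereas the `Tabs` link list of the template file (only its old side is visible below) maps PaaS to `tab2`; the new side of that hunk is outside this view, so please verify the `subTarget` values were regenerated to match.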
+++ b/workbooks/alz_checklist.en_network_tabcounters_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"83066dd7-fe41-4c3d-b323-739e33e472af\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"3112a5e9-e4cf-461b-abe3-562ac9198c68\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab1\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"57e23d04-2910-4843-9512-6209bb792a78\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab2\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f693fc02-37d1-4708-8bb1-72c0dfcf258d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1e7d7f42-accd-42ca-8bdf-e2cdac8cd38c\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"3370d02c-0ef0-40d2-8cbb-4865f4da5f88\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n 
\"subTarget\": \"tab5\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"67215900-d1a6-465d-b072-c0f1fd2a4236\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, 
'_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n 
\"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": 
\"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. 
Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}+{Query10Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}+{Query10Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n 
\"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n 
\"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", 
\\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n 
\"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n 
\"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, 
gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful 
checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n 
\"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": 
\"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use VPN gateways to connect branches or 
remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n 
\"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend 
subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project 
id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": 
[\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n 
],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. 
Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": 
true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": 
\"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = 
(peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n 
\"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n 
\"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n 
},\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub 
virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": 
\"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"34d85edb-5614-41cc-921e-6d8799f040ed\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab0\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"5b00ddc3-d5b6-4b3b-9940-58f4b0e1e31b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"10700cc4-a0e1-4175-b40b-a1ba29983df6\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"7f31508c-63e9-4612-bb80-21daf3d5c7b7\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"37e10656-8c70-4bef-81e1-63be8f4503d9\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"6b9db623-fee7-4997-aa68-e3871ed06131\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"85482b61-4c03-4527-aef7-823e11ca2196\",\n \"cellValue\": \"VisibleTab\",\n 
\"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab6\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Success}+{Query10Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query9Stats:$.Total}+{Query10Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation 
ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address 
space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n 
\"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": 
{\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits 
only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. 
Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. 
Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful 
checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": 
\"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. 
Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n 
{\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n 
\"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": 
\"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. 
Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": 
\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" diff --git a/workbooks/alz_checklist.en_network_workbook.json b/workbooks/alz_checklist.en_network_workbook.json index 7f93428b1..317091a56 100644 --- a/workbooks/alz_checklist.en_network_workbook.json +++ b/workbooks/alz_checklist.en_network_workbook.json 
@@ -70,66 +70,66 @@
 "style": "tabs",
 "links": [
 {
- "id": "648b263a-8765-46e0-ac4d-52c6ad741b81",
+ "id": "a5f272f5-6396-4923-bc6a-e75b5a8bb6b5",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hybrid",
+ "linkLabel": "Internet",
 "subTarget": "tab0",
- "preText": "Hybrid",
+ "preText": "Internet",
 "style": "primary"
 },
 {
- "id": "d275e72c-9af1-48a7-a725-4f33aaeb7d8a",
+ "id": "0ac8752b-e9ea-442a-9522-f02af89b45a7",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hub and spoke",
+ "linkLabel": "IP plan",
 "subTarget": "tab1",
- "preText": "Hub and spoke",
+ "preText": "IP plan",
 "style": "primary"
 },
 {
- "id": "2e4e358a-31be-4c54-945a-25c24efffb71",
+ "id": "5d8a00a8-c917-44b1-bffe-07147e5cd0ad",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "PaaS",
+ "linkLabel": "Segmentation",
 "subTarget": "tab2",
- "preText": "PaaS",
+ "preText": "Segmentation",
 "style": "primary"
 },
 {
- "id": "4b2fa760-d685-46e0-9de0-3f52d18f37a3",
+ "id": "4798c0eb-6542-4fca-a5a9-5a7e938b8b64",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Segmentation",
+ "linkLabel": "Virtual WAN",
 "subTarget": "tab3",
- "preText": "Segmentation",
+ "preText": "Virtual WAN",
 "style": "primary"
 },
 {
- "id": "ae6335f8-c01a-4c0d-9590-7a5c712351a7",
+ "id": "b6f69f78-ddc3-4368-8e45-219b5d9abd1e",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Virtual WAN",
+ "linkLabel": "Hybrid",
 "subTarget": "tab4",
- "preText": "Virtual WAN",
+ "preText": "Hybrid",
 "style": "primary"
 },
 {
- "id": "7fdfbad4-a770-43c9-a9ea-55f40293d48e",
+ "id": "e19f6153-ac78-4d1a-9cab-bbcd0fbc2f7d",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Internet",
+ "linkLabel": "PaaS",
 "subTarget": "tab5",
- "preText": "Internet",
+ "preText": "PaaS",
 "style": "primary"
 },
 {
- "id": "8fabfe3a-d912-4da8-8cf1-f452f552bbb2",
+ "id": "91837681-a4af-4db1-b731-6602704c9314",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "IP plan",
+ "linkLabel": "Hub and spoke",
 "subTarget": "tab6",
- "preText": "IP plan",
+ "preText": "Hub and spoke",
 "style": "primary"
 }
 ]
@@ -145,22 +145,22 @@
 {
 "type": 1,
 "content": {
- "json": "## Hybrid"
+ "json": "## Internet"
 },
 "name": "tab0title"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
 },
- "name": "querytext4"
+ "name": "querytext11"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
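Review bot: `subnetPrefixLength` is the dynamic string element returned by `split(subnetPrefix, '/')[1]`, and the new Bastion query compares it to the integer 26 with no cast, so whether `compliant` is a numeric comparison or a null/string comparison depends on how Resource Graph coerces a dynamic string against a long; `extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])` makes the `<= 26` test unambiguous. The Route Server check elsewhere in this workbook uses the identical pattern and would benefit from the same cast. If a subnet is defined with the plural `addressPrefixes` property rather than `addressPrefix`, which this query does not read, the row presumably ends up as Unknown; worth a sentence in the query text if that is the intended behaviour.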
@@ -209,20 +209,20 @@
 ]
 }
 },
- "name": "query4"
+ "name": "query11"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information."
+ "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information."
 },
- "name": "querytext5"
+ "name": "querytext12"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
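Review bot: A firewall policy with no `dnsSettings` block makes `properties.dnsSettings.enableProxy == true` evaluate to null rather than false, and null never satisfies the later `compliant == 0`, so in the "only failed" view such policies silently disappear and otherwise render as Unknown even though DNS proxy is not enabled on them; `extend compliant = (tostring(properties.dnsSettings.enableProxy) =~ 'true')` turns the missing value into a definite failure. The query text asks for FQDN-based network rules as well as DNS proxy, but only the proxy setting is graded, which is worth stating in the text so readers do not take a green row as covering both.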
@@ -271,20 +271,20 @@
 ]
 }
 },
- "name": "query5"
+ "name": "query12"
 },
 {
 "type": 1,
 "content": {
- "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information."
+ "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
 },
- "name": "querytext6"
+ "name": "querytext13"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
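Review bot: The new Premium check enumerates `microsoft.network/firewallpolicies` only, so a firewall deployed with classic rules and no policy attached is never evaluated, and a Premium policy that is not attached to any firewall counts as a success; grading the deployed firewalls directly, e.g. `resources | where type=='microsoft.network/azurefirewalls' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant`, reflects what is actually running. The same policy-only scope applies to the DNS proxy, threat intelligence and IDPS checks added in this file, so if the policy scope is deliberate it is worth saying so in the query text.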
@@ -333,20 +333,20 @@
 ]
 }
 },
- "name": "query6"
+ "name": "query13"
 },
 {
 "type": 1,
 "content": {
- "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this."
+ "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
 },
- "name": "querytext7"
+ "name": "querytext14"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
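Review bot: `properties.threatIntelMode == 'Deny'` yields null, not false, for a policy whose `threatIntelMode` property is absent, so that policy shows as Unknown and is dropped from the "only failed" view rather than counted as failed; `extend compliant = (tostring(properties.threatIntelMode) == 'Deny')` maps the missing value to an empty string and gives a definite false. The accompanying text says "Alert and Deny" while the query accepts only Deny, so either the text should say Deny or the stricter check should be called out as intentional. Threat intelligence filtering is, as far as I recall, not a Premium-only feature, so the premium-features link may be the wrong anchor for this item — worth confirming.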
@@ -395,20 +395,20 @@
 ]
 }
 },
- "name": "query7"
+ "name": "query14"
 },
 {
 "type": 1,
 "content": {
- "json": "Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
+ "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information."
 },
- "name": "querytext8"
+ "name": "querytext15"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
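Review bot: `properties.intrusionDetection.mode == 'Deny'` evaluates to null for any policy with no `intrusionDetection` block, which is exactly the case where IDPS is not configured at all, so those policies render as Unknown and vanish from the "only failed" view instead of failing; `extend compliant = (tostring(properties.intrusionDetection.mode) == 'Deny')` counts them as failed. This query also ends with `project id, compliant` where the sibling firewall-policy queries in this diff use `distinct id,compliant`; harmless here, but aligning them keeps the grids and the Stats parameters consistent.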
@@ -457,42 +457,20 @@
 ]
 }
 },
- "name": "query8"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab0"
- },
- "name": "tab0"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Hub and spoke"
- },
- "name": "tab1title"
+ "name": "query15"
 },
 {
 "type": 1,
 "content": {
- "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
+ "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information."
 },
- "name": "querytext0"
+ "name": "querytext16"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
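Review bot: The subnet-name exclusion in the new route-table query is applied only to the left side of the `join kind=fullouter`, while the right side expands every subnet of every peered VNet, so GatewaySubnet, AzureFirewallSubnet, RouteServerSubnet and AzureBastionSubnet come back through `id1`/`subnetId1` with a null `hasRT`, get a null `compliant` and render as Unknown instead of being skipped; switching to `join kind=leftouter` (the left side already holds every subnet that should be graded) or repeating the `where not (subnetName in (...))` filter inside the right-hand subquery fixes that, and `AzureFirewallManagementSubnet` likely belongs in the exclusion list as well. Virtual WAN membership is inferred from the peering name beginning with `RemoteVnetToHubPeering`, which is a naming convention of the hub-created peering rather than a resource property, so a renamed or manually created peering misclassifies the VNet; if Resource Graph exposes the hub connection on the peering (e.g. `remoteVirtualNetwork.id` pointing at a virtualHubs resource) that is a sturdier signal, and either way the assumption deserves a sentence in the query text.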
@@ -541,20 +519,42 @@ ] } }, - "name": "query0" + "name": "query16" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## IP plan" + }, + "name": "tab1title" }, { "type": 1, "content": { - "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext1" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
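Review bot: The new query9 decides RFC 1918 membership from the leading octets only, so a `cidr` such as `10.0.0.0/7` (which extends beyond 10/8) passes, while any IPv6 address space always fails; `cidr` is also still a dynamic value when it reaches `matches regex`. Kusto offers `ipv4_is_private()` for this — `| extend compliant = ipv4_is_private(tostring(addressPrefix))` also accounts for the prefix length; confirm it is accepted by Resource Graph before switching. If IPv6 or 100.64.0.0/10 address spaces are expected in the estate, either exclude them from the check or say in the text that they are reported as non-compliant. The `todynamic(properties.addressSpace)` / `mvexpand addressSpace` pair contributes nothing to the result and can be dropped.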
@@ -603,20 +603,20 @@ ] } }, - "name": "query1" + "name": "query9" }, { "type": 1, "content": { - "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." }, - "name": "querytext2" + "name": "querytext10" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
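Review bot: In the new query10, `addressMask` is the dynamic element returned by `split(addressPrefix,'/')[1]`, so `compliant = addressMask > 16` compares a string-typed dynamic with a number; unless Resource Graph coerces that silently, the result is not the comparison the text describes. Make the type explicit: `| extend addressMask = toint(split(addressPrefix,'/')[1]) | extend compliant = addressMask > 16`. A prefix without a `/` then yields a null mask rather than a misleading comparison, and IPv6 address spaces (/48, /56) pass trivially, which is worth a word in the text.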
@@ -665,20 +665,42 @@ ] } }, - "name": "query2" + "name": "query10" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab1" + }, + "name": "tab1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Segmentation" + }, + "name": "tab2title" }, { "type": 1, "content": { - "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." + "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." }, - "name": "querytext3" + "name": "querytext18" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
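Review bot: The new query18 marks an AzureFirewallSubnet non-compliant unless its prefix length is exactly 26, whereas the sibling checks for the Bastion and gateway subnets accept anything at least as large (`<= 26`, `<= 27`); the linked FAQ gives /26 as the minimum, so a /25 should pass here as well. Change the test to `| extend compliant = (toint(subnetPrefixLength) <= 26)`, which also removes the dynamic-vs-number comparison. `distinct id, compliant` reports per VNet, so a VNet without an AzureFirewallSubnet simply does not appear, which is fine for this item.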
@@ -727,42 +749,20 @@ ] } }, - "name": "query3" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab1" - }, - "name": "tab1" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## PaaS" - }, - "name": "tab2title" + "name": "query18" }, { "type": 1, "content": { - "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." }, - "name": "querytext17" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, 
compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -811,42 +811,20 @@ ] } }, - "name": "query17" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab2" - }, - "name": "tab2" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Segmentation" - }, - "name": "tab3title" + "name": "query19" }, { "type": 1, "content": { - "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." + "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." }, - "name": "querytext18" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
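Review bot: The new query20 silently omits NSGs whose custom rules are all Outbound: after `summarize ... by id, tostring(ruleDirection)` the `where ruleDirection == 'Inbound'` leaves no row for such an NSG, and the `union` branch only covers NSGs with zero rules, so they are reported neither as compliant nor as failing. Fold the direction into the countif and group by id alone: `| summarize StarDenies=countif(ruleAction=='Deny' and ruleDirection=='Inbound' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id | project id, compliant=(StarDenies>0)`; the union branch is then still needed only for rule-less NSGs. The match also ignores rules written with the plural `destinationAddressPrefixes` / `destinationPortRanges` forms, so a deny-all expressed that way would count as absent.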
@@ -895,20 +873,20 @@ ] } }, - "name": "query18" + "name": "query20" }, { "type": 1, "content": { - "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." + "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." }, - "name": "querytext19" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
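Review bot: The guidance text in the new querytext21 talks about application security groups, but query21 only tests whether a subnet has an NSG attached (`compliant = isnotnull(subnetNsg)`); nothing in the query looks at ASGs, so the reader is told one thing and measured on another. Either reword the text to what is checked, e.g. `Every workload subnet should have an NSG attached; use application security groups within those NSGs to segment multi-tier VMs.`, or rename the check. The sibling query16 in this diff casts the subnet name with `tostring(subnets.name)` before the `in (...)` exclusion; doing the same here, `subnetName=tostring(subnets.name)`, keeps the two consistent and avoids relying on dynamic-to-string comparison.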
@@ -957,20 +935,42 @@ ] } }, - "name": "query19" + "name": "query21" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab2" + }, + "name": "tab2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Virtual WAN" + }, + "name": "tab3title" }, { "type": 1, "content": { - "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." + "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext20" + "name": "querytext22" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
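Review bot: query22 treats a Virtual WAN hub as secured only when `properties.azureFirewall.id` is set, so hubs secured by a third-party NVA or a security partner provider are reported as failing even though they meet the intent of the item. The check does match its text ("deploy Azure Firewall in secured hubs"), but a sentence such as `Hubs secured with a third-party firewall are flagged by this check.` would stop those findings being chased as defects. If Resource Graph exposes the partner-provider property on the hub, the query could OR it into `compliant`; I cannot confirm the property name from here.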
@@ -1019,20 +1019,42 @@ ] } }, - "name": "query20" + "name": "query22" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab3" + }, + "name": "tab3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Hybrid" + }, + "name": "tab4title" }, { "type": 1, "content": { - "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." + "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
}, - "name": "querytext21" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
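Review bot: The new query4 fails every gateway whose SKU tier is `Basic` or `Standard` regardless of type, but for ExpressRoute the `Standard` tier is an ordinary production SKU, so the check contradicts its own text ("the right SKU based on bandwidth and performance requirements"), which cannot be judged from the SKU alone. Scope the exclusion to VPN gateways, where Basic/Standard are the legacy tiers, e.g. `| extend compliant = not(Type =~ 'Vpn' and tostring(SKUTier) in ('Basic','Standard'))`, or reword the text to "avoid Basic/Standard SKUs on VPN gateways". The type filter also mixes case-insensitive `=~ 'vpn'` with case-sensitive `== 'ExpressRoute'`; `properties.gatewayType in~ ('Vpn','ExpressRoute')` is clearer and matches either casing.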
@@ -1081,42 +1103,20 @@ ] } }, - "name": "query21" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab3" - }, - "name": "tab3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Virtual WAN" - }, - "name": "tab4title" + "name": "query4" }, { "type": 1, "content": { - "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." + "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information." }, - "name": "querytext22" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
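Review bot: query5 marks every UnlimitedData circuit that is not Local SKU as non-compliant, but the guidance text makes the recommendation conditional on reaching the bandwidth that justifies the cost, which `sku.family`/`sku.tier` cannot tell; as written the check is a review prompt rather than a compliance test, and the text should say so, e.g. append `This check lists unlimited-data circuits for cost review; it does not measure utilisation.`. Both `sku.family` and `sku.tier` are dynamic here, so `tolower(tostring(sku.family))` keeps the type explicit.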
@@ -1165,42 +1165,20 @@ ] } }, - "name": "query22" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab4" - }, - "name": "tab4" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Internet" - }, - "name": "tab5title" + "name": "query5" }, { "type": 1, "content": { - "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." + "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information." }, - "name": "querytext11" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed 
= {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1249,20 +1227,20 @@ ] } }, - "name": "query11" + "name": "query6" }, { "type": 1, "content": { - "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." + "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext12" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
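Review bot: The new query6 uses an inner `join` from connections to circuits, so an ExpressRoute gateway whose circuit lives in a subscription outside the workbook's scope simply vanishes from the results instead of being listed, and `circuitsku=sku.tier` is compared with `'Local'` as a dynamic. Use `join kind=leftouter` and `compliant = (tostring(circuitsku) == 'Local')` so unmatched gateways still appear (as failing) rather than being hidden. The text also makes Local conditional on the peering location serving the gateway's region, which the query cannot verify, so it will flag gateways for which Local is not even offered; worth stating in the text.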
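Review bot: query7 is the ExpressRoute zone-redundancy item, yet its filter `properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'` also pulls in VPN gateways, which the next item (query8) already evaluates with the same `contains 'az'` test, so every non-AZ VPN gateway is reported twice under two different recommendations. Restrict this query to `| where properties.gatewayType =~ 'ExpressRoute'` so each gateway type is judged once, under the text that describes it. `contains` is case-insensitive in Kusto, so `contains 'AZ'` here and `tolower(...) contains 'az'` in query8 are equivalent; pick one form for both.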
@@ -1311,20 +1289,20 @@
 ]
 }
 },
- "name": "query12"
+ "name": "query7"
 },
 {
 "type": 1,
 "content": {
- "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
+ "json": "Use VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this."
 },
- "name": "querytext13"
+ "name": "querytext8"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
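Review bot: query8 reports every VPN gateway without an AZ SKU as failing, but its text qualifies the recommendation with "(where available)": in regions without availability zones no AZ SKU can be deployed, so those gateways become permanent false positives. Either project `location` alongside `compliant` so the reader can discount such regions, or state in the text that the check does not account for region support. Minor: `contains` is already case-insensitive, so `properties.sku.name contains 'az'` is sufficient, and `properties.gatewayType == 'Vpn'` is case-sensitive while query7 uses `=~`; make the two consistent.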
@@ -1373,20 +1351,42 @@ ] } }, - "name": "query13" + "name": "query8" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab4" + }, + "name": "tab4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## PaaS" + }, + "name": "tab5title" }, { "type": 1, "content": { - "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." + "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." }, - "name": "querytext14" + "name": "querytext17" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
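Review bot: query17 fails any subnet with a single service endpoint, while its text only warns against enabling endpoints "by default on all subnets"; a deliberately enabled endpoint on one subnet is exactly the allowed case, so the check is stricter than the guidance and produces findings the text does not justify. Either reword the text, e.g. `Enable service endpoints only on subnets that need them; this check lists every subnet that has one for review.`, or compute compliance per VNet (fail when every subnet of a VNet carries the same endpoint). Note that `project id = subnets.id` makes the row id the subnet rather than the VNet used by the other queries, which is fine but worth a word, and the `order by compliant asc` before the final `where` is redundant.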
@@ -1435,20 +1435,42 @@ ] } }, - "name": "query14" + "name": "query17" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab5" + }, + "name": "tab5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Hub and spoke" + }, + "name": "tab6title" }, { "type": 1, "content": { - "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." + "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." }, - "name": "querytext15" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1497,20 +1519,20 @@ ] } }, - "name": "query15" + "name": "query0" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." }, - "name": "querytext16" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, 
subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
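Review bot: query1 raises a finding at 450 peerings while its text quotes the limit as 500, and nothing explains the gap; either append `This check raises a finding at 450 peerings (90% of the limit).` to the text or use the documented limit as the threshold. The text also cites the 1000-prefix ExpressRoute advertisement limit, which this query does not examine, so say that only the peering count is checked. VNets with zero peerings appear to produce no row after `mvexpand`, which is acceptable since they are trivially compliant.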
@@ -1559,42 +1581,20 @@ ] } }, - "name": "query16" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab5" - }, - "name": "tab5" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## IP plan" - }, - "name": "tab6title" + "name": "query1" }, { "type": 1, "content": { - "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." 
}, - "name": "querytext9" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
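Review bot: Route tables with zero routes are dropped by `mvexpand properties.routes` before `summarize routeCount = count() by id`, so the new query never reports them, and the 360 threshold in `compliant = (routeCount < 360)` is not explained while the text quotes the 400 limit. `extend routeCount = coalesce(array_length(properties.routes), 0) | extend compliant = (routeCount < 360)` keeps empty tables in the result with a single row each. I would also surface the early-warning threshold in the markdown so a reader understands why a table under the hard limit is marked failed, e.g. `Consider the limit of routes per route table (400); this check flags tables with 360 or more routes.`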
@@ -1643,20 +1643,20 @@ ] } }, - "name": "query9" + "name": "query2" }, { "type": 1, "content": { - "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." }, - "name": "querytext10" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1705,7 +1705,7 @@ ] } }, - "name": "query10" + "name": "query3" } ] }, 
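Review bot: The new peering query compares against a capitalised literal in `compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)`; KQL documents the boolean literals as lowercase `true`/`false`, so please verify this parses in Resource Graph or switch to `== true`. A peering where the property is absent yields a null `compliant`, which the `where compliant == 0 or not (onlyFailed == 1)` filter silently drops in 'Only show failed' mode instead of flagging it, so `compliant = (coalesce(tobool(properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess), false) == true)` is safer. Note that this query emits one row per peering, so the same VNet `id` repeats in the grid; that is acceptable because `peeringName` is projected alongside it. The second hunk at -1705 is a rename only.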
diff --git a/workbooks/alz_checklist.en_network_workbook_template.json b/workbooks/alz_checklist.en_network_workbook_template.json index 2d91dce71..2a6f5a4a1 100644 --- a/workbooks/alz_checklist.en_network_workbook_template.json +++ b/workbooks/alz_checklist.en_network_workbook_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"648b263a-8765-46e0-ac4d-52c6ad741b81\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"d275e72c-9af1-48a7-a725-4f33aaeb7d8a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"2e4e358a-31be-4c54-945a-25c24efffb71\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab2\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"4b2fa760-d685-46e0-9de0-3f52d18f37a3\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ae6335f8-c01a-4c0d-9590-7a5c712351a7\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"7fdfbad4-a770-43c9-a9ea-55f40293d48e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": 
\"Internet\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"8fabfe3a-d912-4da8-8cf1-f452f552bbb2\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab6\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n 
\"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": 
null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n 
]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use 
VPN gateways to connect branches or remote locations to Azure. For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n 
\"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual 
networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service 
endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 
12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n 
\"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n 
],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"a5f272f5-6396-4923-bc6a-e75b5a8bb6b5\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"0ac8752b-e9ea-442a-9522-f02af89b45a7\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab1\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"5d8a00a8-c917-44b1-bffe-07147e5cd0ad\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"4798c0eb-6542-4fca-a5a9-5a7e938b8b64\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"b6f69f78-ddc3-4368-8e45-219b5d9abd1e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e19f6153-ac78-4d1a-9cab-bbcd0fbc2f7d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": 
\"PaaS\",\n \"subTarget\": \"tab5\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"91837681-a4af-4db1-b731-6602704c9314\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n 
\"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure 
Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n 
{\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n 
\"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": 
\"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n 
]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use VPN gateways to connect branches or remote locations to Azure. 
For higher resilience, deploy zone-redundant gateways (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## 
PaaS\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n 
\"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n 
\"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": 
{\n \"json\": \"Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]"
