From 63d2206f0d961197c5e308e05954ffc919ff4ac8 Mon Sep 17 00:00:00 2001 
From: Rodrigo Santos Date: Wed, 10 Apr 2024 12:58:20 -0400 Subject: [PATCH] Rosanto - adding all 5 learn more links (#23) Co-authored-by: Rodrigo Reis Santos (AZURE) Co-authored-by: Zach Trocinski --- .../AVS/privateClouds/recommendations.yaml | 218 ++++++- .../service/recommendations.yaml | 16 +- .../automationAccounts/recommendations.yaml | 7 +- .../Batch/batchAccounts/recommendations.yaml | 4 +- .../Cache/Redis/recommendations.yaml | 6 +- .../Cdn/profiles/recommendations.yaml | 56 +- .../Compute/galleries/recommendations.yaml | 16 +- .../recommendations.yaml | 40 +- .../virtualMachines/recommendations.yaml | 92 +-- .../registries/recommendations.yaml | 42 +- .../managedClusters/recommendations.yaml | 112 +++- .../flexibleServers/recommendations.yaml | 8 +- .../flexibleServers/recommendations.yaml | 8 +- .../workspaces/recommendations.yaml | 100 +-- .../hostPools/recommendations.yaml | 585 +++++++++++++++++- .../Devices/IotHubs/recommendations.yaml | 22 +- .../databaseAccounts/recommendations.yaml | 30 +- .../EventGrid/topics/recommendations.yaml | 9 +- .../EventHub/namespaces/recommendations.yaml | 7 +- .../activityLogAlerts/recommendations.yaml | 14 +- .../Insights/components/recommendations.yaml | 5 +- .../KeyVault/vaults/recommendations.yaml | 14 +- .../netAppAccounts/recommendations.yaml | 52 +- .../recommendations.yaml | 20 +- .../applicationGateways/recommendations.yaml | 50 +- .../azureFirewalls/recommendations.yaml | 22 +- .../Network/connections/recommendations.yaml | 8 +- .../ddosProtectionPlans/recommendations.yaml | 6 +- .../expressRouteCircuits/recommendations.yaml | 30 +- .../expressRoutePorts/recommendations.yaml | 8 +- .../loadBalancers/recommendations.yaml | 18 +- .../recommendations.yaml | 18 +- .../networkWatchers/recommendations.yaml | 8 +- .../privateDnsZones/recommendations.yaml | 10 +- .../privateEndpoints/recommendations.yaml | 5 +- .../publicIPAddresses/recommendations.yaml | 15 +- .../Network/routeTables/recommendations.yaml | 8 +- 
.../recommendations.yaml | 18 +- .../recommendations.yaml | 48 +- .../virtualNetworks/recommendations.yaml | 22 +- .../recommendations.yaml | 6 +- .../workspaces/recommendations.yaml | 18 +- .../vaults/recommendations.yaml | 19 +- .../resourceGroups/recommendations.yaml | 24 +- .../namespaces/recommendations.yaml | 9 +- .../SignalR/recommendations.yaml | 6 +- .../Sql/servers/recommendations.yaml | 30 +- .../storageAccounts/recommendations.yaml | 42 +- .../subscriptions/recommendations.yaml | 4 +- .../imageTemplates/recommendations.yaml | 8 +- .../Web/serverFarms/recommendations.yaml | 20 +- .../Web/sites/recommendations.yaml | 22 +- .../avd/recommendations.yaml | 18 +- .../avs/recommendations.yaml | 6 +- .../hpc/recommendations.yaml | 55 +- .../sap/recommendations.yaml | 175 +++--- azure-waf/define/recommendations.yaml | 20 +- azure-waf/deploy/recommendations.yaml | 15 +- azure-waf/design/recommendations.yaml | 70 ++- azure-waf/monitor/recommendations.yaml | 38 +- azure-waf/respond/recommendations.yaml | 11 +- azure-waf/test/recommendations.yaml | 36 +- 62 files changed, 1784 insertions(+), 645 deletions(-) diff --git a/azure-resources/AVS/privateClouds/recommendations.yaml b/azure-resources/AVS/privateClouds/recommendations.yaml index 4fd43f7f4..d8a89bc79 100644 --- a/azure-resources/AVS/privateClouds/recommendations.yaml +++ b/azure-resources/AVS/privateClouds/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Configure Azure Service Health notifications and alerts for Azure VMware Solution +- description: Configure Azure Service Health notifications and alerts for Azure VMware Solution aprlGuid: 74fcb9f2-9a25-49a6-8c42-d32851c4afb7 recommendationTypeId: null recommendationControl: Monitoring and Alerting 
@@ -33,7 +33,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Configure and streamline alerts url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts" - description: Monitor when Azure VMware Solution Cluster Size is approaching the host limit @@ -71,7 +71,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Connect Private Clouds in the same region url: "https://learn.microsoft.com/en-us/azure/azure-vmware/connect-multiple-private-clouds-same-region" - description: Integrate LDAPS Identity with dual sources for enhanced NSX and vCenter security @@ -90,8 +90,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Set an external identity source for vCenter url: "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-identity-source-vcenter" + - name: Set an external identity for NSX-T + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-external-identity-source-nsx-t" - description: Use HCX Network Extension High Availability aprlGuid: bce16eee-0933-4baa-ab4d-8d1bb5653fc2 @@ -109,8 +111,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: HCX Network extension high availability url: "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-hcx-network-extension-high-availability" + - name: Understanding Network Extension High Availability + url: "https://docs.vmware.com/en/VMware-HCX/4.8/hcx-user-guide/GUID-E1353511-697A-44B0-82A0-852DB55F97D7.html" - description: Verify Management Networks are not extended with HCX Network Extension aprlGuid: 6be9a543-cf82-4926-82ea-7e1f1ffaad80 
@@ -121,14 +125,14 @@ recommendationMetadataState: Active longDescription: | Do not extend the network used by the HCX Management devices to ensure the network's security and stability. - potentialBenefits: Enhanced network safety & performance + potentialBenefits: Enhanced network safety and performance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Requirements for Network Extension url: "https://docs.vmware.com/en/VMware-HCX/4.8/hcx-user-guide/GUID-0C746416-850E-46F7-85DD-4D4326A23785.html" - description: Enable Stretched Clusters for Multi-AZ Availability of the vSAN Datastore @@ -149,6 +153,8 @@ learnMoreLink: - name: Learn More url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/infrastructure#implement-high-availability" + - name: Stretched Clusters + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/deploy-vsan-stretched-clusters" - description: Verify vSAN FTT configuration aligns with the cluster size aprlGuid: 0943aa90-e3db-4c61-aef1-782b6a6a3881 
@@ -166,5 +172,201 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Use fault domains url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/application-platform#use-fault-domains" + - name: Configure storage policy + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-storage-policy" + +- description: Configure Azure Monitor Alert warning thresholds for vSAN datastore utilization + aprlGuid: 4232eb32-3241-4049-9e14-9b8005817b56 + recommendationTypeId: null + recommendationControl: Monitoring and Alerting + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Ensure VMware vSAN datastore slack space is maintained for SLA by monitoring storage utilization and setting alerts at 70% and 75% utilization to allow for capacity planning. To expand, add hosts or external storage like Azure Elastic SAN, Azure NetApp Files, if CPU and RAM requirements are met. + potentialBenefits: Optimized capacity planning for vSAN + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: arg + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-alerts-for-azure-vmware-solution#supported-metrics-and-activities" + +- description: Configure Syslog in Diagnostic Settings for Azure VMware Solution + aprlGuid: fa4ab927-bced-429a-971a-53350de7f14b + recommendationTypeId: null + recommendationControl: Monitoring and Alerting + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Ensure Diagnostic Settings are configured for each private cloud to send syslogs to external sources for analysis and/or archiving. 
Azure VMware Solution Syslogs contain data for troubleshooting and performance, aiding quicker issue resolution and early detection of issues. + potentialBenefits: Faster issue resolution, early detection + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#manage-logs-and-archives" + +- description: Monitor CPU Utilization to ensure sufficient resources for workloads + aprlGuid: 4ee5d535-c47b-470a-9557-4a3dd297d62f + recommendationTypeId: null + recommendationControl: Monitoring and Alerting + recommendationImpact: Medium + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Ensure sufficient compute resources to avoid host resource exhaustion in Azure VMware Solution, which utilizes vSphere DRS and HA for dynamic workload resource management. However, sustained CPU utilization over 95% may increase CPU Ready times, impacting workloads. + potentialBenefits: Avoids resource exhaustion, optimizes performance + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: arg + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts" + +- description: Monitor Memory Utilization to ensure sufficient resources for workloads + aprlGuid: 029208c8-5186-4a76-8ee8-6e3445fef4dd + recommendationTypeId: null + recommendationControl: Monitoring and Alerting + recommendationImpact: Medium + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Ensure sufficient memory resources to prevent host resource exhaustion in Azure VMware Solution. It uses vSphere DRS and vSphere HA for dynamic workload management. 
Yet, continuous memory use over 95% leads to disk swapping, affecting workloads. + potentialBenefits: Avoids host exhaustion and swapping + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: arg + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-vmware/monitoring#configure-and-streamline-alerts" + +- description: Apply Resource delete lock on the resource group hosting the private cloud + aprlGuid: a5ef7c05-c611-4842-9af5-11efdc99123a + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Applying a resource delete lock to the Azure VMware Solution Private Cloud resource group prevents unauthorized or accidental deletion by anyone with contributor access, ensuring the protection and reliability of the Azure VMware Solution Private Cloud. + potentialBenefits: Prevents accidental deletion + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Lock your resources to protect your infrastructure + url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources" + +- description: Align ExpressRoute configuration with best practices for circuit resilience + aprlGuid: 6f573d60-be93-4f18-8016-42e923e3c05e + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Microsoft suggests using two or more ExpressRoute circuits at distinct peering locations for critical workloads. Connect these circuits and your Azure VMware Solutions private clouds using Global Reach. 
+ potentialBenefits: Enhanced circuit resilience for Azure VMware + pgVerified: Preview + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: APRL guidance for ExpressRoute circuits + url: "https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits" + - name: Create a new ExpressRoute circuit + url: "https://learn.microsoft.com/azure/expressroute/expressroute-howto-circuit-portal-resource-manager?pivots=expressroute-preview#create-a-new-expressroute-circuit-preview" + +- description: Deploy dual Azure VMware Solution clouds in different regions for disaster recovery + aprlGuid: bdac462a-2eda-4a67-887d-46d58f141afe + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Two Azure VMware Solution private clouds can be deployed in different regions for business continuity, implementing a mesh network topology based on ExpressRoute Gateway Connections and Global Reach Connections. 
+ potentialBenefits: Enhanced disaster recovery + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Private Clouds in two regions + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/move-azure-vmware-solution-across-regions" + - name: Dual Region Network Topology + url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-dual-region-network-topology" + +- description: Deploy two or more circuits in different peering locations when using stretched clusters + aprlGuid: 91c84596-1c41-48fe-8d5e-3f817e6a273b + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Azure VMware Solution vSAN stretched clusters cover 2 Availability Zones plus a third for witness. Use ExpressRoute for added resilience by deploying two circuits in different locations. With Global Reach, create a mesh topology by connecting on-premises circuits to Azure's managed circuits. 
+ potentialBenefits: Enhanced resilience and connectivity + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Deploy vSAN streched cluster + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/deploy-vsan-stretched-clusters#deploy-a-stretched-cluster-private-cloud" + +- description: Use key autorotation for vSAN datastore customer-managed keys + aprlGuid: e0ac2f57-c8c0-4b8c-a7c8-19e5797828b5 + recommendationTypeId: null + recommendationControl: Security + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + When using customer-managed keys for encrypting vSAN datastores, leveraging Azure Key Vault for central management and accessing them via a managed identity linked to the private cloud is advised. The expiration of these keys can render the vSAN datastore and its associated workloads inaccessible. + potentialBenefits: Avoid outages with key auto-rotation + pgVerified: Preview + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Configure Customer Managed Keys + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-customer-managed-keys?tabs=azure-portal" + +- description: Use multiple DNS servers per private FQDN zone + aprlGuid: fcc2e257-23af-4c68-aac8-9cc03033c939 + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: High + recommendationResourceType: Microsoft.AVS/privateClouds + recommendationMetadataState: Active + longDescription: | + Azure VMware Solution private clouds support up to three DNS servers for a single FQDN, preventing a single DNS server from becoming a point of failure. It's crucial to use multiple DNS servers for on-premises FQDN resolution from each private cloud. 
+ potentialBenefits: Enhances reliability and avoids failure + pgVerified: Preview + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Configure DNS forwarder + url: "https://learn.microsoft.com/en-us/azure/azure-vmware/configure-dns-azure-vmware-solution#configure-dns-forwarder" diff --git a/azure-resources/ApiManagement/service/recommendations.yaml b/azure-resources/ApiManagement/service/recommendations.yaml index 3527559c2..95ae9d0f0 100644 --- a/azure-resources/ApiManagement/service/recommendations.yaml +++ b/azure-resources/ApiManagement/service/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Migrate API Management services to Premium SKU to support Availability Zones +- description: Migrate API Management services to Premium SKU to support Availability Zones aprlGuid: baf3bfc0-32a2-4c0c-926d-c9bf0b49808e recommendationTypeId: null recommendationControl: High Availability @@ -7,15 +7,17 @@ recommendationMetadataState: Active longDescription: | Upgrading the API Management instance to the Premium SKU adds support for Availability Zones, enhancing availability and resilience by distributing services across physically separate locations within Azure regions. - potentialBenefits: Enhanced availability & resilience + potentialBenefits: Enhanced availability and resilience pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Change your API Management service tier url: "https://learn.microsoft.com/en-us/azure/api-management/upgrade-and-scale#change-your-api-management-service-tier" + - name: Migrate Azure API Management to availability zone support + url: "https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt" - description: Enable Availability Zones on Premium API Management instances aprlGuid: 740f2c1c-8857-4648-80eb-47d2c56d5a50 
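Review bot: The new "Apply Resource delete lock" entry (aprlGuid a5ef7c05-…) says the lock `prevents unauthorized or accidental deletion by anyone with contributor access`, which overstates what a delete lock provides: it guards against accidental deletion, not against a principal with authorization to manage locks (typically Owner or User Access Administrator), who can remove the lock and then delete the private cloud. Suggest `Applying a resource delete lock to the Azure VMware Solution Private Cloud resource group prevents accidental deletion by users with Contributor access. Locks are not a security boundary; anyone able to remove locks can still delete the resource, so pair the lock with least-privilege RBAC.`, which also matches the entry's own potentialBenefits of `Prevents accidental deletion`. The "Use key autorotation for vSAN datastore customer-managed keys" entry (e0ac2f57-…) never says how rotation is achieved; one sentence on configuring a Key Vault rotation policy and on referencing the key without a pinned version so a rotated version takes effect, plus the soft-delete and purge-protection prerequisites the CMK setup presumably requires, would make it actionable — confirm against the linked doc. Also, the link name `Deploy vSAN streched cluster` has a typo (`stretched`), and the new entries keep `automationAvailable: no`, which a YAML 1.1 loader reads as boolean false rather than the string implied by the sibling `arg` value — this follows file convention, but is worth quoting if the consumer is PyYAML.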
@@ -33,8 +35,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Ensure API Management availability and reliability url: "https://learn.microsoft.com/en-us/azure/api-management/high-availability#availability-zones" + - name: Migrate Azure API Management to availability zone support + url: "https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt" - description: Upgrade to platform version stv2 aprlGuid: e35cf148-8eee-49d1-a1c9-956160f99e0b @@ -52,5 +56,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure API Management - stv1 platform retirement (August 2024) url: "https://learn.microsoft.com/en-us/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024" + - name: Azure API Management compute platform + url: "https://learn.microsoft.com/en-us/azure/api-management/compute-infrastructure" diff --git a/azure-resources/Automation/automationAccounts/recommendations.yaml b/azure-resources/Automation/automationAccounts/recommendations.yaml index ce19c7d3e..1bb775c0e 100644 --- a/azure-resources/Automation/automationAccounts/recommendations.yaml +++ b/azure-resources/Automation/automationAccounts/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Set up disaster recovery of Automation accounts and its dependent resources +- description: Set up disaster recovery of Automation accounts and its dependent resources aprlGuid: 67205887-0733-466e-b50e-b1cd7316c514 recommendationTypeId: null recommendationControl: High Availability 
@@ -14,5 +14,8 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Disaster recovery for Automation accounts url: "https://learn.microsoft.com/en-us/azure/automation/automation-disaster-recovery?tabs=win-hrw%2Cps-script%2Coption-one" + - name: Disaster recovery scenarios for cloud and hybrid jobs + url: "https://learn.microsoft.com/en-us/azure/automation/automation-disaster-recovery?tabs=win-hrw%2Cps-script%2Coption-one#scenarios-for-cloud-and-hybrid-jobs" + diff --git a/azure-resources/Batch/batchAccounts/recommendations.yaml b/azure-resources/Batch/batchAccounts/recommendations.yaml index 73ce456e7..7cbebe658 100644 --- a/azure-resources/Batch/batchAccounts/recommendations.yaml +++ b/azure-resources/Batch/batchAccounts/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Monitor Batch Account quota +- description: Monitor Batch Account quota aprlGuid: 3464854d-6f75-4922-95e4-a2a308b53ce6 recommendationTypeId: null recommendationControl: Monitoring and Alerting @@ -26,7 +26,7 @@ recommendationMetadataState: Active longDescription: | When using Virtual Machine Configuration for Azure Batch pools, opting to distribute your pool across Availability Zones bolsters your compute nodes against Azure datacenter failures. - potentialBenefits: Enhanced reliability & failure protection + potentialBenefits: Enhanced reliability and failure protection pgVerified: Preview publishedToLearn: false publishedToAdvisor: false diff --git a/azure-resources/Cache/Redis/recommendations.yaml b/azure-resources/Cache/Redis/recommendations.yaml index d6c410ac7..c4012889d 100644 --- a/azure-resources/Cache/Redis/recommendations.yaml +++ b/azure-resources/Cache/Redis/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Enable zone redundancy for Azure Cache for Redis +- description: Enable zone redundancy for Azure Cache for Redis aprlGuid: 5a44bd30-ae6a-4b81-9b68-dc3a8ffca4d8 recommendationTypeId: null recommendationControl: High Availability 
@@ -7,12 +7,12 @@ recommendationMetadataState: Active longDescription: | Azure Cache for Redis offers zone redundancy in Premium and Enterprise tiers, using VMs across multiple Availability Zones to ensure greater resilience and availability. - potentialBenefits: Higher resilience & availability + potentialBenefits: Higher resilience and availability pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Enable zone redundancy for Azure Cache for Redis url: "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy" diff --git a/azure-resources/Cdn/profiles/recommendations.yaml b/azure-resources/Cdn/profiles/recommendations.yaml index 140e7d2b7..9571f59c3 100644 --- a/azure-resources/Cdn/profiles/recommendations.yaml +++ b/azure-resources/Cdn/profiles/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Avoid combining Traffic Manager and Front Door +- description: Avoid combining Traffic Manager and Front Door aprlGuid: 9437634c-d69e-2747-b13e-631c13182150 recommendationTypeId: null recommendationControl: Business Continuity @@ -14,8 +14,14 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Load Balancing Options url: "https://learn.microsoft.com/azure/architecture/guide/technology-choices/load-balancing-overview" + - name: Azure Traffic Manager + url: "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-overview" + - name: Azure Front Door + url: "https://learn.microsoft.com/azure/frontdoor/front-door-overview" + - name: Mission-critical global content delivery + url: "https://learn.microsoft.com/en-us/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery" - description: Restrict traffic to your origins aprlGuid: 6c40b7ae-2bea-5748-be1a-9e9e3b834649 
@@ -26,14 +32,14 @@ recommendationMetadataState: Active longDescription: | Front Door's features perform optimally when traffic exclusively comes through Front Door. It's advised to set up your origin to deny access to traffic that bypasses Front Door. - potentialBenefits: Enhances security & performance + potentialBenefits: Enhances security and performance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Secure traffic to Azure Front Door origins url: "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium" - description: Use the latest API version and SDK version @@ -45,15 +51,19 @@ recommendationMetadataState: Active longDescription: | When working with Azure Front Door through APIs, ARM templates, Bicep, or SDKs, using the latest API or SDK version is crucial. Updates bring new functions, important security patches, and bug fixes. - potentialBenefits: Enhanced security & features + potentialBenefits: Enhanced security and features pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: REST API Reference url: "https://learn.microsoft.com/rest/api/frontdoor/" + - name: Client library for Java + url: "https://learn.microsoft.com/java/api/overview/azure/resourcemanager-frontdoor-readme?view=azure-java-preview" + - name: SDK for Python + url: "https://learn.microsoft.com/python/api/overview/azure/front-door?view=azure-python" - description: Configure logs aprlGuid: 1ad74c3c-e3d7-0046-b83f-a2199974ef15 
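Review bot: The new Java SDK link in the "Use the latest API version and SDK version" entry pins the docs to `?view=azure-java-preview`, so a recommendation whose purpose is keeping callers on current, patched API and SDK versions sends readers to the preview SDK track rather than the GA one. Suggest dropping the `view` parameter or pointing at the stable view, e.g. `url: "https://learn.microsoft.com/java/api/overview/azure/resourcemanager-frontdoor-readme"`, so the default page is served; confirm a stable view exists for this package. The Python link uses `view=azure-python`, which appears to be the stable track, so it can stay as is.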
@@ -71,8 +81,12 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Monitor metrics and logs in Azure Front Door url: "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics?pivots=front-door-standard-premium" + - name: WAF logs + url: "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium#waf-logs" + - name: Configure Azure Front Door logs + url: "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-logs" - description: Use end-to-end TLS aprlGuid: d9bd6780-0d6f-cd4c-bc66-8ddcab12f3d1 @@ -90,7 +104,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: End-to-end TLS with Azure Front Door url: "https://learn.microsoft.com/azure/frontdoor/end-to-end-tls?pivots=front-door-standard-premium" - description: Use HTTP to HTTPS redirection @@ -109,7 +123,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Create HTTP to HTTPS redirect rule url: "https://learn.microsoft.com/azure/frontdoor/front-door-how-to-redirect-https#create-http-to-https-redirect-rule" - description: Use managed TLS certificates @@ -128,7 +142,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Configure HTTPS on an Azure Front Door custom domain using the Azure portal url: "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell" - description: Use latest version for customer-managed certificates 
@@ -140,14 +154,14 @@ recommendationMetadataState: Active longDescription: | If you use your own TLS certificates, set the Key Vault certificate version to 'Latest' to avoid reconfiguring Azure Front Door for new certificate versions and waiting for deployment across Front Door's environments. - potentialBenefits: Saves time & automates TLS updates + potentialBenefits: Saves time and automates TLS updates pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Select the certificate for Azure Front Door to deploy url: "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#select-the-certificate-for-azure-front-door-to-deploy" - description: Use the same domain name on Front Door and your origin @@ -166,7 +180,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Preserve the original HTTP host name between a reverse proxy and its back-end web application url: "https://learn.microsoft.com/azure/architecture/best-practices/host-name-preservation" - description: Enable the WAF @@ -185,7 +199,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Web Application Firewall on Azure Front Door url: "https://learn.microsoft.com/azure/frontdoor/web-application-firewall" - description: Disable health probes when there is only one origin in an origin group @@ -204,7 +218,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Health probes url: "https://learn.microsoft.com/azure/frontdoor/health-probes" - description: Select good health probe endpoints 
@@ -216,14 +230,14 @@ recommendationMetadataState: Active longDescription: | Consider selecting a webpage or location specifically designed for health monitoring as the endpoint for Azure Front Door's health probes. This should encompass the status of critical components like application servers, databases, and caches to serve production traffic efficiently. - potentialBenefits: Improves traffic routing & uptime + potentialBenefits: Improves traffic routing and uptime pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Health Endpoint Monitoring pattern url: "https://learn.microsoft.com/azure/architecture/patterns/health-endpoint-monitoring" - description: Use HEAD health probes @@ -242,7 +256,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Supported HTTP methods for health probes url: "https://learn.microsoft.com/azure/frontdoor/health-probes#supported-http-methods-for-health-probes" - description: Use geo-filtering in Azure Front Door @@ -261,7 +275,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Geo filter WAF policy - GeoMatch url: "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-geo-filtering" - description: Secure your Origin with Private Link in Azure Front Door 
@@ -273,12 +287,12 @@ recommendationMetadataState: Active longDescription: | Azure Private Link enables secure access to Azure PaaS and services over a private endpoint in your virtual network, ensuring traffic goes over the Microsoft backbone network, not the public internet. - potentialBenefits: Enhanced security & private connectivity + potentialBenefits: Enhanced security and private connectivity pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Private link for Azure Front Door url: "https://learn.microsoft.com/azure/frontdoor/private-link" diff --git a/azure-resources/Compute/galleries/recommendations.yaml b/azure-resources/Compute/galleries/recommendations.yaml index b1ecc51cb..e24a91605 100644 --- a/azure-resources/Compute/galleries/recommendations.yaml +++ b/azure-resources/Compute/galleries/recommendations.yaml @@ -1,4 +1,4 @@ -- description: A minimum of three replicas should be kept for production image versions +- description: A minimum of three replicas should be kept for production image versions aprlGuid: b49a39fd-f431-4b61-9062-f2157849d845 recommendationTypeId: null recommendationControl: High Availability 
@@ -7,14 +7,14 @@
recommendationMetadataState: Active
longDescription: |
Keeping a minimum of 3 replicas for production images in Azure's Compute Gallery ensures scalability and prevents throttling in multi-VM deployments by distributing VM deployments across different replicas. This reduces the risk of overloading a single replica.
- potentialBenefits: Enhances scalability & avoids throttling
+ potentialBenefits: Enhances scalability and avoids throttling
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Compute Gallery best practices
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#best-practices"
- description: Zone redundant storage should be used for image versions
@@ -33,8 +33,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Compute Gallery best practices
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#best-practices"
+ - name: Zone-redundant storage
+ url: "https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy#zone-redundant-storage"
- description: Consider creating TrustedLaunchSupported images where possible
aprlGuid: 1c5e1e58-4e56-491c-8529-10f37af9d4ed
@@ -52,5 +54,9 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Compute Gallery best practices
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#best-practices"
+ - name: Generation 1 vs Generation 2 in Hyper-V
+ url: "https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v"
+ - name: Images in Compute gallery
+ url: "https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli"
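Review bot: The `@@ -52,5 +54,9 @@` hunk belongs to the `Consider creating TrustedLaunchSupported images` recommendation, yet none of the three links it now carries documents Azure Trusted Launch itself: `Generation 1 vs Generation 2 in Hyper-V` is an on-premises Hyper-V planning article and `Images in Compute gallery` is a general gallery overview, so a reader still has to find the feature being recommended on their own. Add the Azure Trusted launch overview article (the `virtual-machines/trusted-launch` page on learn.microsoft.com) as the first link, and keep the Hyper-V page only as supporting background for the generation-2 requirement. The `?tabs=azure-cli` selector on the gallery URL is presentational and can be dropped, as the other gallery links in this file omit it.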
diff --git a/azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml b/azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
index b0f54d81c..3d116e719 100644
--- a/azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
+++ b/azure-resources/Compute/virtualMachineScaleSets/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Deploy VMSS with Flex orchestration mode instead of Uniform 
+- description: Deploy VMSS with Flex orchestration mode instead of Uniform
aprlGuid: e7495e1c-0c75-0946-b266-b429b5c7f3bf
recommendationTypeId: null
recommendationControl: Scalability
@@ -7,15 +7,17 @@
recommendationMetadataState: Active
longDescription: |
Deploying even single instance VMs into a scale set with Flexible orchestration mode future-proofs applications for scaling and availability. This mode guarantees high availability (up to 1000 VMs) by distributing VMs across fault domains in a region or within an Availability Zone.
- potentialBenefits: Higher scalability & availability
+ potentialBenefits: Higher scalability and availability
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: When to use VMSS instead of VMs
url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-design-overview#when-to-use-scale-sets-instead-of-virtual-machines"
+ - name: Azure Well-Architected Framework review - Virtual Machines and Scale Sets
+ url: "https://learn.microsoft.com/azure/well-architected/services/compute/virtual-machines/virtual-machines-review"
- description: Enable VMSS application health monitoring
aprlGuid: 94794d2a-eff0-2345-9b67-6f9349d0a627
@@ -26,14 +28,14 @@
recommendationMetadataState: Active
longDescription: |
Monitoring application health in Azure Virtual Machine Scale Sets is crucial for deployment management. It supports rolling upgrades such as automatic OS-image upgrades and VM guest patching, leveraging health monitoring for upgrading.
- potentialBenefits: Enhances deployment management & upgrades
+ potentialBenefits: Enhances deployment management and upgrades
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Using Application Health extension with Virtual Machine Scale Sets
url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-health-extension?tabs=rest-api"
- description: Enable Automatic Repair policy
@@ -52,7 +54,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Automatic instance repairs for Azure Virtual Machine Scale Sets
url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs#requirements-for-using-automatic-instance-repairs"
- description: Configure VMSS Autoscale to custom and configure the scaling metrics
@@ -64,15 +66,17 @@
recommendationMetadataState: Active
longDescription: |
Use custom autoscale for VMSS based on metrics and schedules to improve performance and cost effectiveness, adjusting instances as demand changes.
- potentialBenefits: Enhances performance & cost-efficiency
+ potentialBenefits: Enhances performance and cost-efficiency
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Get started with autoscale in Azure
url: "https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-get-started?WT.mc_id=Portal-Microsoft_Azure_Monitoring"
+ - name: Overview of autoscale in Azure
+ url: "https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-overview"
- description: Enable Predictive autoscale and configure at least for Forecast Only
aprlGuid: 3f85a51c-e286-9f44-b4dc-51d00768696c
@@ -90,7 +94,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Use predictive autoscale to scale out before load demands in virtual machine scale sets
url: "https://learn.microsoft.com/azure/azure-monitor/autoscale/autoscale-predictive"
- description: Disable Force strictly even balance across zones to avoid scale in and out fail attempts
@@ -109,7 +113,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Use scale-in policies with Azure Virtual Machine Scale Sets
url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-scale-in-policy"
- description: Configure Allocation Policy Spreading algorithm to Max Spreading
@@ -128,7 +132,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Availability Considerations
url: "https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones#availability-considerations"
- description: Deploy VMSS across availability zones with VMSS Flex
@@ -147,8 +151,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Create a Virtual Machine Scale Set that uses Availability Zones
url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones"
+ - name: Update scale set to add availability zones
+ url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones?tabs=cli-1%2Cportal-2#update-scale-set-to-add-availability-zones"
- description: Set Patch orchestration options to Azure-orchestrated
aprlGuid: e4ffd7b0-ba24-c84e-9352-ba4819f908c0
@@ -166,8 +172,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Automatic VM Guest Patching for Azure VMs
url: "https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching"
+ - name: Auto OS Image Upgrades
+ url: "https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade"
- description: Upgrade VMSS Image versions scheduled to be deprecated or already retired
aprlGuid: 83d61669-7bd6-9642-a305-175db8adcdf4
@@ -185,7 +193,7 @@
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Deprecated Azure Marketplace images
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/deprecated-images"
- description: Production VMSS instances should be using SSD disks
@@ -197,12 +205,12 @@
recommendationMetadataState: Active
longDescription: |
Using SSD disks for Production workloads is advised as HDDs could negatively impact resources, being suitable only for non-critical resources or those needing infrequent access.
- potentialBenefits: Faster access & reliability for VMSS
+ potentialBenefits: Faster access and reliability for VMSS
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Disk Comparison
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
diff --git a/azure-resources/Compute/virtualMachines/recommendations.yaml b/azure-resources/Compute/virtualMachines/recommendations.yaml
index b45119c93..2cacc49a2 100644
--- a/azure-resources/Compute/virtualMachines/recommendations.yaml
+++ b/azure-resources/Compute/virtualMachines/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Run production workloads on two or more VMs using VMSS Flex 
+- description: Run production workloads on two or more VMs using VMSS Flex
aprlGuid: 273f6b30-68e0-4241-85ea-acf15ffb60bf
recommendationTypeId: null
recommendationControl: High Availability
@@ -14,8 +14,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: What has changed with Flexible orchestration mode
url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#what-has-changed-with-flexible-orchestration-mode"
+ - name: Attach or detach a Virtual Machine to or from a Virtual Machine Scale Set
+ url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?branch=main&tabs=portal-1%2Cportal-2%2Cportal-3"
- description: Deploy VMs across Availability Zones
aprlGuid: 2bd0be95-a825-6f47-a8c6-3db1fb5eb387
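Review bot: The attach/detach URL added in the `@@ -14,8 +14,10 @@` hunk carries `?branch=main&tabs=portal-1%2Cportal-2%2Cportal-3`; `branch=main` is a docs-preview build selector with no meaning on the public site, which suggests the address was copied from an internal review render rather than the published page. Drop the query string so the link is the canonical public address: `url: "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm"`. No other link in this file section uses a `branch=` parameter, so this is also a consistency fix.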
@@ -33,7 +35,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Create virtual machines in an availability zone using the Azure portal
url: "https://learn.microsoft.com/azure/virtual-machines/create-portal-availability-zone?tabs=standard"
- description: Migrate VMs using availability sets to VMSS Flex
@@ -45,14 +47,14 @@
recommendationMetadataState: Active
longDescription: |
Availability sets will soon be retired. Migrate workloads from VMs to VMSS Flex for deployment across zones or within the same zone across different fault domains (FDs) and update domains (UD) for better reliability.
- potentialBenefits: Enhances reliability & future-proofs VMs
+ potentialBenefits: Enhances reliability and future-proofs VMs
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Resiliency checklist for Virtual Machines
url: "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#virtual-machines"
- description: Replicate VMs using Azure Site Recovery
@@ -71,8 +73,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Resiliency checklist for Virtual Machines
url: "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#virtual-machines"
+ - name: Run a test failover (disaster recovery drill) to Azure
+ url: "https://learn.microsoft.com/azure/site-recovery/site-recovery-test-failover-to-azure"
- description: Use Managed Disks for VM disks
aprlGuid: 122d11d7-b91f-8747-a562-f56b79bcfbdc
@@ -90,8 +94,12 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Migrate your Azure unmanaged disks by Sep 30, 2025
url: "https://learn.microsoft.com/azure/virtual-machines/unmanaged-disks-deprecation"
+ - name: Migrate Windows VM from unmanaged disks to managed disks
+ url: "https://learn.microsoft.com/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks"
+ - name: Migrate Linux VM from unmanaged disks to managed disks
+ url: "https://learn.microsoft.com/azure/virtual-machines/linux/convert-unmanaged-to-managed-disks"
- description: Host database data on a data disk
aprlGuid: 4ea2878f-0d69-8d4a-b715-afc10d1e538e
@@ -109,8 +117,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Introduction to Azure managed disks - Data disks
url: "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk"
+ - name: Azure managed disk types
+ url: "https://learn.microsoft.com/azure/virtual-machines/disks-types"
- description: Backup VMs with Azure Backup service
aprlGuid: 1981f704-97b9-b645-9c57-33f8ded9261a
@@ -128,7 +138,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: What is the Azure Backup service?
url: "https://learn.microsoft.com/azure/backup/backup-overview"
- description: Production VMs should be using SSD disks
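Review bot: The renamed link `Migrate your Azure unmanaged disks by Sep 30, 2025` in the `@@ -90,8 +94,12 @@` hunk bakes a deadline into a display name; once that date passes the label is wrong while the linked `unmanaged-disks-deprecation` article is still the right reference, and nothing in this metadata will prompt anyone to revisit it. Prefer a date-free name that describes the page, e.g. `- name: Unmanaged disks deprecation and migration guidance`, and leave the deadline to the article and to the recommendation's `longDescription` (which is outside this hunk). The two Windows/Linux conversion links added below it are fine.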
@@ -140,14 +150,14 @@
recommendationMetadataState: Active
longDescription: |
Premium SSD disks support I/O-intensive apps with high performance, low latency, ideal for production. Standard SSDs offer cost-effective solutions for less critical workloads with consistent performance.
- potentialBenefits: High-performance & reliability for critical apps
+ potentialBenefits: High-performance and reliability for critical apps
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Azure managed disk types
url: "https://learn.microsoft.com/azure/virtual-machines/disks-types#premium-ssd"
- description: Review VMs in stopped state
@@ -166,7 +176,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: States and billing status of Azure Virtual Machines
url: "https://learn.microsoft.com/azure/virtual-machines/states-billing?context=%2Ftroubleshoot%2Fazure%2Fvirtual-machines%2Fcontext%2Fcontext#power-states-and-billing"
- description: Enable Accelerated Networking (AccelNet)
@@ -178,14 +188,14 @@
recommendationMetadataState: Active
longDescription: |
Accelerated networking enables SR-IOV to a VM, greatly improving its networking performance by bypassing the host from the data path, which reduces latency, jitter, and CPU utilization for demanding network workloads on supported VM types.
- potentialBenefits: Reduces latency, jitter & CPU use
+ potentialBenefits: Reduces latency, jitter and CPU use
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Accelerated Networking (AccelNet) overview
url: "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
- description: When AccelNet is enabled, you must manually update the GuestOS NIC driver
@@ -204,7 +214,7 @@
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Accelerated Networking (AccelNet) overview
url: "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview"
- description: VMs should not have a Public IP directly associated
@@ -223,7 +233,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Use Source Network Address Translation (SNAT) for outbound connections
url: "https://learn.microsoft.com/azure/load-balancer/load-balancer-outbound-connections"
- description: VM network interfaces and associated subnets both have a Network Security Group (NSG) associated
@@ -242,7 +252,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: How network security groups filter network traffic
url: "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works#intra-subnet-traffic"
- description: IP Forwarding should only be enabled for Network Virtual Appliances
@@ -261,7 +271,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Enable or disable IP forwarding
url: "https://learn.microsoft.com/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#enable-or-disable-ip-forwarding"
- description: Customer DNS Servers should be configured in the Virtual Network level
@@ -280,7 +290,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Name resolution for resources in Azure virtual networks
url: "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
- description: Shared disks should only be enabled in clustered servers
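Review bot: In the `@@ -223,7 +233,7 @@` hunk the only learn-more link for `VMs should not have a Public IP directly associated` is now explicitly named `Use Source Network Address Translation (SNAT) for outbound connections`, which frames the recommendation as an outbound-egress concern; the security reason a reviewer would expect here is the inbound attack surface of a public IP attached straight to a NIC, and the link set gives the reader nothing on that. Keep the SNAT link (it answers "how do I still get egress") and add a second entry covering inbound exposure, e.g. reuse the NSG article this same file already links for the next recommendation: `- name: How network security groups filter network traffic` / `url: "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"`. If the repository already links an Azure Bastion or Just-in-time access article elsewhere, that would be the more precise reference for administrative access.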
@@ -299,7 +309,9 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Azure Shared Disk Introduction
+ url: "https://learn.microsoft.com/azure/virtual-machines/disks-shared"
+ - name: Enable Shared Disks
url: "https://learn.microsoft.com/azure/virtual-machines/disks-shared-enable?tabs=azure-portal"
- description: Network access to the VM disk should be set to Disable public access and enable private access
@@ -311,14 +323,14 @@
recommendationMetadataState: Active
longDescription: |
Recommended changing to "Disable public access and enable private access" and creating a Private Endpoint to improve security by restricting direct public access and ensuring connections are made privately, enhancing data protection and minimizing potential external threats.
- potentialBenefits: Enhances VM security & privacy
+ potentialBenefits: Enhances VM security and privacy
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Restrict import/export access for managed disks using Azure Private Link
url: "https://learn.microsoft.com/azure/virtual-machines/disks-enable-private-links-for-import-export-portal"
- description: Ensure that your VMs are compliant with Azure Policies
@@ -330,15 +342,17 @@
recommendationMetadataState: Active
longDescription: |
Keeping your virtual machine (VM) secure is crucial for the applications you run. This involves using various Azure services and features to ensure secure access to your VMs and the secure storage of your data, aiming for overall security of your VM and applications.
- potentialBenefits: Secure VMs & applications
+ potentialBenefits: Secure VMs and applications
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Policy-driven governance
url: "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-principles#policy-driven-governance"
+ - name: Azure Policy Regulatory Compliance controls for Azure Virtual Machines
+ url: "https://learn.microsoft.com/azure/virtual-machines/security-policy"
- description: Enable advanced encryption options for your managed disks
aprlGuid: f0a97179-133a-6e4f-8a49-8a44da73ffce
@@ -356,7 +370,7 @@
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Overview of managed disk encryption options
url: "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview"
- description: Enable VM Insights
@@ -368,15 +382,17 @@
recommendationMetadataState: Active
longDescription: |
VM Insights monitors VM and scale set performance, health, running processes, and dependencies. It enhances the predictability of application performance and availability by pinpointing performance bottlenecks and network issues, and it clarifies if problems are related to other dependencies.
- potentialBenefits: Improves VM performance & health
+ potentialBenefits: Improves VM performance and health
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Overview of VM insights
url: "https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-overview"
+ - name: Did the extension install properly?
+ url: "https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-troubleshoot#did-the-extension-install-properly"
- description: Configure diagnostic settings for all Azure Virtual Machines
aprlGuid: 4a9d8973-6dba-0042-b3aa-07924877ebd5
@@ -387,14 +403,14 @@
recommendationMetadataState: Active
longDescription: |
Azure Monitor Metrics automatically receives platform metrics, but platform logs, which offer detailed diagnostics and auditing for resources and their Azure platform, need to be manually routed for collection.
- potentialBenefits: Enhanced diagnostics & auditing capability
+ potentialBenefits: Enhanced diagnostics and auditing capability
pgVerified: Preview
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Diagnostic settings in Azure Monitor
url: "https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal"
- description: Use maintenance configurations for the VMs
@@ -413,7 +429,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Use maintenance configurations to control and manage the VM updates
url: "https://learn.microsoft.com/azure/virtual-machines/maintenance-configurations"
- description: Don't use A or B-Series VMs for production needing constant full CPU performance
@@ -432,7 +448,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: B-series burstable virtual machine sizes
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/sizes-b-series-burstable"
- description: Mission Critical Workloads should be using Premium or Ultra Disks
@@ -444,14 +460,14 @@
recommendationMetadataState: Active
longDescription: |
Azure Premium SSDs provide high-performance, low-latency for IO-intensive VM workloads. Premium SSD v2 offers better performance at a lower cost, with adjustable capacity, throughput, IOPS, ideal for shifting needs, but not as OS Disks.
- potentialBenefits: Enhanced performance & cost efficiency
+ potentialBenefits: Enhanced performance and cost efficiency
pgVerified: Verified
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Disk type comparison and decision tree
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
- description: Use Azure Boost VMs for Maintenance sensitive workload
@@ -470,8 +486,10 @@
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Microsoft Azure Boost
url: "https://learn.microsoft.com/azure/azure-boost/overview"
+ - name: Announcing the general availability of Azure Boost
+ url: "https://aka.ms/AzureBoostGABlog"
- description: Enable Scheduled Events for Maintenance sensitive workload VMs
aprlGuid: 2de8fa5e-14f4-4c4c-857f-1520f87a629f
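Review bot: The `+ url: "https://aka.ms/AzureBoostGABlog"` line in the `@@ -470,8 +486,10 @@` hunk is an aka.ms redirector rather than a documentation address: its destination is controlled by whoever owns the short link and can be repointed after this is merged, it cannot be reviewed for content from the diff, and it is the only non-`learn.microsoft.com` target in every hunk of this file section. Replace it with the resolved destination URL so the reference is stable and auditable, or drop the entry, since the preceding `Microsoft Azure Boost` link already points at the overview article.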
@@ -489,5 +507,9 @@
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Monitor scheduled events for your Azure VMs
url: "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-event-service"
+ - name: Azure Metadata Service Scheduled Events for Linux VMs
+ url: "https://learn.microsoft.com/azure/virtual-machines/linux/scheduled-events"
+ - name: Azure Metadata Service Scheduled Events for Windows VMs
+ url: "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events"
diff --git a/azure-resources/ContainerRegistry/registries/recommendations.yaml b/azure-resources/ContainerRegistry/registries/recommendations.yaml
index 0f8685565..339b0d336 100644
--- a/azure-resources/ContainerRegistry/registries/recommendations.yaml
+++ b/azure-resources/ContainerRegistry/registries/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Use Premium tier for critical production workloads 
+- description: Use Premium tier for critical production workloads
aprlGuid: eb005943-40a8-194b-9db2-474d430046b7
recommendationTypeId: null
recommendationControl: Scalability
@@ -7,14 +7,14 @@
recommendationMetadataState: Active
longDescription: |
Choose a service tier of Azure Container Registry to meet your performance needs. Premium offers the most bandwidth and highest rate of read and write operations for high-volume deployments. Use Basic to start, Standard for production, and Premium for hyper-scale performance and geo-replication.
- potentialBenefits: High-volume support & geo-replication
+ potentialBenefits: High-volume support and geo-replication
pgVerified: Preview
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Container Registry Best Practices
url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices"
- description: Enable zone redundancy
@@ -26,14 +26,14 @@
recommendationMetadataState: Active
longDescription: |
Azure Container Registry's optional zone redundancy enhances resiliency and high availability for registries or replication resources in a specific region by distributing resources across multiple zones.
- potentialBenefits: Enhances resiliency & high availability
+ potentialBenefits: Enhances resiliency and high availability
pgVerified: Preview
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Registry best practices - Enable zone redundancy
url: "https://review.learn.microsoft.com/en-us/azure/container-registry/zone-redundancy?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json&branch=main"
- description: Enable geo-replication
@@ -52,8 +52,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Registry best practices - Enable geo-replication
url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#geo-replicate-multi-region-deployments"
+ - name: Geo-Replicate Container Registry
+ url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-geo-replication"
- description: Use Repository namespaces
aprlGuid: a5a0101a-a240-8742-90ba-81dbde9a0c0c
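Review bot: The new name `Registry best practices - Enable zone redundancy` in the `@@ -26,14 +26,14 @@` hunk does not describe the URL under it: that URL points at the `zone-redundancy` article, not the best-practices page, and it is hosted on `review.learn.microsoft.com` with `&branch=main`, the internal docs-preview host, which customers cannot open (it appears to require a Microsoft login). The URL line is unchanged context, so the breakage predates this commit, but the entry is being relabelled here and the label now advertises a page the reader cannot reach. Point it at the public address and name it for what it is: `- name: Enable zone redundancy in Azure Container Registry` / `url: "https://learn.microsoft.com/en-us/azure/container-registry/zone-redundancy"`; the `toc=`/`bc=` parameters only control breadcrumbs and can go with the `branch=` one.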
@@ -64,14 +66,14 @@
recommendationMetadataState: Active
longDescription: |
Using repository namespaces allows a single registry to be shared across multiple groups and deployments within an organization, supporting nested namespaces for group isolation. However, repositories are managed independently, not hierarchically.
- potentialBenefits: Enables sharing & group isolation
+ potentialBenefits: Enables sharing and group isolation
pgVerified: Preview
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Registry best practices - use repository namespaces
url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#repository-namespaces"
- description: Move Container Registry to a dedicated resource group
@@ -90,7 +92,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Registry best practices - Use dedicated resource group
url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#dedicated-resource-group"
- description: Manage registry size
@@ -101,7 +103,7 @@
recommendationResourceType: Microsoft.ContainerRegistry/registries
recommendationMetadataState: Active
longDescription: |
- The storage constraints of Azure Container Registry's service tiers align with usage scenarios: Basic for starters, Standard for production, and Premium for high-scale performance & geo-replication.
+ The storage constraints of Azure Container Registry's service tiers align with usage scenarios: Basic for starters, Standard for production, and Premium for high-scale performance and geo-replication.
potentialBenefits: Reduce costs, optimize storage
pgVerified: Preview
publishedToLearn: false
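Review bot: Style only: the new link name `Registry best practices - use repository namespaces` in the `@@ -64,14 +66,14 @@` hunk lower-cases `use`, while every sibling name introduced in this file (`Enable zone redundancy`, `Enable geo-replication`, `Use dedicated resource group`, `Manage registry size`) capitalises the verb after the dash. Change it to `- name: Registry best practices - Use repository namespaces` so the rendered list reads consistently.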
@@ -109,8 +111,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Registry best practices - Manage registry size
url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-best-practices#manage-registry-size"
+ - name: Retention Policy
+ url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-retention-policy#about-the-retention-policy"
- description: Disable anonymous pull access
aprlGuid: 03f4a7d8-c5b4-7842-8e6e-14997a34842b
@@ -121,14 +125,14 @@
recommendationMetadataState: Active
longDescription: |
By default, Azure container registry requires authentication for pull/push actions. Enabling anonymous pull access exposes all content for public read actions. This applies to all repositories, potentially allowing unrestricted access if repository-scoped tokens are used.
- potentialBenefits: Enhanced security & controlled access
+ potentialBenefits: Enhanced security and controlled access
pgVerified: Preview
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Enable anonymous pull access
url: "https://learn.microsoft.com/en-us/azure/container-registry/anonymous-pull-access#about-anonymous-pull-access"
- description: Configure Diagnostic Settings for all Azure Container Registries
@@ -147,8 +151,10 @@
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Monitoring Azure Container Registry data reference - Resource Logs
url: "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service-reference#resource-logs"
+ - name: Monitor Azure Container Registry - Enable diagnostic logs
+ url: "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service#collection-and-routing"
- description: Monitor Azure Container Registry with Azure Monitor
aprlGuid: d594cde6-4116-d143-a64a-25f63289a2f8
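Review bot: In the `@@ -121,14 +125,14 @@` hunk the recommendation is `Disable anonymous pull access`, but its learn-more link is now named `Enable anonymous pull access`, which tells the reader to do the opposite of what the entry recommends; the URL's `#about-anonymous-pull-access` anchor is the right section, so only the label is wrong. Name it for the section or for the action being recommended, e.g. `- name: About anonymous pull access in Azure Container Registry`, or `Disable anonymous pull access` if the article has a section with that heading. A security recommendation whose link title inverts the advice is the kind of thing that gets copied verbatim into tickets, so it is worth fixing before publishing.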
@@ -159,15 +165,17 @@
recommendationMetadataState: Active
longDescription: |
Monitoring Azure resources using Azure Monitor enhances their availability, performance, and operation. Azure Container Registry, a full-stack monitoring service, provides features for Azure and other cloud and on-premises resources.
- potentialBenefits: Enhanced monitoring & operation
+ potentialBenefits: Enhanced monitoring and operation
pgVerified: Preview
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: no
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Monitoring Azure Container Registry data reference
url: "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service-reference#metrics"
+ - name: Monitor Azure Container Registry
+ url: "https://learn.microsoft.com/en-us/azure/container-registry/monitor-service"
- description: Enable soft delete policy
aprlGuid: e7f0fd54-fba0-054e-9ab8-e676f2851f88
@@ -185,5 +193,5 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Enable soft delete policy
url: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-soft-delete-policy"
diff --git a/azure-resources/ContainerService/managedClusters/recommendations.yaml b/azure-resources/ContainerService/managedClusters/recommendations.yaml
index 106f3eae5..b98226e97 100644
--- a/azure-resources/ContainerService/managedClusters/recommendations.yaml
+++ b/azure-resources/ContainerService/managedClusters/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Deploy AKS cluster across availability zones 
+- description: Deploy AKS cluster across availability zones
aprlGuid: 4f63619f-5001-439c-bacb-8de891287727
recommendationTypeId: null
recommendationControl: High Availability
@@ -14,8 +14,10 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: AKS Availability Zones
url: "https://learn.microsoft.com/en-us/azure/aks/availability-zones"
+ - name: Zone Balancing
+ url: "https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones#zone-balancing"
- description: Isolate system and application pods
aprlGuid: 5ee083cd-6ac3-4a83-8913-9549dd36cf56
@@ -33,7 +35,7 @@
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: System and user node pools
url: "https://learn.microsoft.com/en-us/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools"
- description: Disable local accounts
@@ -45,15 +47,19 @@
recommendationMetadataState: Active
longDescription: |
Local Kubernetes accounts in AKS, being non-auditable and legacy, are discouraged. Microsoft Entra's integration offers centralized management, multi-factor authentication, RBAC for detailed access, and a secure, scalable authentication system compatible with Azure and external identity providers.
- potentialBenefits: Enhanced security & access control
+ potentialBenefits: Enhanced security and access control
pgVerified: Preview
publishedToLearn: false
publishedToAdvisor: false
automationAvailable: arg
tags: null
learnMoreLink:
- - name: Learn More
+ - name: Entra integration
url: "https://learn.microsoft.com/en-us/azure/aks/concepts-identity#azure-ad-integration"
+ - name: Use Azure role-based access control for AKS
+ url: "https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac?source=recommendations"
+ - name: Manage AKS local accounts
+ url: "https://learn.microsoft.com/en-us/azure/aks/manage-local-accounts-managed-azure-ad?source=recommendations"
- description: Configure Azure CNI networking for dynamic allocation of IPs
aprlGuid: c22db132-399b-4e7c-995d-577a60881be8
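Review bot: Both `+ url:` lines added to the `Disable local accounts` entry in the `@@ -45,15 +47,19 @@` hunk end in `?source=recommendations`, which is an attribution/tracking parameter rather than part of the page address; no other link in this hunk or file section carries it, and the page is the same without it. Strip it so the stored URLs are canonical and do not leak a referral tag into whatever surfaces consume this metadata: `url: "https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac"` and `url: "https://learn.microsoft.com/en-us/azure/aks/manage-local-accounts-managed-azure-ad"`. The `Manage AKS local accounts` link is the one that actually documents the recommended action, so consider listing it first.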
@@ -71,8 +77,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Configure Azure CNI networking url: "https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni-dynamic-ip-allocation" + - name: Configure Azure CNI Overlay networking + url: "https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay" - description: Enable the cluster auto-scaler on an existing cluster aprlGuid: 902c82ff-4910-4b61-942d-0d6ef7f39b67 @@ -83,15 +91,21 @@ recommendationMetadataState: Active longDescription: | The cluster auto-scaler in AKS adjusts node counts based on pod resource needs and available capacity, enabling scaling as per demand to prevent outages. - potentialBenefits: Optimizes scaling & prevents outages + potentialBenefits: Optimizes scaling and prevents outages pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Use the Cluster Autoscaler on AKS url: "https://learn.microsoft.com/azure/aks/cluster-autoscaler?tabs=azure-cli" + - name: Best practices for advanced scheduler features + url: "https://learn.microsoft.com/azure/aks/operator-best-practices-advanced-scheduler" + - name: Node pool scaling considerations and best practices + url: "https://learn.microsoft.com/azure/aks/best-practices-performance-scale-large#node-pool-scaling" + - name: Best practices for basic scheduler features + url: "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler" - description: Back up Azure Kubernetes Service aprlGuid: 269a9f1a-6675-460a-831e-b05a887a8c4b 
@@ -109,8 +123,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: AKS Backups url: "https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup" + - name: Best Practices for AKS Backups + url: "https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-storage" - description: Plan an AKS version upgrade aprlGuid: e6188d3b-7fbc-4ecf-a37b-b658f9efcdc4 @@ -128,8 +144,12 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Updating to the latest AKS version url: "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security?tabs=azure-cli#regularly-update-to-the-latest-version-of-kubernetes" + - name: Upgrade cluster + url: "https://learn.microsoft.com/azure/aks/upgrade-cluster?tabs=azure-cli" + - name: Auto-upgrading cluster + url: "https://learn.microsoft.com/azure/aks/auto-upgrade-cluster" - description: Use zone-redundant storage for persistent volumes when running multi-zone AKS aprlGuid: d3111036-355d-431b-ab49-8ddad042800b 
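Review bot: In hunk `@@ -109,8 +123,10 @@` the new entry `- name: Best Practices for AKS Backups` points at `operator-best-practices-storage`, which appears to be the general AKS storage best-practices page rather than a backup-specific one; a label such as `- name: Best practices for storage and backups in AKS` would match what the reader lands on. The same hunk keeps the `en-us/` locale segment in its URLs while the following hunk (`@@ -128,8 +144,12 @@`) adds locale-free `learn.microsoft.com/azure/...` links, and the rest of this file mixes both forms; picking one (the locale-free form lets the Learn site serve the reader's own language) would make the file easier to maintain.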
@@ -147,8 +167,16 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/azure/aks/azure-disk-csi#azure-disk-csi-driver-features" + - name: Availability zones overview + url: "https://learn.microsoft.com/azure/reliability/availability-zones-overview?tabs=azure-cli" + - name: Zone-redundant storage + url: "https://learn.microsoft.com/azure/storage/common/storage-redundancy#zone-redundant-storage" + - name: ZRS disks + url: "https://learn.microsoft.com/azure/virtual-machines/disks-redundancy#zone-redundant-storage-for-managed-disks" + - name: Convert a disk from LRS to ZRS + url: "https://learn.microsoft.com/azure/virtual-machines/disks-migrate-lrs-zrs" + - name: Enable multi-zone storage redundancy in Azure Container Storage + url: "https://learn.microsoft.com/azure/storage/container-storage/enable-multi-zone-redundancy" - description: Upgrade Persistent Volumes using in-tree drivers to Azure CSI drivers aprlGuid: b002c030-72e6-4a37-8217-1cb276c43169 @@ -166,8 +194,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/aks/csi-storage-drivers" + - name: CSI Storage Drivers + url: "https://learn.microsoft.com/azure/aks/csi-storage-drivers" + - name: CSI Migrate in Tree Volumes + url: "https://learn.microsoft.com/azure/aks/csi-migrate-in-tree-volumes" - description: Implement Resource Quota to ensure that Kubernetes resources do not exceed hard resource limits aprlGuid: 9a1c17e5-c9a0-43db-b920-adaf54d1bcb7 @@ -185,7 +215,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Resource Quotas url: "https://kubernetes.io/docs/concepts/policy/resource-quotas/" - description: Attach Virtual Nodes (ACI) to the AKS cluster 
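Review bot: Hunk `@@ -147,8 +167,16 @@` removes the only AKS-specific reference (`azure-disk-csi#azure-disk-csi-driver-features`) from the zone-redundant persistent-volume recommendation and replaces it with generic storage-redundancy, managed-disk and Azure Container Storage pages, so the reader no longer sees how ZRS disks are requested through the AKS CSI driver; consider keeping the removed entry alongside the new ones. The first new URL also carries `?tabs=azure-cli` on what looks like a conceptual overview page with no tab to select, so `url: "https://learn.microsoft.com/azure/reliability/availability-zones-overview"` would be cleaner.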
@@ -204,8 +234,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Virtual Nodes url: "https://learn.microsoft.com/azure/aks/virtual-nodes" + - name: Azure Container Instances + url: "https://learn.microsoft.com/azure/container-instances/container-instances-overview" - description: Update AKS tier to Standard aprlGuid: 0611251f-e70f-4243-8ddd-cfe894bec2e7 @@ -216,15 +248,17 @@ recommendationMetadataState: Active longDescription: | Production AKS clusters require the Standard tier for a financially backed SLA and enhanced node scalability, as the free service lacks these features. - potentialBenefits: SLA guarantee & better scalability + potentialBenefits: SLA guarantee and better scalability pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Pricing Tiers url: "https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers" + - name: AKS Baseline Architecture + url: "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Faks%2Ftoc.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fbread%2Ftoc.json#kubernetes-api-server-sla" - description: Enable AKS Monitoring aprlGuid: dcaf8128-94bd-4d53-9235-3a0371df6b74 @@ -242,7 +276,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Monitor AKS url: "https://learn.microsoft.com/azure/aks/monitor-aks" - description: Use Ephemeral OS disks on AKS clusters 
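Review bot: The `AKS Baseline Architecture` URL added in hunk `@@ -216,15 +248,17 @@` embeds `toc=` and `bc=` query parameters that only drive the Learn site's navigation sidebar and breadcrumbs; the page resolves without them, so `url: "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks#kubernetes-api-server-sla"` is shorter and does not carry percent-encoded cross-links that may break if the AKS table of contents moves. The same applies to the `AKS Baseline - Policy Management` entry in the later hunk `@@ -273,15 +311,17 @@`.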
@@ -254,14 +288,18 @@ recommendationMetadataState: Active longDescription: | Ephemeral OS disks on AKS offer lower read/write latency due to local attachment, eliminating the need for replication seen with managed disks. This enhances performance and speeds up cluster operations such as scaling or upgrading due to quicker re-imaging and boot times. - potentialBenefits: Lower latency, faster re-imaging & booting + potentialBenefits: Lower latency, faster re-imaging and booting pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Ephemeral OS disk + url: "https://learn.microsoft.com/azure/aks/concepts-storage#ephemeral-os-disk" + - name: Configure an AKS cluster + url: "https://learn.microsoft.com/azure/aks/cluster-configuration" + - name: Everything you want to know about ephemeral OS disks and AKS url: "https://learn.microsoft.com/samples/azure-samples/aks-ephemeral-os-disk/aks-ephemeral-os-disk/" - description: Enable and remediate Azure Policies configured for AKS 
@@ -273,15 +311,17 @@ recommendationMetadataState: Active longDescription: | Azure Policies in AKS clusters help enforce governance best practices concerning security, authentication, provisioning, networking, and more, ensuring a robust and secure environment for operations. - potentialBenefits: Enhanced AKS governance & security + potentialBenefits: Enhanced AKS governance and security pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: AKS Baseline - Policy Management url: "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Faks%2Ftoc.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fbread%2Ftoc.json#policy-management" + - name: Built-in Policy Definitions for AKS + url: "https://learn.microsoft.com/en-us/azure/aks/policy-reference" - description: Enable GitOps when using DevOps frameworks aprlGuid: 5f3cbd68-692a-4121-988c-9770914859a9 @@ -299,8 +339,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: GitOps with AKS url: "https://learn.microsoft.com/en-us/azure/architecture/guide/aks/aks-cicd-github-actions-and-gitops" + - name: GitOps for AKS - Reference Architecture + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gitops-aks/gitops-blueprint-aks" - description: Configure affinity or anti-affinity rules based on application requirements aprlGuid: 928fcc6f-5e9a-42d9-9bd4-260af42de2e5 
@@ -318,8 +360,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Topology Spread Constraints url: "https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/" + - name: Assign Pod Node + url: "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/" - description: Configures Pods Liveness, Readiness, and Startup Probes aprlGuid: cd6791b1-c60e-4b37-ac98-9897b1e6f4b8 @@ -337,8 +381,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Configure probes url: "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/" + - name: Assign Pod Node + url: "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/" - description: Configure pod replica sets in production applications to guarantee availability aprlGuid: bcfe71f1-ebed-49e5-a84a-193b81ad5d27 @@ -356,7 +402,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Replica Sets url: "https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/" - description: Configure system nodepool count @@ -375,7 +421,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: System nodepools url: "https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli" - description: Configure user nodepool count @@ -394,7 +440,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Well-Architected Framework review for Azure Kubernetes Service (AKS) url: "https://learn.microsoft.com/azure/well-architected/service-guides/azure-kubernetes-service#design-checklist" - description: Configure pod disruption budgets (PDBs) 
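Review bot: In hunk `@@ -337,8 +381,10 @@` the probes recommendation gains `- name: Assign Pod Node` with `url: "https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/"`, which is the same link the preceding hunk (`@@ -318,8 +360,10 @@`) adds for affinity rules and has no bearing on liveness, readiness or startup probes; this looks like a copy-paste carry-over. Either drop the entry or replace it with a probe-related page such as the Kubernetes Pod lifecycle concepts documentation. Where the entry is kept (the affinity hunk), the name is a mechanical shortening of the page's title; `- name: Assigning Pods to Nodes` reads better.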
@@ -413,8 +459,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Configure PDBs url: "https://kubernetes.io/docs/tasks/run-application/configure-pdb/" + - name: Plan availability using PDBs + url: "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler#plan-for-availability-using-pod-disruption-budgets" - description: Nodepool subnet size needs to accommodate maximum auto-scale settings aprlGuid: e620fa98-7a40-41a0-bfc9-b4407297fb58 @@ -432,7 +480,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: AKS Networking url: "https://learn.microsoft.com/azure/aks/concepts-network" - description: Enforce resource quotas at the namespace level @@ -451,5 +499,5 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Resource quotas url: "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler#enforce-resource-quotas" diff --git a/azure-resources/DBforMySQL/flexibleServers/recommendations.yaml b/azure-resources/DBforMySQL/flexibleServers/recommendations.yaml index 57e72c6d5..02797c3f1 100644 --- a/azure-resources/DBforMySQL/flexibleServers/recommendations.yaml +++ b/azure-resources/DBforMySQL/flexibleServers/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Enable HA with zone redundancy +- description: Enable HA with zone redundancy aprlGuid: 88856605-53d8-4bbd-a75b-4a7b14939d32 recommendationTypeId: null recommendationControl: High Availability 
@@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery. - potentialBenefits: Enhanced uptime & data protection + potentialBenefits: Enhanced uptime and data protection pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: High availability concepts in Azure Database for MySQL - Flexible Server url: "https://learn.microsoft.com/azure/mysql/flexible-server/concepts-high-availability" - description: Enable custom maintenance schedule @@ -33,5 +33,5 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Scheduled maintenance in Azure Database for MySQL - Flexible Server url: "https://learn.microsoft.com/azure/mysql/flexible-server/concepts-maintenance" diff --git a/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml b/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml index 8337e46c8..3b98d117a 100644 --- a/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml +++ b/azure-resources/DBforPostgreSQL/flexibleServers/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Enable HA with zone redundancy +- description: Enable HA with zone redundancy aprlGuid: ca87914f-aac4-4783-ab67-82a6f936f194 recommendationTypeId: null recommendationControl: High Availability 
@@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | Enable HA with zone redundancy on flexible server instances to deploy a standby replica in a different zone, offering automatic failover capability for improved reliability and disaster recovery. - potentialBenefits: Enhanced uptime & data protection + potentialBenefits: Enhanced uptime and data protection pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Overview of high availability with Azure Database for PostgreSQL url: "https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-high-availability" - description: Enable custom maintenance schedule @@ -33,5 +33,5 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Scheduled maintenance in Azure Database for PostgreSQL - Flexible Server url: "https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-maintenance" diff --git a/azure-resources/Databricks/workspaces/recommendations.yaml b/azure-resources/Databricks/workspaces/recommendations.yaml index 8ec255436..143a66f2b 100644 --- a/azure-resources/Databricks/workspaces/recommendations.yaml +++ b/azure-resources/Databricks/workspaces/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Databricks runtime version is not latest or is not LTS version +- description: Databricks runtime version is not latest or is not LTS version aprlGuid: 0e835cc2-2551-a247-b1f1-3c5f25c9cb70 recommendationTypeId: null recommendationControl: Governance 
@@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | Databricks recommends migrating workloads to the latest or LTS version of its runtime for enhanced stability and support. If on Runtime 11.3 LTS or above, move directly to the latest 12.x version. If below, first migrate to 11.3 LTS, then to the latest 12.x version as per the migration guide. - potentialBenefits: Enhanced stability & support + potentialBenefits: Enhanced stability and support pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Databricks runtime support lifecycles url: "https://learn.microsoft.com/en-us/azure/databricks/release-notes/runtime/databricks-runtime-ver" - description: Use Databricks Pools @@ -33,7 +33,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Use SSD backed VMs for Worker VM Type and Driver type @@ -52,7 +52,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure managed disk types url: "https://learn.microsoft.com/azure/virtual-machines/disks-types#premium-ssd" - description: Enable autoscaling for batch workloads 
@@ -64,14 +64,14 @@ recommendationMetadataState: Active longDescription: | Autoscaling adjusts cluster sizes automatically based on workload demands, offering benefits for many use cases in terms of costs and performance. It includes guidance on when and how to best utilize Autoscaling. For streaming, Delta Live Tables with autoscaling is advised. - potentialBenefits: Cost & performance optimization + potentialBenefits: Cost and performance optimization pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#enable-autoscaling-for-batch-workloadss" - description: Enable autoscaling for SQL warehouse @@ -83,14 +83,14 @@ recommendationMetadataState: Active longDescription: | The scaling parameter of a SQL warehouse defines the min and max number of clusters for distributing queries. By default, it's set to one. Increasing the cluster count can accommodate more concurrent users effectively. - potentialBenefits: Improves concurrency & efficiency + potentialBenefits: Improves concurrency and efficiency pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#enable-autoscaling-for-sql-warehouse" - description: Use Delta Live Tables enhanced autoscaling 
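Review bot: The renamed entry in hunk `@@ -64,14 +64,14 @@` keeps a URL whose fragment reads `#enable-autoscaling-for-batch-workloadss` (double `s`), which most likely matches no heading on the Learn page and silently lands the reader at the top of it; since the entry is already being edited, `url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#enable-autoscaling-for-batch-workloads"` would fix that. Several entries in this file now carry the identical name `Best practices for reliability` and differ only by fragment, so a section-specific name such as `- name: Enable autoscaling for batch workloads` would tell the reader what the link is for.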
@@ -102,15 +102,17 @@ recommendationMetadataState: Active longDescription: | Databricks enhanced autoscaling optimizes cluster utilization by automatically allocating cluster resources based on workload volume, with minimal impact on the data processing latency of your pipelines. - potentialBenefits: Optimized resource use & minimal latency + potentialBenefits: Optimized resource use and minimal latency pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/azure/databricks/lakehouse-architecture/reliability/best-practices" + - name: Databricks enhanced autoscaling + url: "https://learn.microsoft.com/azure/databricks/delta-live-tables/settings#use-autoscaling-to-increase-efficiency-and-reduce-resource-usage" - description: Automatic Job Termination is enabled, ensure there are no user-defined local processes aprlGuid: 3d3e53b5-ebd1-db42-b43b-d4fad74824ec @@ -128,7 +130,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability? url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Enable Logging-Cluster log delivery 
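Review bot: Hunk `@@ -128,7 +130,7 @@` introduces `- name: Best practices for reliability?` with a trailing question mark, which reads like an unresolved editing note rather than a link title and will be rendered verbatim wherever learnMoreLink names are surfaced; drop it: `- name: Best practices for reliability`. If the question was whether this page is the right target for the automatic-job-termination recommendation, linking the relevant section of that page by fragment rather than the page root would settle it.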
@@ -140,14 +142,14 @@ recommendationMetadataState: Active longDescription: | When creating a Databricks cluster, you can set a log delivery location for the Spark driver, worker nodes, and events. Logs are delivered every 5 mins and archived hourly. Upon cluster termination, all generated logs until that point are guaranteed to be delivered. - potentialBenefits: Improved troubleshooting & audit + potentialBenefits: Improved troubleshooting and audit pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Create a cluster url: "https://learn.microsoft.com/en-us/azure/databricks/clusters/configure#cluster-log-delivery" - description: Use Delta Lake for higher reliability @@ -159,14 +161,14 @@ recommendationMetadataState: Active longDescription: | Delta Lake is an open source storage format enhancing data lakes' reliability with ACID transactions, schema enforcement, and scalable metadata handling. - potentialBenefits: Enhances data reliability & processing + potentialBenefits: Enhances data reliability and processing pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Use Photon Acceleration 
@@ -178,14 +180,14 @@ recommendationMetadataState: Active longDescription: | Apache Spark in Databricks Lakehouse ensures resilient distributed data processing by automatically rescheduling failed tasks, aiding in overcoming external issues like network problems or revoked VMs. - potentialBenefits: Boosts speed & reliability for Spark tasks + potentialBenefits: Boosts speed and reliability for Spark tasks pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#use-apache-spark-or-photon-for-distributed-compute" - description: Automatically rescue invalid or nonconforming data with Databricks Auto Loader or Delta Live Tables @@ -204,7 +206,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Configure jobs for automatic retries and termination @@ -216,14 +218,14 @@ recommendationMetadataState: Active longDescription: | Use Databricks and MLflow for deploying models as Spark UDFs for job scheduling, retries, autoscaling. Model serving offers scalable infrastructure, processes models using MLflow, and serves them via REST API using serverless compute managed in Databricks cloud. - potentialBenefits: Enhanced reliability & autoscaling + potentialBenefits: Enhanced reliability and autoscaling pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Use a scalable and production-grade model serving infrastructure 
@@ -235,14 +237,14 @@ recommendationMetadataState: Active longDescription: | Use Databricks and MLflow for deploying models as Apache Spark UDFs, benefiting from job scheduling, retries, autoscaling, etc. - potentialBenefits: Enhances scalability & reliability + potentialBenefits: Enhances scalability and reliability pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Use a layered storage architecture @@ -254,14 +256,14 @@ recommendationMetadataState: Active longDescription: | Curate data by creating a layered architecture to increase data quality across layers. Start with a raw layer for ingested source data, continue with a curated layer for cleansed and refined data, and finish with a final layer catered to business needs, focusing on security and performance. - potentialBenefits: Enhances data quality & trust + potentialBenefits: Enhances data quality and trust pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Improve data integrity by reducing data redundancy @@ -280,7 +282,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Actively manage schemas 
@@ -292,14 +294,14 @@ recommendationMetadataState: Active longDescription: | Uncontrolled schema changes can lead to invalid data and failing jobs. Databricks validates and enforces schema through Delta Lake, which prevents bad records during ingestion, and Auto Loader, which detects new columns and supports schema evolution to maintain data integrity. - potentialBenefits: Prevents invalid data & job failures + potentialBenefits: Prevents invalid data and job failures pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Use constraints and data expectations @@ -318,7 +320,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#use-constraints-and-data-expectations" - description: Create regular backups @@ -330,14 +332,14 @@ recommendationMetadataState: Active longDescription: | To recover from a failure, regular backups are needed. The Databricks Labs project migrate lets admins create backups by exporting workspace assets using the Databricks CLI/API. These backups help in restoring or migrating workspaces. - potentialBenefits: Ensures data recovery & migration + potentialBenefits: Ensures data recovery and migration pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#create-regular-backups" - description: Recover from Structured Streaming query failures 
@@ -349,14 +351,14 @@ recommendationMetadataState: Active longDescription: | Structured Streaming ensures fault-tolerance and data consistency in streaming queries. With Azure Databricks workflows, you can set up your queries to automatically restart after failure, picking up precisely where they left off. - potentialBenefits: Fault-tolerance & auto-restart for queries + potentialBenefits: Fault-tolerance and auto-restart for queries pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#recover-from-structured-streaming-query-failures" - description: Recover ETL jobs based on Delta time travel @@ -375,7 +377,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices#recover-etl-jobs-based-on-delta-time-travel" - description: Use Databricks Workflows and built-in recovery @@ -394,7 +396,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for reliability url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/reliability/best-practices" - description: Configure a disaster recovery pattern @@ -413,7 +415,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Databricks Best Practices url: "https://github.com/Azure/AzureDatabricksBestPractices/tree/master" - description: Automate deployments and workloads 
@@ -432,7 +434,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for operational excellence url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/operational-excellence/best-practices#2-automate-deployments-and-workloads" - description: Set up monitoring, alerting, and logging @@ -444,14 +446,14 @@ recommendationMetadataState: Active longDescription: | The Databricks Terraform provider is a flexible, powerful tool for managing Azure Databricks workspaces and cloud infrastructure. - potentialBenefits: Enhanced reliability & automation + potentialBenefits: Enhanced reliability and automation pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Best practices for operational excellence url: "https://learn.microsoft.com/en-us/azure/databricks/lakehouse-architecture/operational-excellence/best-practices#system-monitoring" - description: Deploy workspaces in separate Subscriptions @@ -470,7 +472,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Databricks Best Practices url: "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#deploy-workspaces-in-multiple-subscriptions-to-honor-azure-capacity-limits" - description: Isolate each workspace in its own Vnet 
@@ -482,14 +484,14 @@ recommendationMetadataState: Active longDescription: | Deploying only one Databricks Workspace per VNet aligns with ADB's isolation model. - potentialBenefits: Enhanced security & resource isolation + potentialBenefits: Enhanced security and resource isolation pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Databricks Best Practices url: "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#consider-isolating-each-workspace-in-its-own-vnet" - description: Do not Store any Production Data in Default DBFS Folders @@ -508,7 +510,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Databricks Best Practices url: "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#do-not-store-any-production-data-in-default-dbfs-foldersr" - description: Do not use Azure Spot VMs for critical Production workloads @@ -527,7 +529,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Use Azure Spot Virtual Machines url: "https://learn.microsoft.com/en-us/azure/virtual-machines/spot-vms" - description: Migrate Legacy Workspaces @@ -546,8 +548,12 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Databricks regions - IP addresses and domains url: "https://learn.microsoft.com/azure/databricks/resources/supported-regions#--ip-addresses-and-domains" + - name: Migrate - maintained by Databricks Inc. + url: "https://github.com/databrickslabs/migrate" + - name: Databricks Terraform Exporter - maintained by Databricks Inc. (Experimental) + url: "https://registry.terraform.io/providers/databricks/databricks/latest/docs/guides/experimental-exporter" - description: Define alternate VM SKUs aprlGuid: 028593be-956e-4736-bccf-074cb10b92f4 
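Review bot: Hunk `@@ -508,7 +510,7 @@` renames the entry but leaves a URL fragment `#do-not-store-any-production-data-in-default-dbfs-foldersr` whose trailing `r` looks like a typo; a wrong fragment fails silently (the page opens at the top), so while this entry is being edited set `url: "https://github.com/Azure/AzureDatabricksBestPractices/blob/master/toc.md#do-not-store-any-production-data-in-default-dbfs-folders"`. In hunk `@@ -546,8 +548,12 @@` the two new entries point at GitHub and the Terraform registry rather than learn.microsoft.com; the names already say who maintains them, which is helpful, but the `(Experimental)` qualifier appears only on the exporter, so readers may assume the `migrate` project carries a support commitment it does not have — consider stating the support status of both in the same way.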
@@ -565,5 +571,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Compute configuration best practices url: "https://learn.microsoft.com/azure/databricks/compute/cluster-config-best-practices" + - name: GPU-enabled compute + url: "https://learn.microsoft.com/azure/databricks/compute/gpu" diff --git a/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml b/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml index e2017440b..6c581adc8 100644 --- a/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml +++ b/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml @@ -1,4 +1,4 @@ -- description: (Personal) Create a validation pool for testing of planned updates +- description: (Personal) Create a validation pool for testing of planned updates aprlGuid: 97d4d8c1-eeb4-4506-b338-79a4949c993b recommendationTypeId: null recommendationControl: Governance 
@@ -9,7 +9,7 @@ At least one Validation Pool to have early warning if a planned update to AVD causes an issue. Also check that the host pool has been used regularly to test planned updates. Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. Validation host pools let you monitor service updates before the service applies them to your standard or non-validation environment. Without a validation host pool, you may not discover changes that introduce errors, which could result in downtime for users in your standard environment. To ensure your apps work with the latest updates, the validation host pool should be as similar to host pools in your non-validation environment as possible. Users should connect as frequently to the validation host pool as they do to the standard host pool. If you have automated testing on your host pool, you should include automated testing on the validation host pool. - potentialBenefits: Early issue detection & testing for AVD updates + potentialBenefits: Early issue detection and testing for AVD updates pgVerified: Verified publishedToLearn: false publishedToAdvisor: false 
@@ -60,3 +60,584 @@ learnMoreLink: - name: Learn More url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-validation-environment?tabs=azure-portal" + +- description: Use Private link when connecting to File Share or Key Vault + aprlGuid: dc55be60-6f8c-461e-a9d5-a3c7686ed94e + recommendationTypeId: null + recommendationControl: Security + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Private Link is available for other Azure services that work in conjunction with Azure Virtual Desktop, such as Azure Files and Key Vault. From a resiliency standpoint, we recommending implementing private endpoints for these services to reduce exposure to potential internet-related issues such as latency, packet loss, and/or downtime. This can lead to more reliable communication between AVD and dependent services. + potentialBenefits: Enhances AVD reliability + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/networking#private-endpoints-private-link" + - name: Private link + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/networking#private-endpoints-private-link" + +- description: Configure AVD Insights Workbook + aprlGuid: 0cf72d91-644d-4591-9bb7-84ba3f705a41 + recommendationTypeId: null + recommendationControl: Monitoring and Alerting + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + AVD Insights is an Azure Workbook template provided by the AVD product team. It is highly recommended in order to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. 
Both Production and DR workloads should be enabled with AVD Insights. + potentialBenefits: Enhanced AVD monitoring and troubleshooting + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/insights?tabs=monitor" + +- description: Provision Secondary Key Vault for Disaster Recovery + aprlGuid: 1f57434f-f884-41f3-b818-129bbe3c5d3b + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region. + potentialBenefits: Ensures DR readiness and access + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance" + +- description: Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR + aprlGuid: 37d1091b-e599-4548-a067-a9286be16e45 + recommendationTypeId: null + recommendationControl: Business Continuity + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + NSG and ASG per AVD persona and IP space per Prod/DR regions. + It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. 
Overlapping IP address spaces across on-premises and Azure regions create major contention challenges. + potentialBenefits: Enhances security and prevents IP conflicts + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing" + +- description: Ensure virtual networks have route tables/route server configured for all regions + aprlGuid: db1727d1-5c8e-4a01-a31e-f0d58cfd95b1 + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + For high availability connections back to on-premises datacenters should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region. + potentialBenefits: Enhanced availability and routing + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution" + +- description: Segregate App attach storage in disaster recovery plans with distinct file shares + aprlGuid: 7d9c96a6-1ce5-4cf0-ad1b-638a37f753cb + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + App Attach packages should be on a separate share from profiles. And App Attach files should be backed up. 
+ Best practice is to separate App Attach VHD files in a separate file share away from user profiles, both for performance and scalability purposes. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements. + Your file share should be in the same Azure region as your session hosts. + potentialBenefits: Enhances performance and scalability + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach" + +- description: Turn on Continuous Availability for ANF if using App Attach + aprlGuid: 9b2301af-9cac-4f1a-871a-f17475d01812 + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Turn on Continuous Availability if using Azure Netapp Files. + Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory. 
+ potentialBenefits: Enhanced stability and user limit checks + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach" + +- description: Manually update new FSLogix image when available + aprlGuid: d51e0a70-8b50-4be3-af8a-7c9065e47360 + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: Low + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Ensure a process is in place to regularly check for FSLogix agent upgrades and maintain FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case. + potentialBenefits: Enhanced reliability and support + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/fslogix/how-to-install-fslogix" + +- description: Configure Diagnostic Settings for FSLogix logs and enable review for accounts + aprlGuid: 483f5a00-84a0-49f7-903b-ef6f1fc0c389 + recommendationTypeId: null + recommendationControl: Monitoring and Alerting + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Regularly review FSLogix logs for errors and issues related to login and mounting the profile. Events can be reviewed by looking locally inside the Session Host and also in Log Analytics when the Azure Monitor Agent is used. 
+ potentialBenefits: Enhanced AVD error tracking and resolution + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/fslogix/troubleshooting-events-logs-diagnostics" + +- description: Ensure user permissions are set correctly on SMB shares + aprlGuid: 7b170ddd-5770-4945-9bc3-cd1ccf5f8672 + recommendationTypeId: null + recommendationControl: Security + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event. + potentialBenefits: Enhanced security and disaster recovery + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/fslogix/how-to-configure-storage-permissions" + +- description: Ensure the standard FSLogix configuration is deployed + aprlGuid: c15b2b73-52a1-4db2-88dd-d592424ff4e4 + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices. 
+ potentialBenefits: Optimized session reliability and performance + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles" + +- description: Ensure a unique OU when deploying VMs to Domain + aprlGuid: 939cb85c-102a-4e0a-ab82-5c92116d3778 + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Hybrid VMs should be in a unique OU. + When using AD-joined session hosts will benefit from using a unique OU to target specific AVD configurations per hostpool. Examples include Fslogix, time out limits, session controls, and much more. It�s also important to segment Prod and DR organization units to ensure resources are configured per environment. 
+ potentialBenefits: Improved AVD hostpool config and segmentation + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services" + +- description: Use Azure Site Recovery or Backups on VMs supporting personal desktops + aprlGuid: 38721758-2cc2-4d6b-b7b7-8b47dadbf7df + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Leverage Azure Site Recovery (ASR) or implement Azure Backup for personal host pools for seamless failover and failback capabilities, enabling the replication of VMs supporting personal desktops to a secondary Azure region. In the event of a disaster or unexpected outage, this ensures the recovery of these VMs from a known-state. + potentialBenefits: Ensures VM recovery and failover + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/scheduled-agent-updates" + +- description: Create updated image version and replace session hosts rather than updating host directly + aprlGuid: 2831dab9-6a43-44a1-8aec-90a8e84894bc + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: Low + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Establish a systematic process for handling image updates within your Azure Virtual Desktop environment. Instead of directly updating individual session hosts, create a new version of the updated image. 
This process involves creating and configuring a golden image with the necessary updates and configurations. Once the new image is prepared, replace existing session hosts with instances using the updated image. This approach ensures consistency across all session hosts and minimizes the risk of configuration drift. Additionally, it enables quick rollback to a previous image version in case of any issues with the update. Implementing this process helps streamline maintenance activities and ensures that all session hosts are up-to-date with the latest configurations and updates. + potentialBenefits: Ensures consistency; minimizes drift + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/training/modules/create-manage-session-host-image/" + +- description: Monitor Service Health and Resource Health of AVD + aprlGuid: a75a20e7-8cc0-4f7b-b4a9-e2476bd72429 + recommendationTypeId: null + recommendationControl: Monitoring and Alerting + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Use Service Health to stay informed about the health of the Azure services and regions that you use to insure their availability. + Set up Service Health alerts so that you stay aware of service issues, planned maintenance, or other changes that might affect your Azure Virtual Desktop resources. + Use Resource Health to monitor your VMs and storage solutions. 
+ potentialBenefits: Enhanced AVD uptime and awareness + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/monitoring#resource-health" + +- description: Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones + aprlGuid: 99bf5c94-aa68-4bb3-8b7f-45d1c5f09b5d + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + When using an AD DS identity solution with AVD, it is recommended to deploy domain controllers and DNS servers on Azure virtual machines across availability zones. This improves the environment�s reliability by removing a dependency on an on-premises service and improves performance by creating a shorter path for user authentication. + This recommendation is not relevant when you are utilizing Microsoft Entra as the identity provider. + potentialBenefits: Enhanced reliability and performance + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/identity/adds-extend-domain#reliability" + +- description: Implement RDP Shortpath for Public or Managed Networks + aprlGuid: 3835b4b3-0479-4be8-9ffd-34ae29fa33b9 + recommendationTypeId: null + recommendationControl: Other Best Practices + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + It is recommended to enable RDP Shortpath for AVD. 
RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. By default, Remote Desktop Protocol (RDP) tries to establish connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. TCP-based reverse connect transport provides the best compatibility with various networking configurations and has a high success rate for establishing RDP connections. UDP-based transport offers better connection reliability and more consistent latency. + potentialBenefits: Better reliability and consistent latency + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks" + +- description: Implement a Multi-Region BCDR Plan + aprlGuid: 0714d039-535e-468d-9732-e32b5c094faa + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + It is recommended to adopt a multi-region deployment (active-active) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage. 
+ potentialBenefits: Enhanced resilience and uptime + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Multi-region BCDR + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr" + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/business-continuity#active-active-scenarios" + +- description: Store Golden Image Redundantly for Disaster Recovery + aprlGuid: 0bf1a2bb-7617-4ab2-a784-e7ea40c5f01b + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: Low + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + If a full BCDR strategy is not in place, consider using zone-redundant storage to store golden images across availability zones. Having the image available will allow for faster recovery in case of zonal or regional outage. + potentialBenefits: Faster recovery from outages + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Golden Image + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/business-continuity#golden-images" + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/application-delivery#fault-tolerance" + +- description: Capacity Planning for AVD Resources + aprlGuid: ef4b3561-c85f-47cf-8cb0-51fae9ddf929 + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: Low + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Monitor and plan for subscription limits and API throttling limits. 
Closely monitor your Azure Virtual Desktop deployments, and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits. + Consider scaling across multiple subscriptions if further scaling is required, or work with Azure support to adjust limits based on your business requirements. + To handle a large number of users, consider scaling horizontally by creating multiple host pools. + potentialBenefits: Avoids limits, ensures smooth scaling + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Capacity Planning + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/business-continuity#capacity-planning" + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop#azure-virtual-desktop-limitations" + +- description: Ensure separate log analytics workspaces for Prod and DR + aprlGuid: 89b4d8f6-6345-4d66-9012-c3fc2aef94e8 + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: Low + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident. 
+ potentialBenefits: Improved DR visibility and operation + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics" + +- description: Ensure that FSLogix Storage Account is Redundant + aprlGuid: ed1f0327-0914-49e8-9518-16acb0d6b8d6 + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + It is important to ensure the redundancy of our user profiles when using FSLogix. When using FSLogix with AVD, it is deployed on a file share in a storage account. Data in an Azure Storage account is always replicated three times in the primary region. Below are the options for how your data is replicated in the primary or paired region: + LRS for least expensive replication (not recommended for apps with high availability and durability) + + - LRS provides eleven 9s durability and replicates three time in a single physical location. + - ZRS is recommended for apps requiring high availability across zones. ZRS provides twelve 9s durability. Replicated across three availability zones + - GRS replicates an additional three copies to secondary region and provides sixteen 9s durability. + - GZRS provides both high availability and redundancy across geo replication. It provides sixteen 9s durability over a given year. + + Generally, it is recommended to store your data as secure and redundant as possible. 
+ potentialBenefits: Improves data durability and availability + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/storage#user-profiles" + +- description: Scaling plans should be created per region and not scaled across regions + aprlGuid: e091419d-10ba-4a8e-bdb0-67380cc021a9 + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region. + potentialBenefits: Enhances reliability across failures + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-scaling-plan?tabs=portal" + +- description: Validate AVD Session Host Connectivity to the AVD Control Plane and UDP Ports open if in use + aprlGuid: e718ac1a-ebab-4f75-9e4a-1a5ccef20d1f + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. 
Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections. Proper connectivity validation guarantees optimal performance and user experience within the AVD environment. + potentialBenefits: Enhanced performance and user experience + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-rdp-shortpath" + +- description: Ensure Secondary Entra ID connect synchronization server + aprlGuid: d984eaf9-0fa1-4f8d-a326-bda751993c6f + recommendationTypeId: null + recommendationControl: Security + recommendationImpact: Low + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Hybrid - Entra ID Connect best to run in Azure but can be hosted on-prem. Secondary or more VMs should be setup in staging mode in event of failover. + Set up secondary server in staging mode for Entra Connect for syncing to Entra in case of primary server outage. + potentialBenefits: Improved failover reliability + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-multiple-domains" + +- description: Deploy paired Domain Controllers in the same region as AVD session hosts + aprlGuid: d61f6ee8-de1b-4fd9-9ce3-316cfe11ee05 + recommendationTypeId: null + recommendationControl: Disaster Recovery + recommendationImpact: High + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Ensure each region with session hosts has multiple domain controllers in the same region to support high availability with regards to identity. 
+ For a hybrid scenario, each Azure region with AVD session hosts should have Active Directory Domain Controllers in Azure and use Availability Zones or Availability Sets for resilience within the region. This also mitigates dependency on ER/VPN/Inter-Azure dependencies. + potentialBenefits: Enhanced identity resilience + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr" + +- description: Ensure DNS regions are replicated to avoid single point of failure + aprlGuid: e1a34ac6-8761-4020-b537-d60c0be7514e + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure. + potentialBenefits: Improves uptime and resilience + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr" + +- description: Enable Azure Backup for FSLogix Storage Account + aprlGuid: 0025ed2e-41f4-4ada-93c1-12484cef8b0c + recommendationTypeId: null + recommendationControl: High Availability + recommendationImpact: Medium + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + It is recommended to enable backup on the FSLogix Storage Account. 
Ensuring the user profiles are resilient will allow user data and experience to be consistent through outages. + potentialBenefits: Ensures data resilience and consistency + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: FSLogix + url: "https://learn.microsoft.com/en-us/fslogix/overview-what-is-fslogix" + - name: Backup Storage Account + url: "https://learn.microsoft.com/en-us/azure/backup/blob-backup-configure-manage?tabs=operational-backup" + +- description: Organize AVD resources using the AVD Scale unit model described by the AVD Landing Zone Methodology + aprlGuid: 204b56b0-9710-4c16-b506-bafb5fb318ed + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: Low + recommendationResourceType: Microsoft.DesktopVirtualization/hostPools + recommendationMetadataState: Active + longDescription: | + Follow AVD Landing Zone best practices using multiple resource groups based on resource type and associated shared resources for AVD workloads. + potentialBenefits: Enhanced organization and scalability + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: no + tags: null + learnMoreLink: + - name: Learn More + url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/enterprise-scale-landing-zone" diff --git a/azure-resources/Devices/IotHubs/recommendations.yaml b/azure-resources/Devices/IotHubs/recommendations.yaml index 4d80893ed..b31f335eb 100644 --- a/azure-resources/Devices/IotHubs/recommendations.yaml +++ b/azure-resources/Devices/IotHubs/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Device Identities are exported to a secondary region +- description: Device Identities are exported to a secondary region aprlGuid: 783c6c18-760b-4867-9ced-3010a0bc5aa3 recommendationTypeId: null recommendationControl: Disaster Recovery 
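Review bot: The new `Use Private link when connecting to File Share or Key Vault` entry is filed under `recommendationControl: Security`, yet its longDescription and `potentialBenefits: Enhances AVD reliability` argue only resiliency, and both of its learnMoreLink entries point at the identical URL; either state the security effect (the file share and vault stop being reachable through their public endpoints, so public network access on those resources can be disabled) or reclassify it, and drop the duplicate link. Several other link targets do not match their entries: the Azure Site Recovery/Backup recommendation links to `virtual-desktop/scheduled-agent-updates`, the `Enable Azure Backup for FSLogix Storage Account` entry links to blob backup although the text says the profiles live on an SMB file share, and the multi-region BCDR article is referenced under two different paths (`example-scenario/wvd/...` and `example-scenario/azure-virtual-desktop/...`), so at least one of those is presumably a redirect or a broken link. Two longDescriptions carry a U+FFFD replacement character where an apostrophe was (`It�s`, `environment�s`); the file should be saved as UTF-8 with a plain `'`. The connectivity-validation entry's `Whitelist global URLs and ensure that UDP/TURN ports are open` should name the required-URL list and the specific TURN port ranges from the linked page rather than invite a blanket UDP allow rule on the session-host NSG.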
@@ -14,8 +14,10 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Import and export IoT Hub device identities in bulk
 url: "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-bulk-identity-mgmt"
+ - name: IoT Hub high availability and disaster recovery
+ url: "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr#manual-failover"
 - description: Do not use free tier
 aprlGuid: eeba3a49-fef0-481f-a471-7ff01139b474
@@ -33,7 +35,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Choose the right IoT Hub tier and size for your solution
 url: "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-scaling"
 - description: Use Availability Zones
@@ -52,7 +54,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure IoT Hub high availability and disaster recovery
 url: "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr#availability-zones"
 - description: Use Device Provisioning Service
@@ -64,15 +66,19 @@
 recommendationMetadataState: Active
 longDescription: |
 Device Provisioning Service (DPS) enables easy redistribution of IoT devices for scaling and availability, allowing devices to be reassigned and not bound to specific IoT Hub instances. Devices in IoT Hubs using DPS should be verified for DPS utilization.
- potentialBenefits: Enhances scalability & availability
+ potentialBenefits: Enhances scalability and availability
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: IoT Hub Device Provisioning Service (DPS) terminology
 url: "https://learn.microsoft.com/en-us/azure/iot-dps/concepts-service"
+ - name: Best practices for large-scale IoT device deployments
+ url: "https://learn.microsoft.com/en-us/azure/iot-dps/concepts-deploy-at-scale"
+ - name: IoT Hub Device Provisioning Service high availability and disaster recovery
+ url: "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr"
 - description: Define Failover Guidelines
 aprlGuid: 02568a5d-335e-4e51-9f7c-fe2ada977300
@@ -90,7 +96,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: IoT Hub high availability and disaster recovery
 url: "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-ha-dr"
 - description: Disabled Fallback Route
@@ -109,5 +115,5 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Use message routing - Fallback route
 url: "https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-messages-d2c#fallback-route"
diff --git a/azure-resources/DocumentDB/databaseAccounts/recommendations.yaml b/azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
index 585666069..01d4c81f3 100644
--- a/azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
+++ b/azure-resources/DocumentDB/databaseAccounts/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Configure at least two regions for high availability
+- description: Configure at least two regions for high availability
 aprlGuid: 43663217-a1d3-844b-80ea-571a2ce37c6c
 recommendationTypeId: null
 recommendationControl: High Availability
@@ -7,15 +7,17 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure leverages a multi-tier isolation approach (rack, DC, zone, region) for Cosmos DB's default resilience with four replicas.
- potentialBenefits: Enhances SLA & resilience
+ potentialBenefits: Enhances SLA and resilience
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Distribute data globally with Azure Cosmos DB | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/distribute-data-globally"
+ - name: Tips for building highly available applications | Microsoft Learn
+ url: "https://learn.microsoft.com/en-us/azure/cosmos-db/high-availability#tips-for-building-highly-available-applications"
 - description: Enable service-managed failover for multi-region accounts with single write region
 aprlGuid: 9cabded7-a1fc-6e4a-944b-d7dd98ea31a2
@@ -33,7 +35,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Manage an Azure Cosmos DB account by using the Azure portal | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-manage-database-account#automatic-failover"
 - description: Evaluate multi-region write capability
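Review bot: The link names introduced in hunk `@@ -7,15 +7,17 @@` (and throughout this file and the NetApp file later in the patch) carry the browser-title suffix ` | Microsoft Learn`, which none of the other files touched by this PR use (`Azure Key Vault soft-delete overview`, `Application Gateway Overview V2`). The suffix is page chrome rather than the document title, and the `url` already shows the host, so it adds nothing and makes the rendered recommendation list inconsistent; trimming it, e.g. `- name: Distribute data globally with Azure Cosmos DB`, matches the convention elsewhere. A `|` in the middle of a plain scalar is legal YAML, so this is a consistency point only, not a parse problem.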
@@ -52,8 +54,10 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Distribute data globally with Azure Cosmos DB | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/distribute-data-globally"
+ - name: Conflict resolution types and resolution policies in Azure Cosmos DB | Microsoft Learn
+ url: "https://learn.microsoft.com/en-us/azure/cosmos-db/conflict-resolution-policies"
 - description: Choose appropriate consistency mode reflecting data durability requirements
 aprlGuid: 23ebe97d-c546-204b-8b0d-00e61a5524f7
@@ -64,14 +68,14 @@
 recommendationMetadataState: Active
 longDescription: |
 In a globally distributed database, consistency level impacts data durability in region-wide outages. For business continuity, gauge data loss tolerance post-disruption.
- potentialBenefits: Enhances data durability & recovery
+ potentialBenefits: Enhances data durability and recovery
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Consistency level choices - Azure Cosmos DB | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/consistency-levels"
 - description: Configure continuous backup mode
@@ -90,7 +94,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Continuous backup with point in time restore feature in Azure Cosmos DB | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/continuous-backup-restore-introduction"
 - description: Ensure query results are fully drained
@@ -109,7 +113,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Pagination in Azure Cosmos DB | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/query/pagination#handling-multiple-pages-of-results"
 - description: Maintain singleton pattern in your client
@@ -121,14 +125,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Establishing and maintaining database connections is costly. Using a single instance of the SDK client for each account and application is crucial as connections are tied to the client. Compute environments have a limit on open connections, affecting connectivity when exceeded.
- potentialBenefits: Reduces costs & prevents connectivity issues
+ potentialBenefits: Reduces costs and prevents connectivity issues
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Designing resilient applications with Azure Cosmos DB SDKs | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/conceptual-resilient-sdk-applications"
 - description: Implement retry logic in your client
@@ -147,7 +151,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Designing resilient applications with Azure Cosmos DB SDKs | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/conceptual-resilient-sdk-applications"
 - description: Monitor Cosmos DB health and set up alerts
@@ -166,5 +170,5 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Create alerts for Azure Cosmos DB using Azure Monitor | Microsoft Learn
 url: "https://learn.microsoft.com/en-us/azure/cosmos-db/create-alerts"
diff --git a/azure-resources/EventGrid/topics/recommendations.yaml b/azure-resources/EventGrid/topics/recommendations.yaml
index 39d4712cf..b4d794de0 100644
--- a/azure-resources/EventGrid/topics/recommendations.yaml
+++ b/azure-resources/EventGrid/topics/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Configure Diagnostic Settings for all Azure Event Grid resources
+- description: Configure Diagnostic Settings for all Azure Event Grid resources
 aprlGuid: 54c3191b-b535-1946-bba9-b754f44060f6
 recommendationTypeId: null
 recommendationControl: Monitoring and Alerting
@@ -14,7 +14,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Event Grid - Enable diagnostic logs for Event Grid resources
 url: "https://learn.microsoft.com/en-us/azure/event-grid/enable-diagnostic-logs-topic"
 - description: Configure Dead-letter to save events that cannot be delivered
@@ -33,7 +33,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Event Grid delivery and retry
 url: "https://learn.microsoft.com/en-us/azure/event-grid/delivery-and-retry#dead-letter-events"
 - description: Configure Private Endpoints
@@ -52,5 +52,6 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Configure private endpoints for Azure Event Grid topics or domains
 url: "https://learn.microsoft.com/en-us/azure/event-grid/configure-private-endpoints"
+
diff --git a/azure-resources/EventHub/namespaces/recommendations.yaml b/azure-resources/EventHub/namespaces/recommendations.yaml
index a7eb43352..44392db53 100644
--- a/azure-resources/EventHub/namespaces/recommendations.yaml
+++ b/azure-resources/EventHub/namespaces/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Enable zone redundancy for Event Hub namespace
+- description: Enable zone redundancy for Event Hub namespace
 aprlGuid: 84636c6c-b317-4722-b603-7b1ffc16384b
 recommendationTypeId: null
 recommendationControl: High Availability
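Review bot: Hunk `@@ -52,5 +52,6 @@` of the EventGrid file appends an empty `+` line after the last `url:` entry, so the file now ends in a trailing blank line (presumably two newlines, assuming it already ended with one). yamllint's default `empty-lines` rule flags this and formatters such as Prettier will strip it again, so it only produces churn on the next touch. The same trailing blank line is added by EventHub `@@ -33,5 +33,6 @@` and Insights/components `@@ -14,5 +14,6 @@`; dropping the three added lines leaves each file ending in exactly one newline.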
@@ -14,7 +14,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Event Hubs - Geo-disaster recovery
 url: "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal#availability-zones"
 - description: Enable auto-inflate on Event Hub Standard tier
@@ -33,5 +33,6 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Event Hubs - Automatically scale throughput units
 url: "https://learn.microsoft.com/azure/event-hubs/event-hubs-auto-inflate"
+
diff --git a/azure-resources/Insights/activityLogAlerts/recommendations.yaml b/azure-resources/Insights/activityLogAlerts/recommendations.yaml
index f7b61d1e5..3047068be 100644
--- a/azure-resources/Insights/activityLogAlerts/recommendations.yaml
+++ b/azure-resources/Insights/activityLogAlerts/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Configure Resource Health Alerts
+- description: Configure Resource Health Alerts
 aprlGuid: be448849-0d7d-49ba-9c94-9573ee533d5d
 recommendationTypeId: null
 recommendationControl: Monitoring and Alerting
@@ -14,8 +14,12 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Resource Health
 url: "https://learn.microsoft.com/en-us/azure/service-health/resource-health-overview"
+ - name: Configure Resource Health alerts in the Azure portal
+ url: "https://learn.microsoft.com/en-us/azure/service-health/resource-health-alert-monitor-guide#create-a-resource-health-alert-rule-in-the-azure-portal"
+ - name: Alerts Health
+ url: "https://learn.microsoft.com/en-us/azure/service-health/alerts-activity-log-service-notifications-portal"
 - description: Configure Service Health Alerts
 aprlGuid: 9729c89d-8118-41b4-a39b-e12468fa872b
@@ -26,12 +30,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Service health gives a personalized health view of Azure services and regions used, offering the best place for notifications on outages, planned maintenance, and health advisories by knowing the services used.
- potentialBenefits: Proactive outage & maintenance alerts
+ potentialBenefits: Proactive outage and maintenance alerts
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: What is Azure Service Health?
 url: "https://learn.microsoft.com/azure/service-health/overview"
+ - name: Configure alerts for service health events
+ url: "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal"
diff --git a/azure-resources/Insights/components/recommendations.yaml b/azure-resources/Insights/components/recommendations.yaml
index 43c9c7d20..4d4e07c86 100644
--- a/azure-resources/Insights/components/recommendations.yaml
+++ b/azure-resources/Insights/components/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Convert Classic Deployments
+- description: Convert Classic Deployments
 aprlGuid: dac421ec-2832-4c37-839e-b6dc5a38f2fa
 recommendationTypeId: null
 recommendationControl: Service Upgrade And Retirement
@@ -14,5 +14,6 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Migrate an Application Insights classic resource to a workspace-based resource
 url: "https://learn.microsoft.com/en-us/azure/azure-monitor/app/convert-classic-resource"
+
diff --git a/azure-resources/KeyVault/vaults/recommendations.yaml b/azure-resources/KeyVault/vaults/recommendations.yaml
index b74dc8760..1634954a5 100644
--- a/azure-resources/KeyVault/vaults/recommendations.yaml
+++ b/azure-resources/KeyVault/vaults/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Key vaults should have soft delete enabled
+- description: Key vaults should have soft delete enabled
 aprlGuid: 1cca00d2-d9ab-8e42-a788-5d40f49405cb
 recommendationTypeId: null
 recommendationControl: Disaster Recovery
@@ -14,7 +14,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Key Vault soft-delete overview
 url: "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview"
 - description: Key vaults should have purge protection enabled
@@ -33,7 +33,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Key Vault purge-protection overview
 url: "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection"
 - description: Enable Azure Private Link Service for Key vault
@@ -52,7 +52,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Key Vault Private Link Service overview
 url: "https://learn.microsoft.com/azure/key-vault/general/security-features#network-security"
 - description: Use separate key vaults per application per environment
@@ -71,7 +71,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Key Vault best practices overview
 url: "https://learn.microsoft.com/azure/key-vault/general/best-practices#why-we-recommend-separate-key-vaults"
 - description: Diagnostic logs in Key Vault should be enabled
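Review bot: In hunk `@@ -52,7 +52,7 @@` the link is renamed `Azure Key Vault Private Link Service overview` while its `url` is unchanged and still targets `security-features#network-security`, the general network-security section rather than a Private Link document. The name now promises more than the target delivers; either rename to describe what the anchor actually shows, e.g. `- name: Azure Key Vault network security features`, or point the `url` at the Key Vault Private Link how-to. The other renamed links in this file (`soft-delete`, `purge-protection`, `best-practices`) match their anchors and read fine.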
@@ -83,12 +83,12 @@
 recommendationMetadataState: Active
 longDescription: |
 Enable logs, set up alerts, and adhere to retention requirements for improved monitoring and security of Key Vault access, detailing the frequency and identity of users.
- potentialBenefits: Enhanced monitoring & security compliance
+ potentialBenefits: Enhanced monitoring and security compliance
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Key Vault logging overview
 url: "https://learn.microsoft.com/azure/key-vault/general/logging?tabs=Vault"
diff --git a/azure-resources/NetApp/netAppAccounts/recommendations.yaml b/azure-resources/NetApp/netAppAccounts/recommendations.yaml
index 2ce11bd14..3a3d1e128 100644
--- a/azure-resources/NetApp/netAppAccounts/recommendations.yaml
+++ b/azure-resources/NetApp/netAppAccounts/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Use the correct service level and volume quota size for the expected performance level
+- description: Use the correct service level and volume quota size for the expected performance level
 aprlGuid: af426a99-62a6-6b4c-9662-42d220b413b8
 recommendationTypeId: null
 recommendationControl: Scalability
@@ -7,14 +7,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Service levels, part of capacity pool attributes, determine the maximum throughput per volume quota in Azure NetApp Files. It combines read and write speed, offering three levels: Standard (16 MiB/s per 1TiB), Premium (64 MiB/s per 1TiB), and Ultra (128 MiB/s per 1TiB) throughput.
- potentialBenefits: Optimized performance & cost efficiency
+ potentialBenefits: Optimized performance and cost efficiency
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Service levels for Azure NetApp Files | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels"
 - description: Use standard network features for production in Azure NetApp Files
@@ -26,14 +26,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Standard network feature in Azure NetApp Files enhances IP limits and VNet capabilities, including network security groups, user-defined routes on subnets, and diverse connectivity options.
- potentialBenefits: Enhanced connectivity & security
+ potentialBenefits: Enhanced connectivity and security
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Guidelines for Azure NetApp Files network planning | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies"
 - description: Use availability zones for high availability in Azure NetApp Files
@@ -52,7 +52,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Use availability zones for high availability in Azure NetApp Files | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/use-availability-zones"
 - description: Use snapshots for data protection in Azure NetApp Files
@@ -71,7 +71,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: How Azure NetApp Files snapshots work | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/snapshots-introduction"
 - description: Enable backup for data protection in Azure NetApp Files
@@ -83,18 +83,18 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure NetApp Files offers a fully managed backup solution enhancing long-term recovery, archiving, and compliance.
- potentialBenefits: Enhances data recovery & compliance
+ potentialBenefits: Enhances data recovery and compliance
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Understand Azure NetApp Files backup | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/backup-introduction"
 - description: Enable Cross-region replication of Azure NetApp Files volumes
- aprlGuid: b2fb3e60-97ec-e34d-af29-b16a0d61c2ac
+ aprlGuid: e30317d2-c502-4dfe-a2d3-0a737cc79545
 recommendationTypeId: null
 recommendationControl: Disaster Recovery
 recommendationImpact: High
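Review bot: Hunk `@@ -83,18 +83,18 @@` replaces the `aprlGuid` of the cross-region replication recommendation (`b2fb3e60-97ec-e34d-af29-b16a0d61c2ac` → `e30317d2-c502-4dfe-a2d3-0a737cc79545`), which is outside the "learn more links" scope in the PR title and is not explained anywhere in the commit. If this GUID is the stable key consumers rely on (automation output, Advisor mappings, downstream reports), the silent change orphans every reference to the old value, and no such reference is touched in the visible part of the patch. A one-line rationale in the PR description, or an inline comment such as `# aprlGuid replaced on <date>: <reason, e.g. duplicate of another recommendation>`, would make the change reviewable, and a repo-wide search for the old value should confirm nothing still points at it.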
@@ -102,15 +102,15 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure NetApp Files replication offers data protection by allowing asynchronous cross-region volume replication for application failover in case of regional outages. Volumes can be replicated across regions, not concurrently with cross-zone replication.
- potentialBenefits: Enhanced data protection & disaster recovery
+ potentialBenefits: Enhanced data protection and disaster recovery
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-introduction"
+ - name: Cross-region replication of Azure NetApp Files volumes
+ url: "https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-introduction"
 - description: Enable Cross-zone replication of Azure NetApp Files volumes
 aprlGuid: e3d742e1-dacd-9b48-b6b1-510ec9f87c96
@@ -128,7 +128,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/cross-zone-replication-introduction"
 - description: Monitor Azure NetApp Files metrics to better understand usage pattern and performance
@@ -140,14 +140,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure NetApp Files offers metrics like allocated storage, actual usage, volume IOPS, and latency, enabling a better understanding of usage patterns and volume performance for NetApp accounts.
- potentialBenefits: Optimize usage & performance
+ potentialBenefits: Optimize usage and performance
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Ways to monitor Azure NetApp Files | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/monitor-azure-netapp-files"
 - description: Enforce standards and assess compliance in Azure NetApp Files with Azure policy
@@ -159,15 +159,17 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure NetApp Files supports Azure policy integration using either built-in policy definitions or by creating custom ones to maintain organizational standards and compliance.
- potentialBenefits: Enforce standards & assess compliance
+ potentialBenefits: Enforce standards and assess compliance
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Policy definitions for Azure NetApp Files | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/azure-policy-definitions"
+ - name: Creating custom policy definitions | Microsoft Learn
+ url: "https://learn.microsoft.com/azure/governance/policy/tutorials/create-custom-policy-definition"
 - description: Restrict default access to Azure NetApp Files volumes
 aprlGuid: cfa2244b-5436-47de-8287-b217875d3b0a
@@ -185,8 +187,16 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Configure network features for an Azure NetApp Files volume
 url: "https://learn.microsoft.com/azure/azure-netapp-files/configure-network-features"
+ - name: Manage SMB share ACLs in Azure NetApp Files
+ url: "https://learn.microsoft.com/azure/azure-netapp-files/manage-smb-share-access-control-lists"
+ - name: Configure export policy for NFS or dual-protocol volumes
+ url: "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-configure-export-policy"
+ - name: Configure access control lists on NFSv4.1 volumes for Azure NetApp Files
+ url: "https://learn.microsoft.com/azure/azure-netapp-files/configure-access-control-lists"
+ - name: Configure Unix permissions and change ownership mode for NFS and dual-protocol volumes
+ url: "https://learn.microsoft.com/azure/azure-netapp-files/configure-unix-permissions-change-ownership-mode"
 - description: Make use of SMB continuous availability for supported applications
 aprlGuid: d1e7ccc3-e6c1-40e9-a36e-fd134711c808
@@ -204,7 +214,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Do I need to take special precautions for SMB-based applications? | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#do-i-need-to-take-special-precautions-for-smb-based-applications"
 - description: Ensure application resilience for service maintenance events
@@ -223,5 +233,5 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: What do you recommend for handling potential application disruptions due to storage service maintenance events? | Microsoft Learn
 url: "https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#what-do-you-recommend-for-handling-potential-application-disruptions-due-to-storage-service-maintenance-events"
diff --git a/azure-resources/Network/FrontDoorWebApplicationFirewallPolicies/recommendations.yaml b/azure-resources/Network/FrontDoorWebApplicationFirewallPolicies/recommendations.yaml
index 680986dfc..378f6f96d 100644
--- a/azure-resources/Network/FrontDoorWebApplicationFirewallPolicies/recommendations.yaml
+++ b/azure-resources/Network/FrontDoorWebApplicationFirewallPolicies/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Inspect Azure Front Door WAF logs for wrongfully blocked legitimate requests
+- description: Inspect Azure Front Door WAF logs for wrongfully blocked legitimate requests
 aprlGuid: d0cfe47f-686b-5043-bf83-5a3868acb80a
 recommendationTypeId: null
 recommendationControl: Monitoring and Alerting
@@ -14,8 +14,14 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Web Application Firewall monitoring and logging - Access Log
 url: "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium#access-logs"
+ - name: Understanding WAF logs
+ url: "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-tuning?pivots=front-door-standard-premium#understanding-waf-logs"
+ - name: Web Application Firewall exclusion lists
+ url: "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal"
+ - name: Fixing a false positive
+ url: "https://learn.microsoft.com/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#fixing-false-positives"
 - description: Check Azure Application Gateway WAF logs for mistakenly blocked valid requests
 aprlGuid: 537b4d94-edd1-4041-b13d-8217dfa485f0
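Review bot: The last two links added in hunk `@@ -14,8 +14,14 @@` (`Web Application Firewall exclusion lists` → `/ag/application-gateway-waf-configuration`, `Fixing a false positive` → `/ag/web-application-firewall-troubleshoot`) point at Application Gateway WAF documents, but the recommendation they are attached to is the Front Door one (`Inspect Azure Front Door WAF logs …`, aprlGuid d0cfe47f…). Exclusion lists and false-positive tuning are configured differently on the two WAF products, so a reader tuning a Front Door policy would be sent to the wrong product's procedure; the Front Door tuning page already linked above (`waf-front-door-tuning`) appears to cover both topics, so either drop the two `/ag/` links here or replace them with their `/afds/` equivalents. The adjacent Application Gateway recommendation (aprlGuid 537b4d94…, whose hunk starts on the next line) is where AG-specific links belong.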
@@ -33,8 +39,10 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Azure Web Application Firewall Monitoring and Logging
 url: "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-metrics#logs-and-diagnostics"
+ - name: Diagnostic logs
+ url: "https://learn.microsoft.com/azure/web-application-firewall/ag/web-application-firewall-logs#diagnostic-logs"
 - description: Monitor Web Application Firewall
 aprlGuid: 5357ae22-0f52-1a49-9fd4-1f00ace6add0
@@ -45,12 +53,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Monitoring the health of your Web Application Firewall and the applications it protects is crucial. This can be achieved through integration with Microsoft Defender for Cloud, Azure Monitor, and Azure Monitor logs, ensuring optimal performance and security.
- potentialBenefits: Enhanced security & health insight
+ potentialBenefits: Enhanced security and health insight
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: WAF monitoring
 url: "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview#waf-monitoring"
+ - name: Azure Monitor Workbook for WAF
+ url: "https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Workbook%20-%20WAF%20Monitor%20Workbook"
diff --git a/azure-resources/Network/applicationGateways/recommendations.yaml b/azure-resources/Network/applicationGateways/recommendations.yaml
index 455648015..62e3e35a1 100644
--- a/azure-resources/Network/applicationGateways/recommendations.yaml
+++ b/azure-resources/Network/applicationGateways/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Set a minimum instance count of 2
+- description: Set a minimum instance count of 2
 aprlGuid: 823b0cff-05c0-2e4e-a1e7-9965e1cfa16f
 recommendationTypeId: null
 recommendationControl: Scalability
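Review bot: The `Azure Monitor Workbook for WAF` link added at the end of hunk `@@ -45,12 +53,14 @@` is the only target in this file that is not on `learn.microsoft.com`, and it points into a directory on the moving `master` branch of a GitHub repository, so the path can break or the workbook's contents can change with no change visible here. Because a workbook is content users will deploy into their monitoring, a reference pinned to a tag or commit (`.../tree/<commit-sha>/Azure%20WAF/...`, placeholder) or to the repository root is more durable, and a name that signals the source, e.g. `- name: Azure Monitor Workbook for WAF (GitHub, Azure/Azure-Network-Security)`, tells readers what they are being sent to. The applicationGateways `@@ -1,4 +1,4 @@` hunk on the same line is whitespace only and raises nothing.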
@@ -7,14 +7,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure Application Gateways v2 are deployed highly available with multiple instances by default.
- potentialBenefits: Enhances uptime & enables autoscaling
+ potentialBenefits: Enhances uptime and enables autoscaling
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Application Gateway Autoscaling Zone-Redundant
 url: "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability"
 - description: Secure all incoming connections with SSL
@@ -26,15 +26,23 @@
 recommendationMetadataState: Active
 longDescription: |
 Secure all incoming connections using HTTPS for production services with end-to-end SSL/TLS or SSL/TLS termination at the Application Gateway to protect against attacks and ensure data remains private and encrypted between the web server and browsers.
- potentialBenefits: Enhanced security & privacy
+ potentialBenefits: Enhanced security and privacy
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Application Gateway Security
 url: "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway#security"
+ - name: Application Gateway SSL Overview
+ url: "https://learn.microsoft.com/azure/application-gateway/ssl-overview"
+ - name: Application Gateway SSL Policy Overview
+ url: "https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview"
+ - name: Application Gateway KeyVault Certs
+ url: "https://learn.microsoft.com/azure/application-gateway/key-vault-certs"
+ - name: Application Gateway SSL Cert Management
+ url: "https://learn.microsoft.com/azure/application-gateway/ssl-certificate-management"
 - description: Enable Web Application Firewall policies
 aprlGuid: 8d9223c4-730d-ca47-af88-a9a024c37270
@@ -52,8 +60,10 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Well-Architected Framework Application Gateway Overview
 url: "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway"
+ - name: Application Gateway - Web Application Firewall
+ url: "https://learn.microsoft.com/azure/application-gateway/features#web-application-firewall"
 - description: Use Application GW V2 instead of V1
 aprlGuid: 7893f0b3-8622-1d47-beed-4b50a19f7895
@@ -71,8 +81,12 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Application Gateway Overview V2
 url: "https://learn.microsoft.com/azure/application-gateway/overview-v2"
+ - name: Application Gateway Feature Comparison Between V1 and V2
+ url: "https://learn.microsoft.com/azure/application-gateway/overview-v2#feature-comparison-between-v1-sku-and-v2-sku"
+ - name: Application Gateway V1 Retirement
+ url: "https://azure.microsoft.com/updates/application-gateway-v1-will-be-retired-on-28-april-2026-transition-to-application-gateway-v2/"
 - description: Monitor and Log the configurations and traffic
 aprlGuid: 5d035919-898d-a047-8d5d-454e199692e5
@@ -83,15 +97,17 @@
 recommendationMetadataState: Active
 longDescription: |
 Enable logging in storage accounts, Log Analytics, and monitoring services for auditing and insights. If using NSGs, enable NSG flow logs to be stored, providing in-depth traffic analysis into Azure Cloud.
- potentialBenefits: Enhanced traffic insight & audit
+ potentialBenefits: Enhanced traffic insight and audit
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Application Gateway Metrics
 url: "https://learn.microsoft.com/azure/application-gateway/application-gateway-metrics"
+ - name: Application Gateway Diagnostics
+ url: "https://learn.microsoft.com/azure/application-gateway/application-gateway-diagnostics"
 - description: Use Health Probes to detect backend availability
 aprlGuid: 847a8d88-21c4-bc48-a94e-562206edd767
@@ -109,8 +125,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Application Gateway Probe Overview url: "https://learn.microsoft.com/azure/application-gateway/application-gateway-probe-overview" + - name: Well-Architected Framework Application Gateway Overview + url: "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway" - description: Deploy Application Gateway in a zone-redundant configuration aprlGuid: c9c00f2a-3888-714b-a72b-b4c9e8fcffb2 @@ -121,15 +139,17 @@ recommendationMetadataState: Active longDescription: | Deploying Application Gateway in a zone-aware configuration ensures continued customer access to services even if a specific zone goes down, as services in other zones remain available. - potentialBenefits: Enhanced uptime & customer access + potentialBenefits: Enhanced uptime and customer access pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Well-Architected Framework Application Gateway Reliability url: "https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway#reliability" + - name: Application Gateway V2 Overview + url: "https://learn.microsoft.com/azure/application-gateway/overview-v2" - description: Plan for backend maintenance by using connection draining aprlGuid: 10f02bc6-e2e7-004d-a2c2-f9bf9f16b915 @@ -147,8 +167,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Application Gateway Connection Draining url: "https://learn.microsoft.com/azure/application-gateway/features#connection-draining" + - name: Application Gateway Connection Draining HTTP Settings + url: "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings#connection-draining" - description: Ensure Application Gateway Subnet is using a /24 subnet mask aprlGuid: 8364fd0a-7c0e-e240-9d95-4bf965aec243 
@@ -166,5 +188,5 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Application Gateway infrastructure configuration | Microsoft Learn url: "https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#size-of-the-subnet" diff --git a/azure-resources/Network/azureFirewalls/recommendations.yaml b/azure-resources/Network/azureFirewalls/recommendations.yaml index 53e6e88f6..4f4895b4c 100644 --- a/azure-resources/Network/azureFirewalls/recommendations.yaml +++ b/azure-resources/Network/azureFirewalls/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Deploy Azure Firewall across multiple availability zones +- description: Deploy Azure Firewall across multiple availability zones aprlGuid: c72b7fee-1fa0-5b4b-98e5-54bcae95bb74 recommendationTypeId: null recommendationControl: High Availability @@ -14,8 +14,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Well Architected Framework - Azure Firewall url: "https://learn.microsoft.com/azure/architecture/framework/services/networking/azure-firewall" + - name: Deploy Azure Firewall across multiple availability zones + url: "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell" - description: Monitor Azure Firewall metrics aprlGuid: 3c8fa7c6-6b78-a24a-a63f-348a7c71acb9 
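Review bot: The new link name in this hunk carries the pasted page-title suffix `| Microsoft Learn` and the url keeps a locale-pinned `/en-us/` segment, while the other new entries in this file (L99-L101) use plain titles and locale-free `learn.microsoft.com/azure/...` paths. Locale-pinned links bypass the reader's language preference and make the same page appear under two spellings across the corpus, which complicates de-duplication and link checking. Suggested lines: `- name: Azure Application Gateway infrastructure configuration` and `url: "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet"`. The same pattern recurs in the connections, expressRouteCircuits, expressRoutePorts, loadBalancers, privateDnsZones, publicIPAddresses, routeTables and virtualNetworkGateways hunks, so one sweep would fix all of them.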
@@ -26,15 +28,17 @@ recommendationMetadataState: Active longDescription: | Monitor Azure Firewall for overall health, processed throughput, and outbound SNAT port usage. Get alerted before limits impact services. Consider NAT gateway integration with zonal deployments; note limitations with zone redundant firewalls and secure virtual hub networks. - potentialBenefits: Improve health & performance monitoring + potentialBenefits: Improve health and performance monitoring pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Firewall metrics supported in Azure Monitor url: "https://learn.microsoft.com/azure/azure-monitor/essentials/metrics-supported#microsoftnetworkazurefirewalls" + - name: Azure Firewall performance + url: "https://learn.microsoft.com/azure/firewall/firewall-performance" - description: Configure DDoS Protection on the Azure Firewall VNet aprlGuid: 1b2dbf4a-8a0b-5e4b-8f4e-3f758188910d @@ -52,7 +56,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure DDoS Protection overview url: "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview" - description: Leverage Azure Policy inheritance model @@ -71,7 +75,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Firewall Policy hierarchy url: "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy" - description: Configure 2-4 PIPs for SNAT Port utilization @@ -90,7 +94,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Well-Architected Framework review - Azure Firewall url: "https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall#recommendations" - description: Monitor AZFW Latency Probes metric 
@@ -109,5 +113,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Well-Architected Framework review - Azure Firewall url: "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall#recommendations" + - name: Azure Firewall metrics overview + url: "https://learn.microsoft.com/azure/firewall/metrics" diff --git a/azure-resources/Network/connections/recommendations.yaml b/azure-resources/Network/connections/recommendations.yaml index a3fb89b7d..34ec04f4a 100644 --- a/azure-resources/Network/connections/recommendations.yaml +++ b/azure-resources/Network/connections/recommendations.yaml @@ -1,4 +1,4 @@ -- description: For better data path performance enable FastPath on ExpressRoute Direct and Gateway +- description: For better data path performance enable FastPath on ExpressRoute Direct and Gateway aprlGuid: f6a14b32-a727-4ace-b5fa-7b1c6bdff402 recommendationTypeId: null recommendationControl: Scalability @@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | ExpressRoute gateways facilitate network traffic and route exchanges. FastPath enhances on-premises to virtual network data path performance by directing traffic straight to virtual machines, bypassing the gateway for improved resiliency through reduced gateway utilization. - potentialBenefits: Enhances speed & resiliency + potentialBenefits: Enhances speed and resiliency pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: About ExpressRoute FastPath url: "https://learn.microsoft.com/en-us/azure/expressroute/about-fastpath" - description: Configure an Azure Resource Lock on connections to prevent accidental deletion 
@@ -33,5 +33,5 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json" diff --git a/azure-resources/Network/ddosProtectionPlans/recommendations.yaml b/azure-resources/Network/ddosProtectionPlans/recommendations.yaml index 0b19e5768..e45e9e1db 100644 --- a/azure-resources/Network/ddosProtectionPlans/recommendations.yaml +++ b/azure-resources/Network/ddosProtectionPlans/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Monitor Azure DDoS Protection Plan metrics +- description: Monitor Azure DDoS Protection Plan metrics aprlGuid: ae054bf2-aefa-cf4a-8282-741194cef8da recommendationTypeId: null recommendationControl: Security @@ -7,12 +7,12 @@ recommendationMetadataState: Active longDescription: | Azure DDoS Plan metrics differentiate packets and bytes by tags: null Dropped (packets scrubbed by DDoS), Forwarded (packets to VIP not filtered), and No tag (total packets, sum of dropped and forwarded). - potentialBenefits: Enhanced security & traffic insight + potentialBenefits: Enhanced security and traffic insight pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Monitoring Azure DDoS Protection url: "https://learn.microsoft.com/en-us/azure/ddos-protection/monitor-ddos-protection-reference" diff --git a/azure-resources/Network/expressRouteCircuits/recommendations.yaml b/azure-resources/Network/expressRouteCircuits/recommendations.yaml index 799a066ff..0fdf1fb7a 100644 --- a/azure-resources/Network/expressRouteCircuits/recommendations.yaml +++ b/azure-resources/Network/expressRouteCircuits/recommendations.yaml 
@@ -1,4 +1,4 @@ -- description: Connect on-prem networks to Azure critical workloads via multiple ExpressRoutes +- description: Connect on-prem networks to Azure critical workloads via multiple ExpressRoutes aprlGuid: 4d703025-dafc-f840-a183-5dc440456134 recommendationTypeId: null recommendationControl: High Availability @@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | Connecting each ExpressRoute Gateway to a minimum of two circuits in different peering locations enhances redundancy and reliability by ensuring alternate pathways for data in case one circuit fails. - potentialBenefits: Enhanced reliability & redundancy + potentialBenefits: Enhanced reliability and redundancy pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Designing for disaster recovery with ExpressRoute private peering url: "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering" - description: Ensure ExpressRoute's physical links connect to distinct network edge devices 
@@ -26,15 +26,17 @@ recommendationMetadataState: Active longDescription: | Microsoft or the ExpressRoute provider always ensures physical redundancy in their services. It's essential to maintain this level of physical redundancy (two devices, two links) from the ExpressRoute peering location to your network for optimal performance and reliability. - potentialBenefits: Enhanced reliability & fault tolerance + potentialBenefits: Enhanced reliability and fault tolerance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Designing for high availability with ExpressRoute url: "https://learn.microsoft.com/en-us/azure/expressroute/designing-for-high-availability-with-expressroute" + - name: Azure Well-Architected Framework review - Azure ExpressRoute - Design Checklist + url: "https://learn.microsoft.com/azure/well-architected/services/networking/azure-expressroute#recommendations" - description: Ensure both connections of an ExpressRoute circuit are configured in active-active mode aprlGuid: f06a2bbe-5839-d447-9f39-fc3d20562d88 @@ -52,7 +54,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Designing for high availability with ExpressRoute - Active-active connections url: "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections" - description: Activate Bidirectional Forwarding Detection on edge devices for faster failover @@ -71,7 +73,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Configure BFD over ExpressRoute url: "https://learn.microsoft.com/azure/expressroute/expressroute-bfd" - description: Configure monitoring and alerting for ExpressRoute circuits 
@@ -83,15 +85,19 @@ recommendationMetadataState: Active longDescription: | Use Network Insights for monitoring ExpressRoute circuit availability, QoS, and throughput. Set alerts based on Azure Monitor Baseline Alerts for availability, QoS metrics, and throughput metrics exceeding specific thresholds. - potentialBenefits: Enhanced network performance & health + potentialBenefits: Enhanced network performance and health pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure ExpressRoute Insights using Network Insights | Microsoft Learn url: "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-network-insights" + - name: Monitoring Azure ExpressRoute + url: "https://learn.microsoft.com/azure/expressroute/monitor-expressroute" + - name: Configure Traffic Collector for ExpressRoute Direct - Azure ExpressRoute | Microsoft Learn + url: "https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-traffic-collector#deploy-expressroute-traffic-collector" - description: Configure service health to receive ExpressRoute circuit maintenance notification aprlGuid: 26cb547f-aabc-dc40-be02-d0a9b6b04b1a @@ -109,7 +115,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: How to view and configure alerts for Azure ExpressRoute circuit maintenance url: "https://learn.microsoft.com/azure/expressroute/maintenance-alerts" - description: Use a site-to-site VPN as an interim backup solution for a single ExpressRoute circuit 
@@ -121,12 +127,12 @@ recommendationMetadataState: Active longDescription: | If you haven't added a second ExpressRoute circuit, use a site-to-site VPN as a temporary solution until the second circuit is available. This ensures network reliability and continuity of service. - potentialBenefits: Ensures continuity & reliability + potentialBenefits: Ensures continuity and reliability pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Using S2S VPN as a backup for ExpressRoute private peering url: "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering" diff --git a/azure-resources/Network/expressRoutePorts/recommendations.yaml b/azure-resources/Network/expressRoutePorts/recommendations.yaml index 46228a673..0f03180e3 100644 --- a/azure-resources/Network/expressRoutePorts/recommendations.yaml +++ b/azure-resources/Network/expressRoutePorts/recommendations.yaml @@ -1,4 +1,4 @@ -- description: The Admin State of both Links of an ExpressRoute Direct should be in Enabled state +- description: The Admin State of both Links of an ExpressRoute Direct should be in Enabled state aprlGuid: 60077378-7cb1-4b35-89bb-393884d9921d recommendationTypeId: null recommendationControl: High Availability @@ -14,7 +14,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: How to configure ExpressRoute Direct Change Admin State of links url: "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-erdirect#state" - description: Ensure you do not over-subscribe an ExpressRoute Direct 
@@ -33,7 +33,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: About ExpressRoute Direct Circuit Sizes url: "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-erdirect-about?source=recommendations#circuit-sizes" - description: Implement rate-limiting across ExpressRoute Direct Circuits to optimize network flow @@ -52,5 +52,5 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Rate limiting for ExpressRoute Direct circuits (Preview) url: "https://learn.microsoft.com/en-us/azure/expressroute/rate-limit" diff --git a/azure-resources/Network/loadBalancers/recommendations.yaml b/azure-resources/Network/loadBalancers/recommendations.yaml index b496080ab..ee87de136 100644 --- a/azure-resources/Network/loadBalancers/recommendations.yaml +++ b/azure-resources/Network/loadBalancers/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Use Standard Load Balancer SKU +- description: Use Standard Load Balancer SKU aprlGuid: 38c3bca1-97a1-eb42-8cd3-838b243f35ba recommendationTypeId: null recommendationControl: High Availability 
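Review bot: The url in the first hunk here keeps a `?source=recommendations` query string, which appears to be a referral/tracking parameter rather than part of the page identity, and no other new link in this patch carries one. Stripping it keeps the link stable and consistent with the sibling entries: `url: "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-erdirect-about#circuit-sizes"`. The `(Preview)` qualifier in the rate-limiting link name will go stale once the feature is generally available; consider leaving feature status to the linked page.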
@@ -7,15 +7,17 @@ recommendationMetadataState: Active longDescription: | Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA. - potentialBenefits: Enhanced reliability & SLA support + potentialBenefits: Enhanced reliability and SLA support pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Reliability and Azure Load Balancer url: "https://learn.microsoft.com/azure/architecture/framework/services/networking/azure-load-balancer/reliability" + - name: Resiliency checklist for specific Azure services- Azure Load Balancer + url: "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer" - description: Ensure the Backend Pool contains at least two instances aprlGuid: 6d82d042-6d61-ad49-86f0-6a5455398081 @@ -26,14 +28,14 @@ recommendationMetadataState: Active longDescription: | Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building. - potentialBenefits: Enhances reliability & scalability + potentialBenefits: Enhances reliability and scalability pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Resiliency checklist for specific Azure services- Azure Load Balancer url: "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer" - description: Use NAT Gateway instead of Outbound Rules for Production Workloads 
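Review bot: The new link name `Resiliency checklist for specific Azure services- Azure Load Balancer` is missing the space before the hyphen, in both hunks on this line and again in the next loadBalancers hunk (L112). Since the same title is repeated three times, it is worth fixing consistently: `- name: Resiliency checklist for specific Azure services - Azure Load Balancer`.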
@@ -52,7 +54,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Resiliency checklist for specific Azure services- Azure Load Balancer url: "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#azure-load-balancer" - description: Ensure Standard Load Balancer is zone-redundant @@ -64,12 +66,12 @@ recommendationMetadataState: Active longDescription: | In regions with Availability Zones, assigning a zone-redundant frontend IP to a Standard Load Balancer ensures continuous traffic distribution even if one availability zone fails, provided other healthy zones and backend instances are available to receive the traffic. - potentialBenefits: Enhances uptime & resilience + potentialBenefits: Enhances uptime and resilience pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Load Balancer and Availability Zones url: "https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-availability-zones#zone-redundant" diff --git a/azure-resources/Network/networkSecurityGroups/recommendations.yaml b/azure-resources/Network/networkSecurityGroups/recommendations.yaml index 692e1ec28..c1475be22 100644 --- a/azure-resources/Network/networkSecurityGroups/recommendations.yaml +++ b/azure-resources/Network/networkSecurityGroups/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Configure Diagnostic Settings for all network security groups +- description: Configure Diagnostic Settings for all network security groups aprlGuid: d2976d3e-294b-4b49-a1f0-c42566a3758f recommendationTypeId: null recommendationControl: Monitoring and Alerting 
@@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | Resource Logs are not collected and stored until you create a diagnostic setting and route them to one or more locations. - potentialBenefits: Enhanced monitoring & security insights + potentialBenefits: Enhanced monitoring and security insights pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Diagnostic settings in Azure Monitor url: "https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings" - description: Monitor changes in Network Security Groups with Azure Monitor @@ -33,7 +33,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Monitor activity log url: "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell" - description: Configure locks for Network Security Groups to avoid accidental changes and/or deletion @@ -52,7 +52,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Lock your resources to protect your infrastructure url: "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json" - description: Configure NSG Flow Logs 
@@ -64,14 +64,14 @@ recommendationMetadataState: Active longDescription: | Monitoring, managing, and understanding your network is crucial for protection and optimization. Knowing the current state, who and from where connections are made, open internet ports, expected and irregular behavior, and traffic spikes is essential. - potentialBenefits: Enhances security & optimizes network + potentialBenefits: Enhances security and optimizes network pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Flow logging for network security groups url: "https://learn.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview" - description: The NSG only has Default Security Rules, make sure to configure the necessary rules @@ -83,12 +83,12 @@ recommendationMetadataState: Active longDescription: | Azure network security groups filter network traffic between resources in a virtual network, using security rules to allow or deny inbound or outbound traffic based on source, destination, port, and protocol. - potentialBenefits: Enhanced traffic control & security + potentialBenefits: Enhanced traffic control and security pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Security rules url: "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules" diff --git a/azure-resources/Network/networkWatchers/recommendations.yaml b/azure-resources/Network/networkWatchers/recommendations.yaml index 7b4904530..9fa78e410 100644 --- a/azure-resources/Network/networkWatchers/recommendations.yaml +++ b/azure-resources/Network/networkWatchers/recommendations.yaml 
@@ -1,4 +1,4 @@ -- description: Deploy Network Watcher in all regions where you have networking services +- description: Deploy Network Watcher in all regions where you have networking services aprlGuid: 4e133bd0-8762-bc40-a95b-b29142427d73 recommendationTypeId: null recommendationControl: Monitoring and Alerting @@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | Azure Network Watcher offers tools for monitoring, diagnosing, viewing metrics, and managing logs for IaaS resources. It helps maintain the health of VMs, VNets, application gateways, load balancers, but not for PaaS or Web analytics. - potentialBenefits: Enhanced monitoring & diagnostics for Azure IaaS + potentialBenefits: Enhanced monitoring and diagnostics for Azure IaaS pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: What is Azure Network Watcher? url: "https://learn.microsoft.com/azure/network-watcher/network-watcher-overview" - description: Fix Flow Log configurations in Failed state or Disabled Status @@ -33,5 +33,5 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Manage NSG flow logs using the Azure portal url: "https://learn.microsoft.com/azure/network-watcher/nsg-flow-logging" diff --git a/azure-resources/Network/privateDnsZones/recommendations.yaml b/azure-resources/Network/privateDnsZones/recommendations.yaml index 0499864d3..79751ab8b 100644 --- a/azure-resources/Network/privateDnsZones/recommendations.yaml +++ b/azure-resources/Network/privateDnsZones/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Protect private DNS zones and records +- description: Protect private DNS zones and records aprlGuid: 2820f6d6-a23c-7a40-aec5-506f3bd1aeb6 recommendationTypeId: null recommendationControl: Security 
@@ -14,7 +14,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Protecting private DNS Zones and Records - Azure DNS url: "https://learn.microsoft.com/en-us/azure/dns/dns-protect-private-zones-recordsets" - description: Monitor Private DNS Zones health and set up alerts @@ -26,14 +26,14 @@ recommendationMetadataState: Active longDescription: | The records in a private DNS zone are only resolvable from linked virtual networks. You can link a private DNS zone to multiple networks and enable autoregistration to manage DNS records for virtual machines automatically. - potentialBenefits: Enhanced DNS reliability & alerting + potentialBenefits: Enhanced DNS reliability and alerting pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Scenarios for Azure Private DNS zones url: "https://learn.microsoft.com/en-us/azure/dns/private-dns-scenarios" - description: Align Production and DR zones with identical workload and resource failover entries @@ -52,5 +52,5 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Scenarios for Azure Private DNS zones url: "https://learn.microsoft.com/en-us/azure/dns/private-dns-scenarios" diff --git a/azure-resources/Network/privateEndpoints/recommendations.yaml b/azure-resources/Network/privateEndpoints/recommendations.yaml index 1508e0870..38cee7ef7 100644 --- a/azure-resources/Network/privateEndpoints/recommendations.yaml +++ b/azure-resources/Network/privateEndpoints/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Resolve issues with Private Endpoints in non Succeeded connection state +- description: Resolve issues with Private Endpoints in non Succeeded connection state aprlGuid: b89c9acc-0aba-fb44-9ff2-3dbfcf97dce7 recommendationTypeId: null recommendationControl: High Availability 
@@ -14,5 +14,6 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Private endpoint connections url: "https://learn.microsoft.com/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell#private-endpoint-connections" + diff --git a/azure-resources/Network/publicIPAddresses/recommendations.yaml b/azure-resources/Network/publicIPAddresses/recommendations.yaml index 81cdffeec..02cdcdf46 100644 --- a/azure-resources/Network/publicIPAddresses/recommendations.yaml +++ b/azure-resources/Network/publicIPAddresses/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Use Standard SKU and Zone-Redundant IPs when applicable +- description: Use Standard SKU and Zone-Redundant IPs when applicable aprlGuid: c63b81fb-7afc-894c-a840-91bb8a8dcfaf recommendationTypeId: null recommendationControl: High Availability @@ -14,8 +14,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Public IP addresses - Availability Zones url: "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone" + - name: Upgrading a basic public IP address to Standard SKU + url: "https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance#steps-to-complete-the-upgrade" - description: Use NAT gateway for outbound connectivity to avoid SNAT Exhaustion aprlGuid: 1adba190-5c4c-e646-8527-dd1b2a6d8b15 @@ -33,8 +35,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Use NAT GW for outbound connectivity url: "https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#use-nat-gateway-for-outbound-connectivity" + - name: TCP and SNAT Ports + url: "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability#tcp-and-snat-ports" - description: Upgrade Basic SKU public IP addresses to Standard SKU aprlGuid: 5cea1501-6fe4-4ec4-ac8f-f72320eb18d3 
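Review bot: The privateEndpoints hunk adds a bare `+` line after the last url, so the file now ends with an extra empty line instead of exactly one newline, which yamllint flags and which shows up as a spurious diff on the next edit. The same trailing blank line is added in the publicIPAddresses (L118) and trafficmanagerprofiles (L120) hunks. Dropping the added empty line in each of the three files is the whole fix.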
@@ -52,5 +56,8 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Upgrading a basic public IP address to Standard SKU - Guidance url: "https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-basic-upgrade-guidance" + - name: Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025�Basic SKU will be retired + url: "https://azure.microsoft.com/en-us/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/" + diff --git a/azure-resources/Network/routeTables/recommendations.yaml b/azure-resources/Network/routeTables/recommendations.yaml index 9eac6f6ba..fc8a0ad7a 100644 --- a/azure-resources/Network/routeTables/recommendations.yaml +++ b/azure-resources/Network/routeTables/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Monitor changes in Route Tables with Azure Monitor +- description: Monitor changes in Route Tables with Azure Monitor aprlGuid: 23b2dfc7-7e5d-9443-9f62-980ca621b561 recommendationTypeId: null recommendationControl: Monitoring and Alerting @@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | Create Alerts with Azure Monitor for operations like Create or Update Route Table to spot unauthorized/undesired changes in production resources. This setup aids in identifying improper routing changes, including efforts to evade firewalls or access resources from outside. - potentialBenefits: Enhanced security & change detection + potentialBenefits: Enhanced security and change detection pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure activity log - Azure Monitor | Microsoft Learn url: "https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell" - description: Configure locks for Route Tables to avoid accidental changes or deletion 
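Review bot: The second new link name in this hunk contains a mis-encoded character (`2025�Basic`), most likely a dash that did not survive the paste, so the rendered title will show a replacement glyph. Replace it with a plain ASCII separator: `- name: Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025 - Basic SKU will be retired`. A quick non-ASCII scan of the repository before merge would catch any other occurrences this patch may have introduced.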
@@ -33,5 +33,5 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=json" diff --git a/azure-resources/Network/trafficmanagerprofiles/recommendations.yaml b/azure-resources/Network/trafficmanagerprofiles/recommendations.yaml index c2082b5f4..01ccd11ec 100644 --- a/azure-resources/Network/trafficmanagerprofiles/recommendations.yaml +++ b/azure-resources/Network/trafficmanagerprofiles/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Traffic Manager Monitor Status Should be Online +- description: Traffic Manager Monitor Status Should be Online aprlGuid: f05a3e6d-49db-2740-88e2-2b13706c1f67 recommendationTypeId: null recommendationControl: High Availability @@ -14,8 +14,12 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Traffic Manager endpoint monitoring url: "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-monitoring" + - name: Enable or disable health checks + url: "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-monitoring#enable-or-disable-health-checks-preview" + - name: Troubleshooting degraded state on Azure Traffic Manager + url: "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-troubleshooting-degraded" - description: Traffic manager profiles should have more than one endpoint aprlGuid: 5b422a7f-8caa-3d48-becb-511599e5bba9 @@ -33,7 +37,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Traffic Manager Endpoint Types url: "https://learn.microsoft.com/azure/traffic-manager/traffic-manager-endpoint-types" - description: Configure at least one endpoint within a another region 
@@ -52,7 +56,8 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Reliability recommendations + url: "https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#add-at-least-one-more-endpoint-to-the-profile-preferably-in-another-azure-region" - description: Ensure endpoint configured to (All World) for geographic profiles @@ -71,5 +76,8 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Add an endpoint configured to "All (World)" url: "https://learn.microsoft.com/azure/advisor/advisor-reference-reliability-recommendations#add-an-endpoint-configured-to-all-world" + - name: Traffic Manager profile - GeographicProfile (Add an endpoint configured to ""All (World)""). + url: "https://aka.ms/Rf7vc5" + diff --git a/azure-resources/Network/virtualNetworkGateways/recommendations.yaml b/azure-resources/Network/virtualNetworkGateways/recommendations.yaml index ee9e7057c..10a2d3a0e 100644 --- a/azure-resources/Network/virtualNetworkGateways/recommendations.yaml +++ b/azure-resources/Network/virtualNetworkGateways/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Connect ExpressRoute Gateway with circuits from diverse peering locations for resilience +- description: Connect ExpressRoute Gateway with circuits from diverse peering locations for resilience aprlGuid: d37db635-157f-584d-9bce-4f6fc8c65ce5 recommendationTypeId: null recommendationControl: High Availability @@ -14,7 +14,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Designing for disaster recovery with ExpressRoute private peering url: "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering" - description: Use Zone-redundant gateway SKUs 
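Review bot: In the `@@ -71,5 +76,8 @@` hunk the second added name contains doubled quotes, `configured to ""All (World)"").`, which inside a plain scalar are literal characters, so the link text renders with two quote marks on each side plus a stray trailing period; write `- name: Traffic Manager profile - GeographicProfile (Add an endpoint configured to "All (World)")`. Its URL, `https://aka.ms/Rf7vc5`, is a redirector while every other link in this file points at `learn.microsoft.com`; a short link hides the destination from reviewers and can be repointed later, so the resolved canonical URL is preferable.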
@@ -33,8 +33,12 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: About ExpressRoute virtual network gateways - Zone-redundant gateway SKUs url: "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways#zrgw" + - name: About zone-redundant virtual network gateway in Azure availability zones + url: "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways" + - name: Create a zone-redundant virtual network gateway in Azure Availability Zones + url: "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway" - description: Configure an Azure Resource lock for ExpressRoute Gateway to prevent accidental deletion aprlGuid: c0f23a92-d322-4d4d-97e9-a238b5e3bbb8 @@ -52,7 +56,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Protect your Azure resources with a lock - Azure Resource Manager | Microsoft Learn url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json" - description: Monitor gateway health 
@@ -64,15 +68,17 @@ recommendationMetadataState: Active longDescription: | Use Network Insights for monitoring ExpressRoute Gateway's health, including availability, performance, and scalability. - potentialBenefits: Enhanced monitoring & alerting + potentialBenefits: Enhanced monitoring and alerting pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: ExpressRoute monitoring, metrics, and alerts | ExpressRoute gateways url: "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts#expressroute-gateways" + - name: Azure ExpressRoute Insights using Network Insights + url: "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-network-insights" - description: Avoid using ExpressRoute circuits for VNet to VNet communication aprlGuid: 194c14ac-0d7a-5a48-ae32-75fa450ee564 @@ -90,7 +96,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: About ExpressRoute virtual network gateways - VNet-to-VNet connectivity url: "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways#vnet-to-vnet-connectivity" - description: Configure customer-controlled gateway maintenance @@ -109,7 +115,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Configure customer-controlled maintenance for your virtual network gateway - ExpressRoute | Microsoft Learn url: "https://learn.microsoft.com/en-us/azure/expressroute/customer-controlled-gateway-maintenance#azure-portal-steps" - description: Choose a Zone-redundant gateway 
@@ -128,8 +134,12 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Zone redundant Virtual network gateway in availability zone url: "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways" + - name: Gateway SKU + url: "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways#gwskus" + - name: SLA summary for Azure services + url: "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1" - description: Plan for Active-Active mode aprlGuid: 281a2713-c0e0-3c48-b596-19f590c46671 @@ -140,15 +150,17 @@ recommendationMetadataState: Active longDescription: | The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling. - potentialBenefits: Enhanced reliability & network capacity + potentialBenefits: Enhanced reliability and network capacity pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Active-active VPN gateway url: "https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway" + - name: Gateway SKU + url: "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku" - description: Deploy active-active VPN concentrators on your premises for maximum resiliency aprlGuid: af11fc4c-c06c-4f4c-b98d-6eee6d5c4c70 
@@ -159,14 +171,14 @@ recommendationMetadataState: Active longDescription: | Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels. - potentialBenefits: Maximizes resilience & availability + potentialBenefits: Maximizes resilience and availability pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Dual-redundancy active-active VPN gateways for both Azure and on-premises networks url: "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks" - description: Monitor connections and gateway health @@ -185,7 +197,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: VPN gateway data reference url: "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference" - description: Enable service health @@ -204,8 +216,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Getting started with Azure Metrics Explorer url: "https://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started" + - name: Monitor VPN gateway + url: "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics" - description: Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s) aprlGuid: 4bae5a28-5cf4-40d9-bcf1-623d28f6d917 
@@ -216,12 +230,12 @@ recommendationMetadataState: Active longDescription: | For zone-redundant VPN Gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability, applying to both active-passive (single IP) and active-active (dual IP) setups. - potentialBenefits: Enhanced reliability & disaster recovery + potentialBenefits: Enhanced reliability and disaster recovery pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: About zone-redundant virtual network gateway in Azure availability zones url: "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways" diff --git a/azure-resources/Network/virtualNetworks/recommendations.yaml b/azure-resources/Network/virtualNetworks/recommendations.yaml index 898d33c41..4420b821d 100644 --- a/azure-resources/Network/virtualNetworks/recommendations.yaml +++ b/azure-resources/Network/virtualNetworks/recommendations.yaml @@ -1,4 +1,4 @@ -- description: All Subnets should have a Network Security Group associated +- description: All Subnets should have a Network Security Group associated aprlGuid: f0bf9ae6-25a5-974d-87d5-025abec73539 recommendationTypeId: null recommendationControl: Security 
@@ -7,15 +7,21 @@ recommendationMetadataState: Active longDescription: | Network security groups and application security groups allow filtering of inbound and outbound traffic by IP, port, and protocol, adding a security layer at the Subnet level. - potentialBenefits: Enhanced subnet security & traffic control + potentialBenefits: Enhanced subnet security and traffic control pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Virtual Network - Concepts and best practices | Microsoft Learn url: "https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices" + - name: GatewaySUbnet + url: "https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub" + - name: Can I associate a network security group (NSG) to the RouteServerSubnet? + url: "https://learn.microsoft.com/en-us/azure/route-server/route-server-faq#can-i-associate-a-network-security-group-nsg-to-the-routeserversubnet" + - name: Are Network Security Groups (NSGs) supported on the AzureFirewallSubnet? + url: "https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-network-security-groups--nsgs--supported-on-the-azurefirewallsubnet" - description: Shield public endpoints in Azure VNets with Azure DDoS Standard Protection Plans aprlGuid: 69ea1185-19b7-de40-9da1-9e8493547a5c @@ -33,7 +39,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Reliability and Azure Virtual Network - Microsoft Azure Well-Architected Framework | Microsoft Learn url: "https://learn.microsoft.com/azure/architecture/framework/services/networking/azure-virtual-network/reliability" - description: When available, use Private Endpoints instead of Service Endpoints for PaaS Services 
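Review bot: `- name: GatewaySUbnet` has a casing typo; the subnet the `#gwsub` anchor documents is `GatewaySubnet`. The three added links appear to cover subnets that cannot or should not carry an NSG (gateway, Route Server and Azure Firewall subnets), yet `longDescription` still states the rule without exceptions; a short sentence such as `Platform-managed subnets such as GatewaySubnet, RouteServerSubnet and AzureFirewallSubnet are excluded; see the linked FAQs.` would explain why those links are attached to this recommendation.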
@@ -45,12 +51,16 @@ recommendationMetadataState: Active longDescription: | Use VNet service endpoints only if Private Link isn't available and no data movement concerns. This feature restricts Azure service access to specified VNet and subnet, enhancing network security and isolating service traffic. - potentialBenefits: Enhanced security & data isolation + potentialBenefits: Enhanced security and data isolation pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Virtual Network FAQ | Microsoft Learn url: "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq" + - name: Reliability and Network connectivity - Microsoft Azure Well-Architected Framework | Microsoft LearnNetworking Reliability + url: "https://learn.microsoft.com/azure/architecture/framework/services/networking/network-connectivity/reliability" + - name: Azure Private Link availability + url: "https://learn.microsoft.com/en-us/azure/private-link/availability" diff --git a/azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml b/azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml index db5cc327b..bf117b3ed 100644 --- a/azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml +++ b/azure-resources/NetworkFunction/azureTrafficCollectors/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Ensure ExpressRoute Traffic Collector is enabled and configured for ExpressRoute Direct circuits +- description: Ensure ExpressRoute Traffic Collector is enabled and configured for ExpressRoute Direct circuits aprlGuid: 1ceea4b5-1d8b-4be0-9bbe-9594557be51a recommendationTypeId: null recommendationControl: Monitoring and Alerting 
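Review bot: The second added name in the `@@ -45,12 +51,16 @@` hunk has a concatenation artifact, `| Microsoft LearnNetworking Reliability`, where a page title and a label were glued together; trim it to `- name: Reliability and Network connectivity - Microsoft Azure Well-Architected Framework`.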
@@ -7,12 +7,12 @@ recommendationMetadataState: Active longDescription: | ExpressRoute Traffic Collector samples network flows over ExpressRoute Direct circuits, sending flow logs to a Log Analytics workspace for analysis or export to visualization tools/SIEM. - potentialBenefits: Enhanced network flow analysis & DR readiness + potentialBenefits: Enhanced network flow analysis and DR readiness pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure ExpressRoute Traffic Collector url: "https://learn.microsoft.com/en-us/azure/expressroute/traffic-collector" diff --git a/azure-resources/OperationalInsights/workspaces/recommendations.yaml b/azure-resources/OperationalInsights/workspaces/recommendations.yaml index ab7ee26d4..c5bd86d27 100644 --- a/azure-resources/OperationalInsights/workspaces/recommendations.yaml +++ b/azure-resources/OperationalInsights/workspaces/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Enable Log Analytics data export to GRS or GZRS +- description: Enable Log Analytics data export to GRS or GZRS aprlGuid: b36fd2ac-dd83-664a-ab48-ff7b8d3b189d recommendationTypeId: null recommendationControl: Governance @@ -14,8 +14,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Log Analytics workspace data export in Azure Monitor url: "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export" + - name: Azure Monitor configuration recommendations + url: "https://learn.microsoft.com/azure/azure-monitor/best-practices-logs#configuration-recommendations" - description: Create a health status alert rule for your Log Analytics workspace aprlGuid: 4b77191c-cc3c-8c4e-844b-0f56d0927890 
@@ -33,8 +35,10 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Monitor Log Analytics workspace health url: "https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-health" + - name: Azure Monitor configuration recommendations + url: "https://learn.microsoft.com/azure/azure-monitor/best-practices-logs#configuration-recommendations" - description: Configure minimal logging and retention of logs aprlGuid: 7a0063ee-98a0-4634-823b-310a67f798cc @@ -45,12 +49,16 @@ recommendationMetadataState: Active longDescription: | Azure Monitor Logs retain log data for specific periods depending on the data type, e.g., 30 days for platform logs. For compliance or business reasons, you might need longer retention. Data retention settings are adjustable. - potentialBenefits: Cost-saving & compliance with data rules + potentialBenefits: Cost-saving and compliance with data rules pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Data retention and archive in Azure Monitor Logs url: "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2" + - name: Run search jobs in Azure Monitor + url: "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/search-jobs?tabs=portal-1%2Cportal-2" + - name: Restore logs in Azure Monitor + url: "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/restore?tabs=api-1" diff --git a/azure-resources/RecoveryServices/vaults/recommendations.yaml b/azure-resources/RecoveryServices/vaults/recommendations.yaml index be3b2587d..ec2fbcb10 100644 --- a/azure-resources/RecoveryServices/vaults/recommendations.yaml +++ b/azure-resources/RecoveryServices/vaults/recommendations.yaml 
@@ -1,4 +1,4 @@ -- description: Ensure static IP addresses configured in VM failover settings are available in the failover subnet +- description: Ensure static IP addresses configured in VM failover settings are available in the failover subnet aprlGuid: e93bb813-b356-48f3-9bdf-a06a0a6ba039 recommendationTypeId: null recommendationControl: Disaster Recovery @@ -14,7 +14,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Setup network mapping for site recovery url: "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#set-up-ip-addressing-for-target-vms" - description: Validate VM functionality with a test failover to check performance at target @@ -33,7 +33,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Run a test failover url: "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-dr-drill#run-a-test-failover" - description: Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults @@ -52,8 +52,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Move to Azure monitor Alerts url: "https://learn.microsoft.com/azure/backup/move-to-azure-monitor-alerts" + - name: Classic alerts retirement announcement + url: "https://azure.microsoft.com/updates/transition-to-builtin-azure-monitor-alerts-for-recovery-services-vaults-in-azure-backup-by-31-march-2026/" - description: Opt-in to Cross Region Restore for all Geo-Redundant Storage (GRS) Azure Recovery Services vaults aprlGuid: 1549b91f-2ea0-4d4f-ba2a-4596becbe3de 
@@ -71,5 +73,12 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Set Cross Region Restore url: "https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-cross-region-restore" + - name: Azure Backup Best Practices + url: "https://learn.microsoft.com/azure/backup/guidance-best-practices" + - name: Minimum Role Requirements for Cross Region Restore + url: "https://learn.microsoft.com/azure/backup/backup-rbac-rs-vault#minimum-role-requirements-for-azure-vm-backup" + - name: Recovery Services Vault + url: "https://learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare" + diff --git a/azure-resources/Resources/resourceGroups/recommendations.yaml b/azure-resources/Resources/resourceGroups/recommendations.yaml index fa90f6f0a..931ebf2d0 100644 --- a/azure-resources/Resources/resourceGroups/recommendations.yaml +++ b/azure-resources/Resources/resourceGroups/recommendations.yaml 
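Review bot: The link named `Minimum Role Requirements for Cross Region Restore` points at the anchor `#minimum-role-requirements-for-azure-vm-backup`, which by its own text is the VM backup role section rather than a Cross Region Restore one; please confirm the target or rename the link to match what it opens. Likewise `Recovery Services Vault` resolves to `backup-azure-arm-vms-prepare`, a VM backup preparation page, so the name under-describes the destination; something like `Prepare Azure VMs for backup` would match the page.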
@@ -1,3 +1,24 @@ +- description: Subscriptions should not be placed under the Tenant Root Management Group + aprlGuid: 5ada5ffa-7149-4e49-9fbf-e67be7c2594c + recommendationTypeId: null + recommendationControl: Governance + recommendationImpact: Medium + recommendationResourceType: Microsoft.Resources/resourceGroups + recommendationMetadataState: Active + longDescription: | + The root management group in Azure is designed for organizational hierarchy, allowing for all management groups and subscriptions to fold into it. + potentialBenefits: Enhanced security, compliance, and management + pgVerified: Verified + publishedToLearn: false + publishedToAdvisor: false + automationAvailable: arg + tags: null + learnMoreLink: + - name: Management group recommendations + url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations" + - name: Root management group for each directory + url: "https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#root-management-group-for-each-directory" + - description: Ensure Resource Group and its Resources are located in the same Region aprlGuid: 98bd7098-49d6-491b-86f1-b143d6b1a0ff recommendationTypeId: null @@ -14,5 +35,6 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Resource Manager Overview url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-group-location-alignment" + diff --git a/azure-resources/ServiceBus/namespaces/recommendations.yaml b/azure-resources/ServiceBus/namespaces/recommendations.yaml index 8f88666d0..788f35401 100644 --- a/azure-resources/ServiceBus/namespaces/recommendations.yaml +++ b/azure-resources/ServiceBus/namespaces/recommendations.yaml 
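Review bot: The new recommendation's `longDescription` explains what the root management group is but never states the rule or its rationale, so a reader cannot tell why subscriptions should not sit directly under it; a sentence such as `Role and policy assignments made at the root management group are inherited by every subscription beneath it, so place subscriptions under purpose-specific child management groups instead.` would close that gap. `recommendationResourceType: Microsoft.Resources/resourceGroups` also looks mismatched for a check about subscription placement, which presumably targets subscriptions or management groups; confirm the intended type and that an ARG query backing `automationAvailable: arg` exists.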
@@ -1,4 +1,4 @@ -- description: Enable Availability Zones for Service Bus namespaces +- description: Enable Availability Zones for Service Bus namespaces aprlGuid: 20057905-262c-49fe-a9be-49f423afb359 recommendationTypeId: null recommendationControl: High Availability @@ -14,5 +14,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Service Bus and reliability url: "https://learn.microsoft.com/en-us/azure/well-architected/services/messaging/service-bus/reliability" + - name: Azure Service Bus Geo-disaster recovery + url: "https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-geo-dr#availability-zones" + - name: Insulate Azure Service Bus applications against outages and disasters + url: "https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-outages-disasters" + diff --git a/azure-resources/SignalRService/SignalR/recommendations.yaml b/azure-resources/SignalRService/SignalR/recommendations.yaml index 1ed9b7722..200357723 100644 --- a/azure-resources/SignalRService/SignalR/recommendations.yaml +++ b/azure-resources/SignalRService/SignalR/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Enable zone redundancy for SignalR +- description: Enable zone redundancy for SignalR aprlGuid: 6a8b3db9-5773-413a-a127-4f7032f34bbd recommendationTypeId: null recommendationControl: High Availability 
@@ -7,12 +7,12 @@ recommendationMetadataState: Active longDescription: | Use SignalR with zone redundancy for production to improve uptime. This feature, available in the Premium tier, is activated upon creating or upgrading to Premium. Standard can upgrade to Premium without downtime. - potentialBenefits: Enhances reliability & uptime + potentialBenefits: Enhances reliability and uptime pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Availability zones support in Azure SignalR Service url: "https://learn.microsoft.com/azure/azure-signalr/availability-zones" diff --git a/azure-resources/Sql/servers/recommendations.yaml b/azure-resources/Sql/servers/recommendations.yaml index 8d0ebfed2..13bff4b6f 100644 --- a/azure-resources/Sql/servers/recommendations.yaml +++ b/azure-resources/Sql/servers/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Use Active Geo Replication to Create a Readable Secondary in Another Region +- description: Use Active Geo Replication to Create a Readable Secondary in Another Region aprlGuid: 74c2491d-048b-0041-a140-935960220e20 recommendationTypeId: null recommendationControl: Disaster Recovery 
@@ -7,14 +7,14 @@ recommendationMetadataState: Active longDescription: | If your primary database fails, perform a manual failover to the secondary database which remains read-only until then. Active geo-replication allows creating readable replicas and manual failover in case of a datacenter outage or application upgrade. - potentialBenefits: Enhanced disaster recovery & read scalability + potentialBenefits: Enhanced disaster recovery and read scalability pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Active Geo Replication url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview" - description: Auto Failover Groups for apps should include all related databases for cohesion @@ -26,15 +26,17 @@ recommendationMetadataState: Active longDescription: | You can use the readable secondary databases to offload read-only query workloads. Autofailover groups involve multiple databases configured on a primary server, supporting replication of all databases in the group to only one secondary server or instance in a different region. - potentialBenefits: Improves load balancing & disaster recovery + potentialBenefits: Improves load balancing and disaster recovery pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: AutoFailover Groups url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/auto-failover-group-overview?tabs=azure-powershell" + - name: DR Design + url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/designing-cloud-solutions-for-disaster-recovery" - description: Use a Zone-Redundant Database aprlGuid: c0085c32-84c0-c247-bfa9-e70977cbf108 
@@ -52,7 +54,7 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Zone Redundant Databases url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/high-availability-sla" - description: Implement Retry Logic @@ -71,7 +73,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: How to Implement Retry Logic url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/troubleshoot-common-connectivity-issues" - description: Monitor your Azure SQL Database in Near Real-Time to Detect Reliability Incidents @@ -83,15 +85,19 @@ recommendationMetadataState: Active longDescription: | Use available solutions to monitor SQL Database to detect reliability incidents early, making your databases more reliable. Opt for near real-time monitoring to rapidly react to incidents. - potentialBenefits: Quick incident detection & response + potentialBenefits: Quick incident detection and response pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Monitor url: "https://learn.microsoft.com/en-us/azure/azure-monitor/insights/azure-sql#analyze-data-and-create-alerts" + - name: Azure SQL Database Monitoring + url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/monitoring-sql-database-azure-monitor" + - name: Monitoring SQL Database Reference + url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/monitoring-sql-database-azure-monitor-reference" - description: Back Up Your Keys aprlGuid: d6ef87aa-574e-584e-a955-3e6bb8b5425b 
@@ -102,12 +108,14 @@ recommendationMetadataState: Active longDescription: | It is highly recommended to use Azure Key Vault to store encryption keys for Always Encrypted configurations. Though not mandatory, if not using AKV, ensure keys are properly backed up. - potentialBenefits: Enhanced security & data recovery + potentialBenefits: Enhanced security and data recovery pgVerified: Preview publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Azure Key Vault url: "https://learn.microsoft.com/en-us/azure/key-vault/general/overview" + - name: Getting Started with Always Encrypted + url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-landing?view=azuresql" diff --git a/azure-resources/Storage/storageAccounts/recommendations.yaml b/azure-resources/Storage/storageAccounts/recommendations.yaml index d23b25881..1e9cb709d 100644 --- a/azure-resources/Storage/storageAccounts/recommendations.yaml +++ b/azure-resources/Storage/storageAccounts/recommendations.yaml @@ -1,4 +1,4 @@ -- description: Ensure that storage accounts are zone or region redundant +- description: Ensure that storage accounts are zone or region redundant aprlGuid: e6c7e1cc-2f47-264d-aa50-1da421314472 recommendationTypeId: null recommendationControl: High Availability 
@@ -7,15 +7,17 @@ recommendationMetadataState: Active longDescription: | Redundancy ensures storage accounts meet availability and durability targets amidst failures, weighing lower costs against higher availability. Locally redundant storage offers the least durability at the lowest cost. - potentialBenefits: High availability & durability for storage + potentialBenefits: High availability and durability for storage pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure Storage redundancy url: "https://learn.microsoft.com/azure/storage/common/storage-redundancy" + - name: Change the redundancy configuration for a storage account + url: "https://learn.microsoft.com/azure/storage/common/redundancy-migration" - description: Do not use classic storage accounts aprlGuid: 63ad027e-611c-294b-acc5-8e3234db9a40 @@ -33,8 +35,10 @@ automationAvailable: arg tags: null learnMoreLink: - - name: Learn More + - name: Azure classic storage accounts retirement announcement url: "https://azure.microsoft.com/updates/classic-azure-storage-accounts-will-be-retired-on-31-august-2024/" + - name: Migrate your classic storage accounts to Azure Resource Manager + url: "https://learn.microsoft.com/azure/storage/common/classic-account-migration-overview" - description: Ensure Performance tier is set as per workload aprlGuid: 5587ef77-7a05-a74d-9c6e-449547a12f27 
@@ -45,15 +49,23 @@ recommendationMetadataState: Active longDescription: | Consider using the appropriate storage performance tier for workload scenarios. Each workload scenario requires appropriate performance tiers, and selecting the appropriate tiers based on storage usage is crucial. - potentialBenefits: Optimized cost & performance + potentialBenefits: Optimized cost and performance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Types of storage accounts url: "https://learn.microsoft.com/azure/storage/common/storage-account-overview#types-of-storage-accounts" + - name: Scalability and performance targets for standard storage accounts + url: "https://learn.microsoft.com/azure/storage/common/scalability-targets-standard-account" + - name: Performance and scalability checklist for Blob storage + url: "https://learn.microsoft.com/azure/storage/blobs/storage-performance-checklist" + - name: Scalability and performance targets for Blob storage + url: "https://learn.microsoft.com/azure/storage/blobs/scalability-targets" + - name: Premium block blob storage accounts + url: "https://learn.microsoft.com/azure/storage/blobs/storage-blob-block-blob-premium" - description: Enable soft delete for recovery of data aprlGuid: 03263c57-c869-3841-9e0a-3dbb9ef3e28d @@ -71,7 +83,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Soft delete detail docs url: "https://learn.microsoft.com//azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal " - description: Enable versioning for accidental modification and keep the number of versions below 1000 @@ -90,7 +102,7 @@ automationAvailable: no tags: null learnMoreLink: - - name: Learn More + - name: Blob versioning url: "https://learn.microsoft.com/azure/storage/blobs/versioning-overview " - description: Enable point-in-time restore for GPv2 accounts to safeguard against data loss 
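Review bot: The unchanged `url` lines beside the renamed links in the `@@ -71,7 +83,7 @@` and `@@ -90,7 +102,7 @@` hunks keep defects the rename leaves in place: `"https://learn.microsoft.com//azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal "` has a doubled slash and a trailing space inside the quotes, and `"https://learn.microsoft.com/azure/storage/blobs/versioning-overview "` also ends with a space. A quoted scalar preserves that whitespace, so the stored URL carries a trailing blank; trimming both while these entries are being touched avoids a second pass.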
@@ -109,8 +121,10 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Point-in-time restore for block blobs
 url: "https://learn.microsoft.com/azure/storage/blobs/point-in-time-restore-overview"
+ - name: Perform a point-in-time restore on block blob data
+ url: "https://learn.microsoft.com/azure/storage/blobs/point-in-time-restore-manage?tabs=portal"
 - description: Monitor all blob storage accounts
 aprlGuid: 96cb8331-6b06-8242-8ce8-4e2f665dc679
@@ -121,15 +135,17 @@
 recommendationMetadataState: Active
 longDescription: |
 For critical applications and business processes relying on Azure, monitoring and alerts are crucial. Resource logs are only stored after creating a diagnostic setting to route logs to specified locations, requiring selection of log categories to collect.
- potentialBenefits: Enhanced alerting & log analysis
+ potentialBenefits: Enhanced alerting and log analysis
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Monitor Azure Blob Storage
 url: "https://learn.microsoft.com/azure/storage/blobs/monitor-blob-storage"
+ - name: Best practices for monitoring Azure Blob Storage
+ url: "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios"
 - description: Consider upgrading legacy storage accounts to v2 storage accounts
 aprlGuid: 2ad78dec-5a4d-4a30-8fd1-8584335ad781
@@ -147,5 +163,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Legacy storage account types
 url: "https://learn.microsoft.com/azure/storage/common/storage-account-overview#legacy-storage-account-types"
+ - name: Upgrade to a general-purpose v2 storage account
+ url: "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade"
diff --git a/azure-resources/Subscription/subscriptions/recommendations.yaml b/azure-resources/Subscription/subscriptions/recommendations.yaml
index 6ab5122c0..f959e8478 100644
--- a/azure-resources/Subscription/subscriptions/recommendations.yaml
+++ b/azure-resources/Subscription/subscriptions/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Do not create more than 2000 Citrix VDA servers per subscription
+- description: Do not create more than 2000 Citrix VDA servers per subscription
 aprlGuid: c041d596-6c97-4c5f-b4b3-9cd37628f2e2
 recommendationTypeId: null
 recommendationControl: Governance
@@ -14,5 +14,5 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Citrix Limits
 url: "https://docs.citrix.com/en-us/citrix-daas-azure/limits"
diff --git a/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml b/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
index a4049db47..9a00d5ffd 100644
--- a/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
+++ b/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Use Generation 2 virtual machine source image
+- description: Use Generation 2 virtual machine source image
 aprlGuid: 19b6df57-f6b5-3e4f-843a-273daa087cb0
 recommendationTypeId: null
 recommendationControl: High Availability
@@ -14,7 +14,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Generation 1 vs generation 2 virtual machines
 url: "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2#features-and-capabilities"
 - description: Replicate your Image Templates to a secondary region
@@ -33,5 +33,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Image Template resiliency
 url: "https://learn.microsoft.com/en-us/azure/reliability/reliability-image-builder?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json#capacity-and-proactive-disaster-recovery-resiliency"
+ - name: Azure Image Builder Supported Regions
+ url: "https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell#regions"
diff --git a/azure-resources/Web/serverFarms/recommendations.yaml b/azure-resources/Web/serverFarms/recommendations.yaml
index e9e34a6e3..6df234c3d 100644
--- a/azure-resources/Web/serverFarms/recommendations.yaml
+++ b/azure-resources/Web/serverFarms/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Migrate App Service to availability Zone Support
+- description: Migrate App Service to availability Zone Support
 aprlGuid: 88cb90c2-3b99-814b-9820-821a63f600dd
 recommendationTypeId: null
 recommendationControl: High Availability
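Review bot: The `reliability-image-builder` URL under the retitled `Image Template resiliency` entry carries `?toc=...&bc=...` query parameters, which on learn.microsoft.com appear to select only the navigation pane and breadcrumb for the page and add nothing a reader of this catalog needs. They make the value long and brittle (it breaks if either referenced toc.json moves) and are inconsistent with every other learn.microsoft.com URL in this commit, which carries at most a `tabs=` parameter. Since the entry is being retitled anyway, reduce the value to path plus fragment: `url: "https://learn.microsoft.com/en-us/azure/reliability/reliability-image-builder#capacity-and-proactive-disaster-recovery-resiliency"`.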
@@ -7,15 +7,17 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure's feature of deploying App Service plans across availability zones enhances resiliency and reliability by ensuring operation during datacenter failures, providing redundancy without needing different regions, thus minimizing downtime and maintaining uninterrupted services.
- potentialBenefits: Enhances app resiliency & reliability
+ potentialBenefits: Enhances app resiliency and reliability
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Migrate App Service to availability zone support
 url: "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service"
+ - name: High availability enterprise deployment using App Service Environment
+ url: "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/enterprise-integration/ase-high-availability-deployment"
 - description: Use Standard or Premium tier
 aprlGuid: b2113023-a553-2e41-9789-597e2fb54c31
@@ -26,14 +28,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Choose Standard/Premium Azure App Service Plan for robust apps with advanced scaling, high availability, better performance, and multiple slots, ensuring resilience and continuous operation.
- potentialBenefits: Enhanced scaling & reliability
+ potentialBenefits: Enhanced scaling and reliability
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Resiliency checklist for specific Azure services
 url: "https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#app-service"
 - description: Avoid scaling up or down
@@ -52,7 +54,7 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Resiliency checklist for specific Azure services
 url: "https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#app-service"
 - description: Create separate App Service plans for production and test
@@ -71,7 +73,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Resiliency checklist for specific Azure services
 url: "https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#app-service"
 - description: Enable Autoscale/Automatic scaling to ensure adequate resources are available to service requests
@@ -90,5 +92,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Automatic scaling in Azure App Service
 url: "https://learn.microsoft.com/en-us/azure/app-service/manage-automatic-scaling?tabs=azure-portal"
+ - name: Auto Scale Web Apps
+ url: "https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started"
diff --git a/azure-resources/Web/sites/recommendations.yaml b/azure-resources/Web/sites/recommendations.yaml
index 73042adb7..5be983eb5 100644
--- a/azure-resources/Web/sites/recommendations.yaml
+++ b/azure-resources/Web/sites/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Enable diagnostics logging
+- description: Enable diagnostics logging
 aprlGuid: 493f6079-3bb6-4a56-96ba-ab3248474cb1
 recommendationTypeId: null
 recommendationControl: Monitoring and Alerting
@@ -7,14 +7,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Enabling diagnostics logging for your Azure App Service is crucial for monitoring and diagnostics, including both application logging and web server logging.
- potentialBenefits: Enhanced monitoring & diagnostics
+ potentialBenefits: Enhanced monitoring and diagnostics
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Enable diagnostics logging for apps in Azure App Service
 url: "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs"
 - description: Monitor Performance
@@ -26,15 +26,17 @@
 recommendationMetadataState: Active
 longDescription: |
 Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.
- potentialBenefits: Real-time insights & issue diagnosis
+ potentialBenefits: Real-time insights and issue diagnosis
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Application Insights
 url: "https://learn.microsoft.com/azure/application-insights/app-insights-overview"
+ - name: Application monitoring for Azure App Service
+ url: "https://learn.microsoft.com/azure/azure-monitor/app/azure-web-apps"
 - description: Separate web apps from web APIs
 aprlGuid: 78a5c033-ff51-4332-8a71-83464c34494b
@@ -52,7 +54,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Resiliency checklist for specific Azure services
 url: "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#app-service"
 - description: Create a separate storage account for logs
@@ -71,7 +73,7 @@
 automationAvailable: no
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Resiliency checklist
 url: "https://learn.microsoft.com/azure/architecture/checklist/resiliency-per-service#app-service"
 - description: Deploy to a staging slot
@@ -83,14 +85,14 @@
 recommendationMetadataState: Active
 longDescription: |
 Create a deployment slot for staging to deploy updates, verify them, and ensure all instances are warmed up before production swap, reducing bad update chances. An LKG slot allows easy rollback to a previous good deployment if issues arise later, enhancing reliability.
- potentialBenefits: Safer updates & easy rollback
+ potentialBenefits: Safer updates and easy rollback
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Set up staging environments in Azure App Service
 url: "https://learn.microsoft.com/azure/app-service-web/web-sites-staged-publishing"
 - description: Store configuration as app settings
@@ -109,5 +111,5 @@
 automationAvailable: arg
 tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Configure web apps in Azure App Service
 url: "https://learn.microsoft.com/azure/app-service-web/web-sites-configure"
diff --git a/azure-specialized-workloads/avd/recommendations.yaml b/azure-specialized-workloads/avd/recommendations.yaml
index 5bce0f83a..723569ccb 100644
--- a/azure-specialized-workloads/avd/recommendations.yaml
+++ b/azure-specialized-workloads/avd/recommendations.yaml
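Review bot: The new title `Resiliency checklist` at `@@ -71,7 +73,7 @@` labels the same URL (`resiliency-per-service#app-service`) that the hunk at `@@ -52,7 +54,7 @@` in this file, and the serverFarms file earlier in the commit, title `Resiliency checklist for specific Azure services`. One destination under two display names reads as two different documents to a reader and defeats any de-duplication a consumer might do on the link list. Use the same title here: `- name: Resiliency checklist for specific Azure services`.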
@@ -67,7 +67,7 @@
 recommendationMetadataState: Active
 longDescription: |
 It is recommended to enable RDP Shortpath for AVD. RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. By default, Remote Desktop Protocol (RDP) tries to establish connection using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. TCP-based reverse connect transport provides the best compatibility with various networking configurations and has a high success rate for establishing RDP connections. UDP-based transport offers better connection reliability and more consistent latency.
- potentialBenefits: Better reliability & consistent latency
+ potentialBenefits: Better reliability and consistent latency
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -86,7 +86,7 @@
 recommendationMetadataState: Active
 longDescription: |
 It is recommended to adopt a multi-region deployment (active-active) for AVD. Each region should contain at least identity, name resolution, AVD management resources, and session hosts in case of a primary region outage.
- potentialBenefits: Enhanced resilience & uptime
+ potentialBenefits: Enhanced resilience and uptime
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -150,9 +150,8 @@
 - ZRS is recommended for apps requiring high availability across zones. ZRS provides twelve 9s durability. Replicated across three availability zones
 - GRS replicates an additional three copies to secondary region and provides sixteen 9s durability.
 - GZRS provides both high availability and redundancy across geo replication. It provides sixteen 9s durability over a given year. - Generally, it is recommended to store your data as secure and redundant as possible.
- potentialBenefits: Improves data durability & availability
+ potentialBenefits: Improves data durability and availability
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -444,7 +443,7 @@
 App Attach packages should be on a separate share from profiles. And App Attach files should be backed up. Best practice is to separate App Attach VHD files in a separate file share away from user profiles, both for performance and scalability purposes. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements. Your file share should be in the same Azure region as your session hosts.
- potentialBenefits: Enhances performance & scalability
+ potentialBenefits: Enhances performance and scalability
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -483,7 +482,7 @@
 longDescription: |
 NSG and ASG per AVD persona and IP space per Prod/DR regions. It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges.
- potentialBenefits: Enhances security & prevents IP conflicts
+ potentialBenefits: Enhances security and prevents IP conflicts
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -502,7 +501,6 @@
 recommendationMetadataState: Active
 longDescription: |
 Ensure Route Tables that force tunnel traffic to FW/NVA have failover considerations evaluated and won't fail or trigger next-gen FW protections.
-
 AVD workload teams should collaborate with centralized teams that manage the shared infrastructure, like networking, to ensure that both Production and DR workloads have the appropriate route tables in place for failover of routing to perform as expected.
 potentialBenefits: Enhanced failover reliability
 pgVerified: Verified
@@ -542,7 +540,7 @@
 recommendationMetadataState: Active
 longDescription: |
 AVD Insights is an Azure Workbook template provided by the AVD product team. It is highly recommended in order to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights.
- potentialBenefits: Enhanced AVD monitoring & troubleshooting
+ potentialBenefits: Enhanced AVD monitoring and troubleshooting
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -561,7 +559,7 @@
 recommendationMetadataState: Active
 longDescription: |
 Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident.
- potentialBenefits: Improved DR visibility & operation
+ potentialBenefits: Improved DR visibility and operation
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -580,7 +578,7 @@
 recommendationMetadataState: Active
 longDescription: |
 Follow AVD Landing Zone best practices using multiple resource groups based on resource type and associated shared resources for AVD workloads.
- potentialBenefits: Enhanced organization & scalability
+ potentialBenefits: Enhanced organization and scalability
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
diff --git a/azure-specialized-workloads/avs/recommendations.yaml b/azure-specialized-workloads/avs/recommendations.yaml
index ed3fbf687..2c8cdc225 100644
--- a/azure-specialized-workloads/avs/recommendations.yaml
+++ b/azure-specialized-workloads/avs/recommendations.yaml
@@ -64,7 +64,7 @@
 recommendationMetadataState: Active
 longDescription: |
 Ensure sufficient memory resources to prevent host resource exhaustion in Azure VMware Solution. It uses vSphere DRS and vSphere HA for dynamic workload management. Yet, continuous memory use over 95% leads to disk swapping, affecting workloads.
- potentialBenefits: Avoids host exhaustion & swapping
+ potentialBenefits: Avoids host exhaustion and swapping
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -140,7 +140,7 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure VMware Solution vSAN stretched clusters cover 2 Availability Zones plus a third for witness. Use ExpressRoute for added resilience by deploying two circuits in different locations. With Global Reach, create a mesh topology by connecting on-premises circuits to Azure's managed circuits.
- potentialBenefits: Enhanced resilience & connectivity
+ potentialBenefits: Enhanced resilience and connectivity
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
@@ -178,7 +178,7 @@
 recommendationMetadataState: Active
 longDescription: |
 Azure VMware Solution private clouds support up to three DNS servers for a single FQDN, preventing a single DNS server from becoming a point of failure. It's crucial to use multiple DNS servers for on-premises FQDN resolution from each private cloud.
- potentialBenefits: Enhances reliability & avoids failure
+ potentialBenefits: Enhances reliability and avoids failure
 pgVerified: Preview
 publishedToLearn: false
 publishedToAdvisor: false
diff --git a/azure-specialized-workloads/hpc/recommendations.yaml b/azure-specialized-workloads/hpc/recommendations.yaml
index 269f01184..58fe036d8 100644
--- a/azure-specialized-workloads/hpc/recommendations.yaml
+++ b/azure-specialized-workloads/hpc/recommendations.yaml
@@ -1,76 +1,75 @@
 - description: Ensure File shares that stores jobs metadata are accessible from all head nodes
 aprlGuid: 4c78fab4-845a-495d-ab14-3ad51de53a2a
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
 recommendationMetadataState: Active
 longDescription: |
- Currently in all HPC Pack ARM templates we create the cluster share on one of the head node which is not highly available.
- potentialBenefits: Enhances job metadata availability
+ Currently in all HPC Pack ARM templates we create the cluster share on one of the head node which is not highly available.
+ potentialBenefits: Enhances job metadata availability
 pgVerified: Preview
 publishedToLearn: false
- publishedToAdvisor: false
+ publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#hpc-pack-cluster-shares"
+ - name: Learn More
+ url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#hpc-pack-cluster-shares"
 - description: Automatically grow and shrink HPC Pack cluster resources
 aprlGuid: b02b5a0e-3770-44da-a099-5dd4d9f8cd70
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: Scalability
 recommendationImpact: Medium
 recommendationResourceType: n/a
 recommendationMetadataState: Active
 longDescription: |
- By deploying Azure "burst" nodes (both Windows and Linux) in your HPC Pack cluster or creating your HPC Pack cluster in Azure, you can automatically grow or shrink the cluster's resources such as nodes or cores according to the workload on the cluster.
- potentialBenefits: Efficient, uninterrupted execution
+ By deploying Azure "burst" nodes (both Windows and Linux) in your HPC Pack cluster or creating your HPC Pack cluster in Azure, you can automatically grow or shrink the cluster's resources such as nodes or cores according to the workload on the cluster.
+ potentialBenefits: Efficient, uninterrupted execution
 pgVerified: Preview
 publishedToLearn: false
- publishedToAdvisor: false
+ publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-auto-grow-shrink?view=hpc19-ps"
+ - name: Learn More
+ url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-auto-grow-shrink?view=hpc19-ps"
 - description: Use multiple head nodes for HPC Pack
 aprlGuid: a48b1be6-77a3-4e3c-8205-dda2ba010a99
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: Medium
 recommendationResourceType: n/a
 recommendationMetadataState: Active
 longDescription: |
 Establish a cluster with a minimum of two head nodes. In the event of a head node failure, the active HPC Service will be automatically transferred from the affected head node to another functioning one.
- potentialBenefits: Enhanced reliability for HPC
+ potentialBenefits: Enhanced reliability for HPC
 pgVerified: Preview
 publishedToLearn: false
- publishedToAdvisor: false
+ publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#dealing-with-head-node-failure"
+ - name: Learn More
+ url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#dealing-with-head-node-failure"
 - description: Use HPC Pack Azure AD Integration or other highly available AD configuration
 aprlGuid: 37eec891-7880-4759-b597-7cd925512fe3
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
 recommendationMetadataState: Active
 longDescription: |
- When HPC failed to connect to the Domain controller, admin and user will not be able to connect to the HPC Service thus not able to manage and submit jobs to the cluster.
- potentialBenefits: Enhanced reliability & job management
+ When HPC failed to connect to the Domain controller, admin and user will not be able to connect to the HPC Service thus not able to manage and submit jobs to the cluster.
+ potentialBenefits: Enhanced reliability and job management
 pgVerified: Preview
 publishedToLearn: false
- publishedToAdvisor: false
+ publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#dealing-with-ad-failure"
-
+ - name: Learn More
+ url: "https://learn.microsoft.com/en-us/powershell/high-performance-computing/hpcpack-ha-cloud?view=hpc19-ps#dealing-with-ad-failure"
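Review bot: This whole-file rewrite of the HPC recommendations re-indents the four `- name: Learn More` entries but keeps the generic title, while every other file in the commit replaces `Learn More` with the article's name; the four targets are distinct sections of the HPC Pack high-availability and auto-grow-shrink documents, so the inconsistency is visible in the rendered output. Giving each its section title (for example `- name: HPC Pack cluster shares` for the `#hpc-pack-cluster-shares` anchor) would bring the file in line with the rest of the change. The rewrite also normalizes the bare `tags:` and `recommendationTypeId:` to an explicit `null` but leaves `automationAvailable: no` unquoted; a YAML 1.1 loader such as PyYAML reads `no` as boolean false while the sibling value `arg` used elsewhere in the catalog stays a string, so the field becomes mixed-type. If the consuming tool is such a loader, quote it (`automationAvailable: "no"`) catalog-wide in one pass rather than only in this file.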
diff --git a/azure-specialized-workloads/sap/recommendations.yaml b/azure-specialized-workloads/sap/recommendations.yaml
index 9630fcd4b..aeaa9893a 100644
--- a/azure-specialized-workloads/sap/recommendations.yaml
+++ b/azure-specialized-workloads/sap/recommendations.yaml
@@ -1,6 +1,6 @@
 - description: Ensure that each SAP production system is designed for high availability across availability zones
 aprlGuid: a9b649a5-2bfe-40ca-9b8f-34f9c71dfa12
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
@@ -12,33 +12,47 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: SAP ACSS Quality Insights
+ url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights"
+ - name: OpenSource Inventory Checks
+ url: "https://aka.ms/ACESInventoryCheckSAP"
+ - name: OpenSource Quality Checks
+ url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck"
+ - name: Move Regional SAP HA to Zonal
 url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/Move-VM-from-AvSet-to-AvZone/Move-Regional-SAP-HA-To-Zonal-SAP-HA-WhitePaper"
+ - name: High Availability Deployment Options for SAP
+ url: "https://learn.microsoft.com/en-us/azure/sap/workloads/sap-high-availability-architecture-scenarios#high-availability-deployment-options-for-sap-workload"
 - description: Run SAP application servers on two or more VMs using VMSS Flex
 aprlGuid: 49bd34ab-d117-4b0e-99f8-34cc8a5394bc
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
 recommendationMetadataState: Active
 longDescription: |
- Use Virtual Machines Scale Set (VMSS) with flexible orchestration to distribute the virtual machines across specified zones and within each zone to also distribute VMs across different fault domains within the zone on a best effort basis. Configure VMSS Flex following Microsoft recommendation for SAP workload using the right mode and correct settings. If you aren't currently using VMSS Flex for SAP application servers and also not using Availability Sets with Fault domain & Update domain distribution, then you should consider moving to VMSS Flex architecture to improve the resiliency posture of your SAP deployment.
 The following blog post in links below outlines the details on the process of migrating existing SAP workloads that are deployed in an availability set or availability zone to a flexible scale set with FD=1 deployment option.
+ Use Virtual Machines Scale Set (VMSS) with flexible orchestration to distribute the virtual machines across specified zones and within each zone to also distribute VMs across different fault domains within the zone on a best effort basis. Configure VMSS Flex following Microsoft recommendation for SAP workload using the right mode and correct settings. If you aren't currently using VMSS Flex for SAP application servers and also not using Availability Sets with Fault domain and Update domain distribution, then you should consider moving to VMSS Flex architecture to improve the resiliency posture of your SAP deployment. The following blog post in links below outlines the details on the process of migrating existing SAP workloads that are deployed in an availability set or availability zone to a flexible scale set with FD=1 deployment option.
 potentialBenefits: Enhanced resiliency for SAP on Azure
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: OpenSource Inventory Checks
+ url: "https://aka.ms/ACESInventoryCheckSAP"
+ - name: Virtual machine Scale Set SAP Deployment Guide
 url: "https://learn.microsoft.com/en-us/azure/sap/workloads/virtual-machine-scale-set-sap-deployment-guide"
+ - name: Considerations for Flexible VM Scale Sets for SAP
+ url: "https://learn.microsoft.com/en-us/azure/sap/workloads/virtual-machine-scale-set-sap-deployment-guide?tabs=scaleset-cli#important-consideration-of-flexible-virtual-machine-scale-sets-for-sap-workload"
+ - name: Migrate existing SAP system VMs to VMSS Flex
+ url: "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/how-to-easily-migrate-an-existing-sap-system-vms-to-flexible/ba-p/3833548"
 - description: If using single-instance VMs all OS and data disks must be Premium SSD or Ultra Disk
 aprlGuid: b60ae773-9917-4bca-8a42-7cb45365a917
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
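Review bot: The `longDescription` of the VMSS Flex recommendation ends up with its closing sentence duplicated: the removed line `Use Virtual Machines Scale Set ... SAP deployment.` is replaced by an added line that already appends `The following blog post in links below ... FD=1 deployment option.`, yet the hunk's line counts (33 to 47 with 21 added lines) indicate the original `The following blog post ...` line is kept as context, so the new block reads that sentence once on its own and again at the end of the merged line. The removal should cover both old lines, or the added line should stop at `... posture of your SAP deployment.`. The order of the kept line and the added line is inferred from the diff layout rather than visible directly, so please confirm against the rendered text.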
@@ -50,14 +64,22 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: SAP ACSS Insights
+ url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights"
+ - name: OpenSource Inventory Checks
+ url: "https://aka.ms/ACESInventoryCheckSAP"
+ - name: OpenSource Quality Checks
+ url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck"
+ - name: VM SLA
 url: "https://www.azure.cn/en-us/support/sla/virtual-machines/"
+ - name: SAP Storage Planning Guide
+ url: "https://learn.microsoft.com/en-us/azure/sap/workloads/planning-guide-storage"
 - description: Ensure that the data is replicated synchronously (SYNC mode) between the primary and secondary database hosting VM nodes
 aprlGuid: 094400a5-f112-408d-a334-afd68873ff0f
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
@@ -69,14 +91,16 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: SAP ACSS Insights
 url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights"
+ - name: OpenSource Quality Checks
+ url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck"
 - description: Ensure that SAP shared file systems are designed for high availability and when possible using availability zones
 aprlGuid: e09ca960-20b7-4831-b85b-83ec84c1390e
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
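Review bot: The new title `VM SLA` in `@@ -50,14 +64,22 @@` labels `https://www.azure.cn/en-us/support/sla/virtual-machines/`, which belongs to Azure China (operated by 21Vianet) rather than to global Azure; unless the sovereign cloud is intended, the link sends readers of a global catalog to terms that do not apply to them, and the target should be the global Virtual Machines SLA page (exact URL to be confirmed by the author). The same hunk, and the hunks at L156, L160 and L162, also add `https://aka.ms/ACESInventoryCheckSAP` as `OpenSource Inventory Checks`; an aka.ms redirector can be repointed without any change to this repository, so a reviewer cannot see what they are approving and the catalog keeps no stable record of the destination. Prefer the resolved destination URL, as the sibling `OpenSource Quality Checks` entry already does by linking github.com directly, or at least record the resolved target in the commit message.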
@@ -89,14 +113,14 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights"
+ - name: OpenSource Inventory Checks
+ url: "https://aka.ms/ACESInventoryCheckSAP"
 - description: Test high availability solutions thoroughly to ensure fail overs work as expected
 aprlGuid: 5663a808-56be-49ea-8d5c-c5dfc6925f76
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
@@ -109,14 +133,14 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights"
+ - name: Test Cases
+ url: "https://learn.microsoft.com/en-us/azure/sap/workloads/sap-hana-high-availability?tabs=lb-portal#test-the-cluster-setup"
 - description: Remove unwanted location constraints from Linux Pacemaker clusters
 aprlGuid: 1b8a3051-dfd4-4780-bfb7-446296774029
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
@@ -133,14 +157,12 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: no
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
- url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights"
 - description: Secure compute resource capacity for critical VM roles in DR region
 aprlGuid: 820b4c0c-8a74-442a-8ba7-b0cb840cd983
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: Disaster Recovery
 recommendationImpact: Medium
 recommendationResourceType: n/a
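Review bot: The hunk at `@@ -133,14 +157,12 @@` removes the only entry under `learnMoreLink:` for the Pacemaker location-constraint recommendation and adds nothing back, so the key is left with no value and parses as `null`, not as an empty list; a consumer that iterates `learnMoreLink` or indexes its first element, as every other entry in this file allows, will fail on this one item. Either restore a relevant link or make the empty value explicit, `learnMoreLink: []`, matching how the same hunk writes `tags: null` rather than a bare key. The two preceding hunks in this span replace the generic quality-checks link with targeted ones and raise nothing further.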
@@ -154,14 +176,14 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Capacity Reservation url: "https://learn.microsoft.com/en-us/azure/virtual-machines/capacity-reservation-overview" - description: Ensure that the production databases are replicated (ASYNC) to DR location using the database vendor's replication technology aprlGuid: fb8bdcee-d88f-408d-8572-a76a4aaa733b - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: High recommendationResourceType: n/a 
@@ -173,33 +195,35 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" + - name: SAP Disaster Recovery Guide + url: "https://learn.microsoft.com/en-us/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows" - description: SAP components are backed up to DR location using an appropriate backup tool or ASR aprlGuid: 41f0d88e-7866-4444-aac4-ef5fee3e6874 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: High recommendationResourceType: n/a recommendationMetadataState: Active longDescription: | SAP components such as (A)SCS, application servers, WebDispatchers, etc are backed up to DR location using an appropriate backup tool or ASR. - potentialBenefits: Ensures SAP data safety & recovery + potentialBenefits: Ensures SAP data safety and recovery pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More + - name: SAP ACSS Insights url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" + - name: OpenSource Inventory Checks + url: "https://aka.ms/ACESInventoryCheckSAP" - description: SAP shared files systems are replicated or backed up to DR location aprlGuid: ee4dc309-00a1-49fe-92fa-1724baf5f103 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: High recommendationResourceType: n/a 
@@ -211,14 +235,14 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" + - name: DR Guidance + url: "https://learn.microsoft.com/en-us/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows" - description: Automate DR infrastructure build or pre-deploy DR resources aprlGuid: 0fabc52e-cdbb-4acd-8626-c4c637061e2d - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: Medium recommendationResourceType: n/a @@ -230,14 +254,12 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" - description: Document and test DR procedure ensure it meets RPO and RTO targets aprlGuid: c300e949-528d-4ac9-889b-cacf8b4a6e90 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: Medium recommendationResourceType: n/a 
@@ -251,33 +273,29 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" - description: Ensure there is a robust monitoring and alerting solution in place for the entire DR solution aprlGuid: c27134b7-6917-4852-8276-3dbef5c71578 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: Medium recommendationResourceType: n/a recommendationMetadataState: Active longDescription: | For an SAP solution hosted on Azure it is imperative to implement a robust monitoring and alerting solution that comprehensively covers DR of each layer of the SAP architecture. Given the complexity of SAP systems, which span multiple layers using diverse technologies and Azure resources, each with potentially distinct DR replication mechanisms, an appropriate monitoring strategy is crucial. The different layers include database, central services, application, and shared file systems. - potentialBenefits: Improved DR oversight & rapid issue response + potentialBenefits: Improved DR oversight and rapid issue response pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" - description: Configure scheduled events notification aprlGuid: 6b589ce6-c847-4cee-af35-f6e8eb1cf983 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Monitoring and Alerting recommendationImpact: High recommendationResourceType: n/a 
@@ -285,27 +303,26 @@ longDescription: | Scheduled events is an Azure Metadata Services that provides proactive notifications about upcoming maintenance events (for example, reboot) so that your application can prepare for them and limit disruption. You should configure scheduled events for all your critical Azure VMs. - Resource agent azure-events-az can also integrate with Pacemaker clusters. To ensure high availability and service continuity in your Azure VMs, you should configure the azure-events-az resource agent within your Pacemaker clusters. This agent monitors for scheduled Azure maintenance events and can proactively relocate resources for a graceful node shutdown. Configure the agent to monitor specific event types such as Reboot and Redeploy, and enable verbose logging for detailed diagnostics. - - In addition, it is also important that you define a procedure on how to react to scheduled events. potentialBenefits: Proactive maintenance awareness pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More + - name: VM Scheduled Events url: "https://learn.microsoft.com/en-us/azure/virtual-machines/linux/scheduled-events" + - name: Configure Pacemaker for Azure Scheduled Events + url: "https://learn.microsoft.com/en-us/azure/sap/workloads/high-availability-guide-suse-pacemaker?tabs=msi#configure-pacemaker-for-azure-scheduled-events" - description: ASCS-Pacemaker (Central Server Instance) Ensure Pacemaker cluster has been setup for SAP ASCS high availability aprlGuid: 9d8f6678-694c-4da4-8384-415201f65194 - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: n/a 
@@ -317,14 +334,18 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More + - name: SAP ACSS Insights url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" + - name: OpenSource Quality Checks + url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck" + - name: ASCS-Pacemaker - Central Server Instance + url: "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations" - description: ASCS-LB (Central Server Instance) Ensure the load balancer is configured correctly for SAP ASCS High availability aprlGuid: 5c2e52d0-25be-4b1c-833c-b98b5ef1a26b - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: n/a @@ -336,14 +357,18 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More + - name: SAP ACSS Insights + url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" + - name: OpenSource Quality Checks + url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck" + - name: ASCS-LB - Central Server Instance url: "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations" - description: DBHANA-Pacemaker (Database Instance) Ensure the Pacemaker cluster has been setup for SAP HANA DB high availability aprlGuid: 6648fe61-880d-4a96-8d2d-190a23d5580b - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: n/a 
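Review bot: The new "ASCS-Pacemaker - Central Server Instance" entry, and the matching "ASCS-LB", "DBHANA-Pacemaker" and "DBHANA-LB" entries in the next three hunks (@@ -336, @@ -355, @@ -374), all point at the top of the same generic Advisor page on the legacy `docs.microsoft.com` host, so none of them leads to the specific recommendation the name promises. Using the `learn.microsoft.com` host the rest of the file already standardizes on, and linking to the section for each recommendation rather than the page top, would make the four links actually distinct. In the @@ -374 hunk the name `DBHANA-LB- Database Instance` is also missing the space before the hyphen that its three siblings have.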
@@ -355,14 +380,18 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More + - name: SAP ACSS Insights + url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" + - name: OpenSource Quality Checks + url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck" + - name: DBHANA-Pacemaker - Database Instance url: "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations" - description: DBHANA-LB (Database Instance) Ensure the load balancer is configured correctly for SAP HANA DB High availability aprlGuid: 2e4c2171-a83f-4238-a8e3-b51c90d86a99 - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: n/a @@ -374,7 +403,11 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: no - tags: + tags: null learnMoreLink: - - name: Learn More + - name: SAP ACSS Insights + url: "https://learn.microsoft.com/en-us/azure/sap/center-sap-solutions/get-quality-checks-insights" + - name: OpenSource Quality Checks + url: "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck" + - name: DBHANA-LB- Database Instance url: "https://docs.microsoft.com/en-us/azure/advisor/advisor-reference-reliability-recommendations" diff --git a/azure-waf/define/recommendations.yaml b/azure-waf/define/recommendations.yaml index fc5aaf8e0..3dc6bd955 100644 --- a/azure-waf/define/recommendations.yaml +++ b/azure-waf/define/recommendations.yaml 
@@ -1,37 +1,39 @@ -- description: Define and share Availability Targets with all teams for workload consistency +- description: Define and share Availability Targets with all teams for workload consistency aprlGuid: 0c8a12dd-52fb-cf40-bb4a-b60f99409bab - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: WellArchitected/Define recommendationMetadataState: Active longDescription: | Ensure the Availability Targets (SLA, SLO, SLI) are well defined, tested, monitored and communicated across teams working on the Workload. A Service Level Agreement (SLA) is an availability target that represents a commitment around performance and availability of the application. Understanding the SLA of individual components within the system is essential to define reliability targets. Knowing the SLA of dependencies will also provide a justification for additional spend when making the dependencies highly available and with proper support contracts. Availability targets for any dependencies leveraged by the application should be understood and ideally align with application targets should also be considered. Understanding your availability expectations is vital to reviewing overall operations for the application. For example, if you are striving to achieve an application Service Level Objective (SLO) of 99.999%, the level of inherent operational action required by the application is going to be far greater than if an SLO of 99.9% was the goal. 
- potentialBenefits: Enhances reliability & communication + potentialBenefits: Enhances reliability and communication pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Use business metrics to design resilient Azure applications url: "https://learn.microsoft.com/azure/well-architected/resiliency/business-metrics#workload-availability-targets" + - name: Target functional and nonfunctional requirements + url: "https://learn.microsoft.com/azure/well-architected/resiliency/design-requirements" - description: Ensure the Recovery Targets are well defined and communicated across teams working on the Workload aprlGuid: a43ab756-5b33-2345-8743-3daee911a1ae - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: High recommendationResourceType: WellArchitected/Define recommendationMetadataState: Active longDescription: | Ensure the Recovery Targets are well defined and communicated across teams working on the Workload. Two important metrics to consider are the recovery time objective and recovery point objective, as they pertain to disaster recovery. - Recovery time objective (RTO) is the maximum acceptable time that an application can be unavailable after an incident. If your RTO is 90 minutes, you must be able to restore the application to a running state within 90 minutes from the start of a disaster. If you have a very low RTO, you might keep a second regional deployment continually running an active/passive configuration on standby, to protect against a regional outage. In some cases, you might deploy an active/active configuration to achieve even lower RTO. - Recovery point objective (RPO) is the maximum duration of data loss that is acceptable during a disaster. 
For example, if you store data in a single database, with no replication to other databases, and perform hourly backups, you could lose up to an hour of data. RTO and RPO are non-functional requirements of a system and should be dictated by business requirements. To derive these values, it's a good idea to conduct a risk assessment, and clearly understanding the cost of downtime or data loss. Monitoring and measuring application availability is vital to qualifying overall application health and progress towards defined targets. Make sure you measure and monitor key targets such as: - Mean Time Between Failures (MTBF) - The average time between failures of a particular component. - Mean Time to Recover (MTTR) - The average time it takes to restore a component after a failure. - potentialBenefits: Improved recovery times & data loss prevention + potentialBenefits: Improved recovery times and data loss prevention pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Target functional and nonfunctional requirements url: "https://learn.microsoft.com/azure/well-architected/resiliency/design-requirements" diff --git a/azure-waf/deploy/recommendations.yaml b/azure-waf/deploy/recommendations.yaml index 2c75901bd..aa370faab 100644 --- a/azure-waf/deploy/recommendations.yaml +++ b/azure-waf/deploy/recommendations.yaml @@ -1,6 +1,6 @@ -- description: Avoid manual configuration to enforce consistency with Infrastructure as code +- description: Avoid manual configuration to enforce consistency with Infrastructure as code aprlGuid: 6bf9e5d5-fe57-c647-8daa-4903770e1302 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Automation recommendationImpact: Medium recommendationResourceType: WellArchitected/Deploy 
@@ -12,14 +12,14 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Avoid manual configuration to enforce consistency url: "https://learn.microsoft.com/devops/deliver/what-is-infrastructure-as-code#avoid-manual-configuration-to-enforce-consistency" - description: Validated all changes in development environments before applying them to production aprlGuid: e42e646c-7d67-dd4b-96dc-16a3439fa030 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Automation recommendationImpact: Medium recommendationResourceType: WellArchitected/Deploy @@ -31,7 +31,8 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Safe deployment practices url: "https://learn.microsoft.com/devops/operate/safe-deployment-practices" + diff --git a/azure-waf/design/recommendations.yaml b/azure-waf/design/recommendations.yaml index 8a1fc2827..964278679 100644 --- a/azure-waf/design/recommendations.yaml +++ b/azure-waf/design/recommendations.yaml 
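Review bot: The second hunk appears to end with a lone `+` line after the last `url:` entry, which adds a trailing empty line (possibly whitespace-only) at the end of azure-waf/deploy/recommendations.yaml; yamllint reports that under its empty-lines and new-line-at-end-of-file checks, and the other files in this patch end directly after their last entry. The same trailing `+` appears in the @@ -12 hunk of azure-waf/respond/recommendations.yaml. Dropping the added line keeps all the recommendation files ending the same way.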
@@ -1,44 +1,46 @@ -- description: Consider deploying your application across multiple zones +- description: Consider deploying your application across multiple zones aprlGuid: 063d7237-5f68-5d42-b3d1-43144b3630b5 - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: WellArchitected/Design recommendationMetadataState: Active longDescription: | Design your application architecture to use availability zones within a region. Availability zones can be used to optimize application availability within a region by providing datacenter-level fault tolerance. However, the application architecture must not share dependencies between zones to use them effectively. Consider if component proximity is required for application performance reasons. If all or part of the application is highly sensitive to latency, components might need to be co-located which can limit the applicability of multi-region and multi-zone strategies. - potentialBenefits: Enhanced app availability & fault tolerance + potentialBenefits: Enhanced app availability and fault tolerance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Use Availability Zones url: "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones" - description: Consider deploying your application across multiple regions aprlGuid: 8a497b6d-d065-0d43-a7d9-e3f8eebfe0f4 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: High recommendationResourceType: WellArchitected/Design recommendationMetadataState: Active longDescription: | If your application is deployed to a single region, and the region becomes unavailable, your application will also be unavailable. This might be unacceptable under the terms of your application's SLA. 
If so, consider deploying your application and its services across multiple regions. A multiregional deployment can use an active-active or active-passive configuration. An active-active configuration distributes requests across multiple active regions. An active-passive configuration keeps warm instances in the secondary region, but doesn't send traffic there unless the primary region fails. - potentialBenefits: Enhances app availability & SLA compliance + potentialBenefits: Enhances app availability and SLA compliance pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Design reliable Azure applications url: "https://learn.microsoft.com/azure/well-architected/resiliency/app-design" + - name: Cross-region replication in Azure Business continuity and disaster recovery + url: "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure" - description: Ensure that all fault-points and fault-modes are understood and operationalized aprlGuid: 99ebe682-6306-6446-bfc7-cf6610ebfa02 - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: WellArchitected/Design @@ -50,14 +52,14 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Failure mode analysis for Azure applications url: "https://learn.microsoft.com/azure/architecture/resiliency/failure-mode-analysis" - description: Use PaaS Azure services instead of IaaS aprlGuid: 097651d8-6e62-314a-9299-a0234ffd190e - recommendationTypeId: + recommendationTypeId: null recommendationControl: Scalability recommendationImpact: Medium recommendationResourceType: WellArchitected/Design 
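Review bot: The new link name `Cross-region replication in Azure Business continuity and disaster recovery` reads as two titles run together; the source page is presumably titled with a colon after "Azure". Note that a plain scalar containing `: ` is parsed as a nested mapping and breaks the file, so if the colon is restored the value must be quoted, e.g. `- name: "Cross-region replication in Azure: Business continuity and disaster recovery"`, or shortened to `- name: Cross-region replication in Azure`.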
@@ -69,52 +71,52 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Use platform as a service (PaaS) options url: "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services" - description: Design the application to scale out aprlGuid: 7f4c76d7-f9d4-d643-ab73-4d8f27fd7ed9 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Scalability recommendationImpact: High recommendationResourceType: WellArchitected/Design recommendationMetadataState: Active longDescription: | Azure provides elastic scalability and you should design to scale out. However, applications must leverage a scale-unit approach to navigate service and subscription limits to ensure that individual components and the application as a whole can scale horizontally. Don't forget about scale in, which is important to reduce cost. For example, scale in and out for App Service is done via rules. Often customers write scale out rules and never write scale in rules, which leaves the App Service more expensive. 
- potentialBenefits: Enhances scalability & cost efficiency + potentialBenefits: Enhances scalability and cost efficiency pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Design to scale out url: "https://learn.microsoft.com/azure/architecture/guide/design-principles/scale-out" - description: Create a landing zone for the workload following the Microsoft Cloud Adoption Framework aprlGuid: 6132a11a-3ea0-e64c-877b-f01ca1de79d4 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Governance recommendationImpact: Low recommendationResourceType: WellArchitected/Design recommendationMetadataState: Active longDescription: | From a workload perspective, a landing zone refers to a prepared platform into which the application gets deployed. A landing zone implementation can have compute, data sources, access controls, and networking components already provisioned. With the required plumbing ready in place; the workload needs to plug into it. When considering the overall security, a landing zone offers centralized security capabilities that adds a threat mitigation layer for the workload. Implementations can vary but here are some common strategies that enhance the security posture. - Isolation through segmentation. You can isolate assets at several layers from Azure enrollment down to a subscription that has the resources for the workload. - Consistent adoption of organizational policies, enforce creation and deletion of services and their configuration through Azure Policy. - Configurations that align with principles of Zero Trust . For instance an implementation might have network connectivity to on-premises data centers. 
- potentialBenefits: Enhances security & speeds deployment + potentialBenefits: Enhances security and speeds deployment pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Azure landing zone integration url: "https://learn.microsoft.com/azure/well-architected/security/design-governance-landing-zone" - description: Design a BCDR strategy that will help to meet the business requirements aprlGuid: b09061cb-d536-1347-9957-390c2d0cfa3d - recommendationTypeId: + recommendationTypeId: null recommendationControl: Disaster Recovery recommendationImpact: High recommendationResourceType: WellArchitected/Design 
@@ -126,45 +128,45 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Backup and disaster recovery for Azure applications url: "https://learn.microsoft.com/azure/well-architected/resiliency/backup-and-recovery" - description: Provide security assurance through identity management aprlGuid: 835e616d-78e6-7f4c-a48b-6f80382a48cf - recommendationTypeId: + recommendationTypeId: null recommendationControl: Security recommendationImpact: Medium recommendationResourceType: WellArchitected/Design recommendationMetadataState: Active longDescription: | Provide security assurance through identity management: the process of authenticating and authorizing security principals. Use identity management services to authenticate and grant permission to users, partners, customers, applications, services, and other entities. Identity management is typically a centralized function not controlled by the workload team as a part of the workload's architecture. - Define clear lines of responsibility and separation of duties for each function. Restrict access based on a need-to-know basis and least privilege security principles. - Assign permissions to users, groups, and applications at a certain scope through Azure RBAC. Use built-in roles when possible. - Prevent deletion or modification of a resource, resource group, or subscription through management locks. - Use managed identities to access resources in Azure. 
- potentialBenefits: Enhanced access control & security + potentialBenefits: Enhanced access control and security pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Azure identity and access management considerations url: "https://learn.microsoft.com/azure/well-architected/security/design-identity" - description: Addressing security risks minimizes downtime and data loss from exposures aprlGuid: c5d8f87e-45ef-1644-a4aa-95ec08b88109 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Security recommendationImpact: High recommendationResourceType: WellArchitected/Design recommendationMetadataState: Active longDescription: | Security is one of the most important aspects of any architecture. It provides the following assurances against deliberate attacks and abuse of your valuable data and systems: Confidentiality ,Integrity, and Availability. The security of complex systems depends on understanding the business context, social context, and technical context. As you design your system, cover these areas: - Ensure that the identity provider (AAD/ADFS/AD/Other) is highly available and aligns with application availability and recovery targets. - All external application endpoints are secured. - Communication to Azure PaaS services secured using Virtual Network Service Endpoints or Private Link. - Keys and secrets are backed-up to geo-redundant storage, and are still available in a failover case. - Ensure that the process for key rotation is automated and tested. - Emergency access break glass accounts have been tested and secured for recovering from Identity provider failure scenarios. 
- potentialBenefits: Minimizes downtime & data loss + potentialBenefits: Minimizes downtime and data loss pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Security design principles url: "https://learn.microsoft.com/azure/well-architected/security/security-principles" diff --git a/azure-waf/monitor/recommendations.yaml b/azure-waf/monitor/recommendations.yaml index c42d1ab25..9d62e9721 100644 --- a/azure-waf/monitor/recommendations.yaml +++ b/azure-waf/monitor/recommendations.yaml @@ -1,6 +1,6 @@ -- description: Make sure your application's health is being monitored +- description: Make sure your application's health is being monitored aprlGuid: 46fb4540-ecac-6e49-bc10-34c7792eb35d - recommendationTypeId: + recommendationTypeId: null recommendationControl: Monitoring and Alerting recommendationImpact: Medium recommendationResourceType: WellArchitected/Monitor @@ -12,14 +12,14 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Monitoring application health for reliability url: "https://learn.microsoft.com/azure/well-architected/resiliency/monitoring" - description: Define a health model based on performance, availability, and recovery targets aprlGuid: 5dd7a9a3-fb79-004d-bc89-c9ef79890900 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Monitoring and Alerting recommendationImpact: Low recommendationResourceType: WellArchitected/Monitor 
@@ -31,33 +31,33 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Health modeling for reliability url: "https://learn.microsoft.com/azure/well-architected/resiliency/monitor-model" - description: Create Dashboards and Alerts for Azure Platform resources aprlGuid: 1691bfea-c9fd-0948-969a-03e5abcab299 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Monitoring and Alerting recommendationImpact: Low recommendationResourceType: WellArchitected/Monitor recommendationMetadataState: Active longDescription: | In this stage, telemetry data is presented so that an operator can quickly notice problems or trends. Examples include Workbook, Dashboards or email alerts. With Azure Workbooks and/or dashboards, you can build a single pane of glass view of monitoring graphs originating from Application Insights, Log Analytics, Azure Monitor metrics and service health. With Azure Monitor alerts, you can create alerts on service health and resource health. - potentialBenefits: Quick issue detection & response + potentialBenefits: Quick issue detection and response pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Azure Workbooks templates url: "https://learn.microsoft.com/azure/azure-monitor/visualize/workbooks-templates" - description: Ensure that the right people in your organization will be notified about any future service issues aprlGuid: 1422b388-5d23-5641-ba1c-139a59fb7b4c - recommendationTypeId: + recommendationTypeId: null recommendationControl: Monitoring and Alerting recommendationImpact: Medium recommendationResourceType: WellArchitected/Monitor 
@@ -69,26 +69,28 @@ publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Create a Service Health alert using the Azure portal url: "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal#create-a-service-health-alert-using-the-azure-portal" - description: Utilize built-in Resilience policies aprlGuid: 2af4f8c2-bafc-4808-88df-0af009a019b5 - recommendationTypeId: + recommendationTypeId: null recommendationControl: Governance recommendationImpact: Medium recommendationResourceType: WellArchitected/Monitor recommendationMetadataState: Active longDescription: | Utilize Azure's built-in Resilience policies to audit and enforce resilient configurations of Azure services. Azure Policy helps to enforce organizational standards and to assess compliance at-scale. - potentialBenefits: Ensures compliance & upscale resilience + potentialBenefits: Ensures compliance and upscale resilience pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Built-in Resilience policy definitions url: "https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Resilience" + - name: Get policy compliance data + url: "https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data" diff --git a/azure-waf/respond/recommendations.yaml b/azure-waf/respond/recommendations.yaml index db2dc9669..f39cde135 100644 --- a/azure-waf/respond/recommendations.yaml +++ b/azure-waf/respond/recommendations.yaml 
@@ -1,6 +1,6 @@
-- description: Implement proactive Incident Response
+- description: Implement proactive Incident Response
 aprlGuid: daf605e4-d3fd-fc42-819a-e3ec084ffda6
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: Disaster Recovery
 recommendationImpact: High
 recommendationResourceType: WellArchitected/Respond
@@ -12,7 +12,10 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: No
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Importance of incident response
 url: "https://learn.microsoft.com/training/modules/improve-reliability-incidents/2-importance"
+ - name: Incident tracking
+ url: "https://learn.microsoft.com/training/modules/improve-reliability-incidents/5-tracking"
+
diff --git a/azure-waf/test/recommendations.yaml b/azure-waf/test/recommendations.yaml
index f880fd323..6579f5f5a 100644
--- a/azure-waf/test/recommendations.yaml
+++ b/azure-waf/test/recommendations.yaml
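Review bot: The final added line of the `@@ -12,7 +12,10 @@` hunk is an empty (or whitespace-only) `+` line after the `Incident tracking` url, which appears to leave azure-waf/respond/recommendations.yaml ending in an extra blank line rather than a single trailing newline. yamllint's `empty-lines` / `trailing-spaces` rules will flag that, and the other files touched by this patch end on their last `url:` line, so drop the empty line and end the file directly after `url: "https://learn.microsoft.com/training/modules/improve-reliability-incidents/5-tracking"`.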
@@ -1,44 +1,44 @@ -- description: Test your applications for availability and resiliency +- description: Test your applications for availability and resiliency aprlGuid: 28a8ce6f-1b47-c243-bafb-208f4422fe7a - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: n/a recommendationMetadataState: Active longDescription: | Applications should be tested to ensure availability and resiliency. Availability describes the amount of time that an application runs in a healthy state without significant downtime. Resiliency describes how quickly an application recovers from failure. Being able to measure availability and resiliency can answer questions like: How much downtime is acceptable? How much does potential downtime cost your business? What are your availability requirements? How much do you invest in making your application highly available? What is the risk versus the cost? Testing plays a critical role in making sure your applications can meet these requirements. Key points: - Test regularly to validate existing thresholds, targets, and assumptions. - Automate testing as much as possible. - Perform testing on both key Test environments and the production environment. - Verify how the end-to-end workload performs under intermittent failure conditions. - Test the application against critical functional and nonfunctional requirements for performance. - Conduct load testing with expected peak volumes to Test scalability and performance under load. - Perform chaos testing by injecting faults. 
- potentialBenefits: Improves uptime & speeds recovery + potentialBenefits: Improves uptime and speeds recovery pgVerified: Verified publishedToLearn: false publishedToAdvisor: false automationAvailable: No - tags: + tags: null learnMoreLink: - - name: Learn More + - name: Testing applications for availability and resiliency url: "https://learn.microsoft.com/azure/well-architected/resiliency/testing" - description: Consider building logic into your workload to handle errors aprlGuid: 155dda00-c264-1b45-8ac0-d6f68178844f - recommendationTypeId: + recommendationTypeId: null recommendationControl: High Availability recommendationImpact: High recommendationResourceType: n/a recommendationMetadataState: Active longDescription: | In a distributed system, ensuring that your application can recover from errors is critical. You can test your applications to prevent errors and failure, but you need to prepare for a wide range of issues. Testing doesn't always catch everything, so you should understand how to handle errors and prevent potential failure. Many things in a distributed system, such as underlying cloud infrastructure and third-party runtime dependencies, are outside your span of control and your means to test. You can be sure something will fail eventually, so you need to be prepared. Key points: - Implement retry logic to handle transient application failures and transient failures with internal or external dependencies. - Uncover issues or failures in your application's retry logic. - Configure request timeouts to manage intercomponent calls. - Configure and test health probes for your load balancers and traffic managers. - Segregate read operations from update operations across application data stores. 
- potentialBenefits: Enhances recovery & error management
+ potentialBenefits: Enhances recovery and error management
 pgVerified: Verified
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: No
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Error handling for resilient applications in Azure
 url: "https://learn.microsoft.com/azure/well-architected/resiliency/app-design-error-handling"
 - description: Perform disaster recovery tests regularly
 aprlGuid: 1b612a06-28dc-e64e-9057-17467e57764a
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: Disaster Recovery
 recommendationImpact: High
 recommendationResourceType: n/a
@@ -50,14 +50,14 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: No
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Backup and disaster recovery for Azure applications
 url: "https://learn.microsoft.com/azure/well-architected/resiliency/backup-and-recovery"
 - description: Use chaos engineering to test Azure applications
 aprlGuid: e10f11a5-9c5b-6c4c-a684-4d9f4063127a
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: Medium
 recommendationResourceType: n/a
@@ -69,14 +69,14 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: No
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Use chaos engineering to test Azure applications
 url: "https://learn.microsoft.com/azure/well-architected/resiliency/chaos-engineering"
 - description: Test application fault resiliency
 aprlGuid: c8ba80d4-20d9-456f-a2bd-8e6d488d8ff9
- recommendationTypeId:
+ recommendationTypeId: null
 recommendationControl: High Availability
 recommendationImpact: High
 recommendationResourceType: n/a
@@ -88,7 +88,7 @@
 publishedToLearn: false
 publishedToAdvisor: false
 automationAvailable: No
- tags:
+ tags: null
 learnMoreLink:
- - name: Learn More
+ - name: Test application fault resiliency
 url: "https://learn.microsoft.com/en-us/azure/azure-sql/database/high-availability-sla?view=azuresql&tabs=azure-powershell#testing-application-fault-resiliency"
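Review bot: The url under the renamed `Test application fault resiliency` entry hard-codes an `en-us/` locale segment and a `?view=azuresql&tabs=azure-powershell` query string, whereas every other link in this patch is written locale-neutral as `https://learn.microsoft.com/azure/...`; Learn resolves locale-neutral URLs to the reader's language, so the pinned locale forces English on non-English readers and the tab parameter is irrelevant to the section anchor. Suggest `url: "https://learn.microsoft.com/azure/azure-sql/database/high-availability-sla#testing-application-fault-resiliency"`, keeping `view=azuresql` only if the page turns out not to resolve without it, which I cannot confirm from the diff.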