Merge branch 'main' into SQL-MI-changes2

Azure · Oct 16, 2024 · a5015be · a5015be
2 parents dbad42d + e04dfc5
commit a5015be
Show file tree

Hide file tree

Showing 22 changed files with 225 additions and 60 deletions.
diff --git a/.github/actions-config/gh-ado-sync-config.json b/.github/actions-config/gh-ado-sync-config.json
@@ -0,0 +1,18 @@
+{
+  "log_level": "info",
+  "ado": {
+    "organization": "CSUSolEng",
+    "project": "Well-Architected Framework",
+    "wit": "GitHub Issue",
+    "states": {
+      "new": "New",
+      "closed": "Closed",
+      "reopened": "New",
+      "deleted": "Removed",
+      "active": "In Progress"
+    },
+    "bypassRules": true,
+    "autoCreate": true,
+    "areaPath": "Well-Architected Framework"
+  }
+}
diff --git a/.github/workflows/ado-sync-workitems.yml b/.github/workflows/ado-sync-workitems.yml
@@ -0,0 +1,31 @@
+name: Sync Issues to Azure DevOps Work Items
+
+permissions:
+  contents: read
+
+on:
+  issues:
+    types: [opened, closed, deleted, reopened, edited, labeled, unlabeled, assigned, unassigned]
+  issue_comment:
+    types: [created]
+
+jobs:
+  alert:
+    runs-on: ubuntu-latest
+    name: Sync workflow
+    if: github.repository == 'Azure/Azure-Proactive-Resiliency-Library-v2'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: GitHub/ADO Sync
+        uses: a11smiles/GitSync@v1.2.3
+        env:
+          ado_token: '${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}'
+          github_token: '${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}'
+          config_file: './.github/actions-config/gh-ado-sync-config.json'
+        with:
+          ado: ${{ secrets.ADO_MAPPINGS_HANDLES }}
diff --git a/.github/workflows/build-recommendation-object.yml b/.github/workflows/build-recommendation-object.yml
@@ -5,9 +5,15 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -38,7 +44,7 @@ jobs:
         run: |
           git add ./tools/data/recommendations.json
           git commit -m "Update recommendations.json"
-          git push
+          git push --set-upstream origin json-object-update
 
       - name: Create PR
         env:

diff --git a/.../4b1a45af-d35f-442d-922a-a3e7b6052de1.kql → .../b14ee8ed-7d27-447b-b6fb-6472cb5f4b75.kql b/.../4b1a45af-d35f-442d-922a-a3e7b6052de1.kql → .../b14ee8ed-7d27-447b-b6fb-6472cb5f4b75.kql
@@ -1,2 +1 @@
 // under-development
-
diff --git a/azure-resources/Compute/galleries/kql/b3c3ba1d-7de6-442d-8c50-023330fbf765.kql b/azure-resources/Compute/galleries/kql/b3c3ba1d-7de6-442d-8c50-023330fbf765.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/azure-resources/Compute/galleries/recommendations.yaml b/azure-resources/Compute/galleries/recommendations.yaml
@@ -57,3 +57,39 @@
       url: "https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v"
     - name: Images in Compute gallery
       url: "https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli"
+
+- description: Create Image Versions replicas in secondary region
+  aprlGuid: b14ee8ed-7d27-447b-b6fb-6472cb5f4b75
+  recommendationTypeId: null
+  recommendationControl: Disaster Recovery
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Compute/galleries
+  recommendationMetadataState: Active
+  longDescription: |
+    On multi-region deployments, replicate Image Versions to a secondary region to ensure disaster recovery capability. This ensures that the Image Versions are available in the secondary region in case of a disaster in the primary region.
+  potentialBenefits: Enhances disaster recovery capability
+  pgVerified: true
+  publishedToLearn: false
+  automationAvailable: true
+  tags: null
+  learnMoreLink:
+    - name: Compute Gallery Replication
+      url: "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery#replication"
+
+- description: Configure Image version replica count per region.
+  aprlGuid: b3c3ba1d-7de6-442d-8c50-023330fbf765
+  recommendationTypeId: null
+  recommendationControl: Disaster Recovery
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Compute/galleries
+  recommendationMetadataState: Active
+  longDescription: |
+    You can set a different replica count in each target region, based on the scale needs for the region. For every 20 VMs that you create concurrently, we recommend you keep one replica.
+  potentialBenefits: Enhances disaster recovery capability
+  pgVerified: true
+  publishedToLearn: false
+  automationAvailable: true
+  tags: null
+  learnMoreLink:
+    - name: Compute Gallery Scaling
+      url: "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#scaling"
diff --git a/azure-resources/Compute/virtualMachines/kql/587ca3e4-113b-4c4f-b4e0-92cd8d2065b6.kql b/azure-resources/Compute/virtualMachines/kql/587ca3e4-113b-4c4f-b4e0-92cd8d2065b6.kql
@@ -0,0 +1,2 @@
+// cannot-be-validated-with-arg
+
diff --git a/azure-resources/Compute/virtualMachines/recommendations.yaml b/azure-resources/Compute/virtualMachines/recommendations.yaml
@@ -523,3 +523,21 @@
   learnMoreLink:
     - name: How to update the Azure Linux Agent on a VM
       url: "https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/update-linux-agent?tabs=ubuntu"
+
+- description: Reserve Compute Capacity in Disaster Recovery Regions
+  aprlGuid: 587ca3e4-113b-4c4f-b4e0-92cd8d2065b6
+  recommendationTypeId: null
+  recommendationControl: Disaster Recovery
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Compute/virtualMachines
+  recommendationMetadataState: Active
+  longDescription: |
+    On-Demand Capacity Reservations ensure recovery of virtual machines in the event of a natural disaster by reserving compute capacity in advance within a specific region or zone. This guarantees that VMs have the necessary resources during disaster recovery failover events thus reducing downtime.
+  potentialBenefits: Guaranteed capacity in disaster recovery regions
+  pgVerified: true
+  publishedToLearn: false
+  automationAvailable: false
+  tags: null
+  learnMoreLink:
+    - name: On-demand Capacity Reservation
+      url: "https://aka.ms/on-demand-capacity-reservations-docs"
diff --git a/azure-resources/Dashboard/_index.md b/azure-resources/Dashboard/_index.md
@@ -0,0 +1,5 @@
+---
+title: Dashboard
+geekdocCollapseSection: true
+geekdocHidden: false
+---
diff --git a/azure-resources/Dashboard/grafana/_index.md b/azure-resources/Dashboard/grafana/_index.md
@@ -0,0 +1,7 @@
+---
+title: grafana
+geekdocCollapseSection: true
+geekdocHidden: false
+---
+
+{{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}
diff --git a/azure-resources/Dashboard/grafana/kql/6cd57b65-ef84-4088-9ada-c0d8de74c2f7.kql b/azure-resources/Dashboard/grafana/kql/6cd57b65-ef84-4088-9ada-c0d8de74c2f7.kql
@@ -0,0 +1,14 @@
+// Azure Resource Graph Query
+// Provides a list of Azure Managed Grafana resources that do not zone redundancy enabled.
+resources
+| where type =~ "Microsoft.Dashboard/grafana"
+| extend zoneRedundancy = properties.zoneRedundancy
+| where zoneRedundancy !~ "Enabled"
+| project
+    recommendationId = "6cd57b65-ef84-4088-9ada-c0d8de74c2f7",
+    name,
+    id,
+    tags,
+    param1 = strcat("location: ", location),
+    param2 = strcat("sku: ", sku.name),
+    param3 = strcat("zoneRedundancy: ", zoneRedundancy)
diff --git a/azure-resources/Dashboard/grafana/recommendations.yaml b/azure-resources/Dashboard/grafana/recommendations.yaml
@@ -0,0 +1,19 @@
+- description: Enable zone redundancy in Managed Grafana
+  aprlGuid: 6cd57b65-ef84-4088-9ada-c0d8de74c2f7
+  recommendationTypeId: null
+  recommendationControl: High Availability
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Dashboard/grafana
+  recommendationMetadataState: Active
+  longDescription: |
+    Managed Grafana Standard tier is hosted on a dedicated set of VMs to provide redundancy. With zone redundancy enabled, VMs are spread across availability zones (AZ). Related resources are also configured for AZ. Zone redundancy can only be enabled when creating the Azure Managed Grafana instance.
+  potentialBenefits: Enhanced Managed Grafana resilience to failures
+  pgVerified: false
+  publishedToLearn: false
+  automationAvailable: true
+  tags: null
+  learnMoreLink:
+    - name: Azure Managed Grafana service reliability
+      url: "https://learn.microsoft.com/azure/managed-grafana/high-availability"
+    - name: Enable zone redundancy in Azure Managed Grafana
+      url: "https://learn.microsoft.com/Azure/managed-grafana/how-to-enable-zone-redundancy"
diff --git a/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml b/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
@@ -1,12 +1,12 @@
-- description: Create a validation host pool for testing of planned updates
+- description: Create a validation host pool
   aprlGuid: 013ac34e-7c4b-425f-9e0c-216f0cc06181
   recommendationTypeId: null
   recommendationControl: Governance
   recommendationImpact: Medium
   recommendationResourceType: Microsoft.DesktopVirtualization/hostPools
   recommendationMetadataState: Active
   longDescription: |
-    Create a Validation Pool for early issue detection with planned AVD updates. Adjust limits based on needs. Scale by adding multiple host pools for more users. Regularly test updates on host pools. Validate changes before applying to main environment to avoid downtime.
+    Validation host pools let you monitor service updates before the service applies them to your standard or non-validation environment.
   potentialBenefits: Enhanced environment stability
   pgVerified: true
   publishedToLearn: false
@@ -24,7 +24,7 @@
   recommendationResourceType: Microsoft.DesktopVirtualization/hostPools
   recommendationMetadataState: Active
   longDescription: |
-    Create maintenance schedules for AVD agent updates to avoid disruptions. Use Scheduled Agent Updates to set maintenance windows for updating Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent.
+    Create up to two maintenance windows for the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent to get updated so that updates don't happen during peak business hours.
   potentialBenefits: Enhanced environment stability
   pgVerified: true
   publishedToLearn: false
@@ -42,7 +42,7 @@
   recommendationResourceType: Microsoft.DesktopVirtualization/hostPools
   recommendationMetadataState: Active
   longDescription: |
-    For optimized AVD configuration, place Hybrid VMs in unique OUs. Segregate Prod and DR units for environment-specific settings. This ensures targeted configurations for session hosts, including FSLogix, timeouts, and session controls.
+    Place domain joined session hosts VMs in unique OUs. Segregate Prod and DR units for environment-specific settings. This ensures targeted configurations for session hosts, including FSLogix, session controls, etc.
   potentialBenefits: Improved AVD hostpool config & segmentation
   pgVerified: true
   publishedToLearn: false
@@ -52,15 +52,15 @@
     - name: Configure the VMs and install Active Directory Domain Services
       url: "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services"
 
-- description: Use Azure Site Recovery or backups to protect VMs supporting personal desktops
+- description: Use Azure Site Recovery to protect stateful session hosts
   aprlGuid: 38721758-2cc2-4d6b-b7b7-8b47dadbf7df
   recommendationTypeId: null
   recommendationControl: Disaster Recovery
   recommendationImpact: Medium
   recommendationResourceType: Microsoft.Compute/virtualMachines
   recommendationMetadataState: Active
   longDescription: |
-    Implement Azure Site Recovery (ASR) or Azure Backup for personal host pools to enable seamless failover and failback. This replicates VMs supporting personal desktops to a secondary Azure region, ensuring recovery from a known state in case of a disaster or outage.
+    Implement Azure Site Recovery (ASR) to replicate or backup stateful session hosts. This replicates VMs to a secondary Azure region or availability zone, ensuring recovery from a known VM state in case of an outage.
   potentialBenefits: Ensures VM recovery & failover
   pgVerified: true
   publishedToLearn: false

diff --git a/azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml b/azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml
@@ -1,12 +1,12 @@
-- description: Scaling plans should be created per region and not scaled across regions
+- description: Create scaling plans per region
   aprlGuid: 499769ae-67c9-492e-9ca5-cfd4cece5209
   recommendationTypeId: null
   recommendationControl: Scalability
   recommendationImpact: Medium
   recommendationResourceType: Microsoft.DesktopVirtualization/scalingPlans
   recommendationMetadataState: Active
   longDescription: |
-    Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region.
+    Scaling plans can only be assigned to host pools in the same region, on multi-region deployment scenario each region should has its own scaling plan.
   potentialBenefits: Enhanced scaling
   pgVerified: true
   publishedToLearn: false

diff --git a/azure-resources/Network/connections/kql/f6a14b32-a727-4ace-b5fa-7b1c6bdff402.kql b/azure-resources/Network/connections/kql/f6a14b32-a727-4ace-b5fa-7b1c6bdff402.kql
@@ -1,2 +1,19 @@
-// under-development
-
+// Azure Resource Graph Query
+// Find all ExpressRoute Connections that are connected to ErGw3AZ or UltraPerformance gateway sku that don't have
+// FastPath enabled for both the Gateway Bypass or Private Endpoint/Link service.
+resources
+| where type == "microsoft.network/connections"
+| where properties.connectionType =~ 'expressroute'
+| extend gatewayId = tostring(properties.virtualNetworkGateway1.id)
+| join kind=inner (
+    resources
+    | where type =~ "Microsoft.Network/virtualNetworkGateways"
+    | where properties.sku.name in~ ("ErGw3AZ", "UltraPerformance")
+    | extend gatewayId = tostring(id)
+) on gatewayId
+| extend erGatewayBypass = tobool(properties.expressRouteGatewayBypass)
+| extend privateLinkFastPath = tobool(properties.enablePrivateLinkFastPath)
+| where not(erGatewayBypass) or not(privateLinkFastPath)
+| project recommendationId = "f6a14b32-a727-4ace-b5fa-7b1c6bdff402", id, name, tags,
+    param1 = iff(erGatewayBypass, "Enabled: Gateway Bypass", "Disabled: Gateway Bypass"),
+    param2 = iff(privateLinkFastPath, "Enabled: PE FastPath", "Disabled: PE FastPath"),
diff --git a/azure-resources/Network/connections/recommendations.yaml b/azure-resources/Network/connections/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: For better data path performance enable FastPath on ExpressRoute Direct and Gateway
+- description: For better data path performance enable FastPath on ExpressRoute Connections
   aprlGuid: f6a14b32-a727-4ace-b5fa-7b1c6bdff402
   recommendationTypeId: null
   recommendationControl: Scalability

diff --git a/azure-resources/Resources/resourceGroups/kql/98bd7098-49d6-491b-86f1-b143d6b1a0ff.kql b/azure-resources/Resources/resourceGroups/kql/98bd7098-49d6-491b-86f1-b143d6b1a0ff.kql
@@ -1,13 +1,22 @@
 // Azure Resource Graph Query
 // Provides a list of Azure Resource Groups that have resources deployed in a region different than the Resource Group region
-resources
-| project id, name, tags, resourceGroup, location
-| where location != "global"                                                                                                          // exclude global resources
-| where resourceGroup != "networkwatcherrg"                                                                                           // exclude networkwatcherrg
-| where split(id, "/", 3)[0] =~ "resourceGroups"                                                                                      // resource is in a resource group
-| extend resourceGroupId = strcat_array(array_slice(split(id, "/"),0,4), "/")                                                         // create resource group resource id
-| join (resourcecontainers | project containerid=id, containerlocation=location ) on $left.resourceGroupId == $right.['containerid']  // join to resourcecontainers table
-| where  location != containerlocation
-| project recommendationId="98bd7098-49d6-491b-86f1-b143d6b1a0ff", name, id, tags
-| order by id asc
-
+resourcecontainers
+| where type =~ "Microsoft.Resources/subscriptions/resourceGroups"
+| project resourceGroupId = tolower(id), resourceGroupLocation = location
+| join kind = inner (
+    resources
+    | where location !~ "Global" and             // Exclude global resources
+        resourceGroup !~ "NetworkWatcherRG" and  // Exclude resources in the NetworkWatcherRG
+        id has "/resourceGroups/"                // Exclude resources not in a resource group
+    | project id, name, tags, resourceGroup, location, resourceGroupId = tolower(strcat_array(array_slice(split(id, "/"), 0, 4), "/"))
+    )
+    on resourceGroupId
+| where resourceGroupLocation !~ location
+| project
+    recommendationId = "98bd7098-49d6-491b-86f1-b143d6b1a0ff",
+    name,
+    id,
+    tags,
+    param1 = strcat("resourceLocation: ", location),
+    param2 = strcat("resourceGroupLocation: ", resourceGroupLocation),
+    param3 = strcat("resourceGroup: ", resourceGroup)
diff --git a/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml b/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
@@ -24,14 +24,14 @@
   recommendationResourceType: Microsoft.VirtualMachineImages/imageTemplates
   recommendationMetadataState: Active
   longDescription: |
-    The Azure Image Builder service, used for deploying Image Templates, lacks availability zones support. By replicating Image Templates to a secondary, preferably paired, region, quick recovery from a region failure is enabled, ensuring continuous virtual machine deployment from these templates.
+    The Azure Image Builder service lacks availability zones support. Replicating Image Templates to a secondary region will enable the build of new images in secondary region.
   potentialBenefits: Enhances disaster recovery capability
   pgVerified: true
   publishedToLearn: false
   automationAvailable: true
   tags: null
   learnMoreLink:
     - name: Image Template resiliency
-      url: "https://learn.microsoft.com/en-us/azure/reliability/reliability-image-builder?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json#capacity-and-proactive-disaster-recovery-resiliency"
+      url: "https://learn.microsoft.com/en-us/azure/reliability/reliability-image-builder?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph#disaster-recovery"
     - name: Azure Image Builder Supported Regions
       url: "https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell#regions"
diff --git a/azure-resources/Web/serverFarms/recommendations.yaml b/azure-resources/Web/serverFarms/recommendations.yaml
@@ -46,7 +46,7 @@
   longDescription: |
     Avoid frequent scaling up/down of Azure App Service instances to prevent service disruptions. Choose the right tier and size for the workload and scale out for traffic changes, as scaling adjustments can trigger application restarts.
   potentialBenefits: Minimizes restarts, enhances stability
-  pgVerified: false
+  pgVerified: true
   publishedToLearn: false
   automationAvailable: true
   tags: null
@@ -82,7 +82,7 @@
   longDescription: |
     Enabling Autoscale/Automatic Scaling for your Azure App Service ensures sufficient resources for incoming requests. Autoscaling is rule-based, whereas Automatic Scaling, a newer feature, automatically adjusts resources based on HTTP traffic.
   potentialBenefits: Optimizes resources for traffic
-  pgVerified: false
+  pgVerified: true
   publishedToLearn: false
   automationAvailable: false
   tags: null