From 0f37eed288f17baaa868140448ab676229017c5a Mon Sep 17 00:00:00 2001
From: Dany Contreras <78437433+danycontre@users.noreply.github.com>
Date: Wed, 9 Oct 2024 16:09:43 -0400
Subject: [PATCH 1/8] docs: AVD guidance updates (#432)
Co-authored-by: github-actions[bot]
Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
Co-authored-by: Zach Trocinski
---
.../b14ee8ed-7d27-447b-b6fb-6472cb5f4b75.kql | 1 -
.../b3c3ba1d-7de6-442d-8c50-023330fbf765.kql | 1 +
.../Compute/galleries/recommendations.yaml | 36 +++++++++++++++++++
.../hostPools/recommendations.yaml | 12 +++----
.../scalingPlans/recommendations.yaml | 4 +--
.../imageTemplates/recommendations.yaml | 4 +--
azure-specialized-workloads/avd/_index.md | 10 +++---
.../avd/recommendations.yaml | 19 ----------
8 files changed, 53 insertions(+), 34 deletions(-)
rename azure-specialized-workloads/avd/kql/4b1a45af-d35f-442d-922a-a3e7b6052de1.kql => azure-resources/Compute/galleries/kql/b14ee8ed-7d27-447b-b6fb-6472cb5f4b75.kql (95%)
create mode 100644 azure-resources/Compute/galleries/kql/b3c3ba1d-7de6-442d-8c50-023330fbf765.kql
diff --git a/azure-specialized-workloads/avd/kql/4b1a45af-d35f-442d-922a-a3e7b6052de1.kql b/azure-resources/Compute/galleries/kql/b14ee8ed-7d27-447b-b6fb-6472cb5f4b75.kql
similarity index 95%
rename from azure-specialized-workloads/avd/kql/4b1a45af-d35f-442d-922a-a3e7b6052de1.kql
rename to azure-resources/Compute/galleries/kql/b14ee8ed-7d27-447b-b6fb-6472cb5f4b75.kql
index 825659376..614a7f9ca 100644
--- a/azure-specialized-workloads/avd/kql/4b1a45af-d35f-442d-922a-a3e7b6052de1.kql
+++ b/azure-resources/Compute/galleries/kql/b14ee8ed-7d27-447b-b6fb-6472cb5f4b75.kql
@@ -1,2 +1 @@
// under-development
-
diff --git a/azure-resources/Compute/galleries/kql/b3c3ba1d-7de6-442d-8c50-023330fbf765.kql b/azure-resources/Compute/galleries/kql/b3c3ba1d-7de6-442d-8c50-023330fbf765.kql
new file mode 100644
index 000000000..614a7f9ca
--- /dev/null
+++ b/azure-resources/Compute/galleries/kql/b3c3ba1d-7de6-442d-8c50-023330fbf765.kql
@@ -0,0 +1 @@
+// under-development
diff --git a/azure-resources/Compute/galleries/recommendations.yaml b/azure-resources/Compute/galleries/recommendations.yaml
index 156325e4f..d952a6f72 100644
--- a/azure-resources/Compute/galleries/recommendations.yaml
+++ b/azure-resources/Compute/galleries/recommendations.yaml
@@ -57,3 +57,39 @@
url: "https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v"
- name: Images in Compute gallery
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli"
+
+- description: Create Image Versions replicas in secondary region
+ aprlGuid: b14ee8ed-7d27-447b-b6fb-6472cb5f4b75
+ recommendationTypeId: null
+ recommendationControl: Disaster Recovery
+ recommendationImpact: Medium
+ recommendationResourceType: Microsoft.Compute/galleries
+ recommendationMetadataState: Active
+ longDescription: |
+ On multi-region deployments, replicate Image Versions to a secondary region to ensure disaster recovery capability. This ensures that the Image Versions are available in the secondary region in case of a disaster in the primary region.
+ potentialBenefits: Enhances disaster recovery capability
+ pgVerified: true
+ publishedToLearn: false
+ automationAvailable: true
+ tags: null
+ learnMoreLink:
+ - name: Compute Gallery Replication
+ url: "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery#replication"
+
+- description: Configure Image version replica count per region.
+ aprlGuid: b3c3ba1d-7de6-442d-8c50-023330fbf765
+ recommendationTypeId: null
+ recommendationControl: Disaster Recovery
+ recommendationImpact: Medium
+ recommendationResourceType: Microsoft.Compute/galleries
+ recommendationMetadataState: Active
+ longDescription: |
+ You can set a different replica count in each target region, based on the scale needs for the region. For every 20 VMs that you create concurrently, we recommend you keep one replica.
+ potentialBenefits: Enhances disaster recovery capability
+ pgVerified: true
+ publishedToLearn: false
+ automationAvailable: true
+ tags: null
+ learnMoreLink:
+ - name: Compute Gallery Scaling
+ url: "https://learn.microsoft.com/en-us/azure/virtual-machines/azure-compute-gallery#scaling"
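Review bot: Both new gallery entries set `automationAvailable: true`, but the query files this commit adds for them (kql/b14ee8ed-… via the rename and the new kql/b3c3ba1d-…) contain only `// under-development`, so the flag advertises an automated check that does not exist and the recommendation can never produce a finding. Set `automationAvailable: false` until a query ships, which is how the later capacity-reservation entry pairs `// cannot-be-validated-with-arg` with `false`. The second description `Configure Image version replica count per region.` ends with a period unlike every other description in this file; drop it for consistency.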
diff --git a/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml b/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
index 20066cedc..bd58c9158 100644
--- a/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
+++ b/azure-resources/DesktopVirtualization/hostPools/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Create a validation host pool for testing of planned updates
+- description: Create a validation host pool
aprlGuid: 013ac34e-7c4b-425f-9e0c-216f0cc06181
recommendationTypeId: null
recommendationControl: Governance
@@ -6,7 +6,7 @@
recommendationResourceType: Microsoft.DesktopVirtualization/hostPools
recommendationMetadataState: Active
longDescription: |
- Create a Validation Pool for early issue detection with planned AVD updates. Adjust limits based on needs. Scale by adding multiple host pools for more users. Regularly test updates on host pools. Validate changes before applying to main environment to avoid downtime.
+ Validation host pools let you monitor service updates before the service applies them to your standard or non-validation environment.
potentialBenefits: Enhanced environment stability
pgVerified: true
publishedToLearn: false
@@ -24,7 +24,7 @@
recommendationResourceType: Microsoft.DesktopVirtualization/hostPools
recommendationMetadataState: Active
longDescription: |
- Create maintenance schedules for AVD agent updates to avoid disruptions. Use Scheduled Agent Updates to set maintenance windows for updating Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent.
+ Create up to two maintenance windows for the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent to get updated so that updates don't happen during peak business hours.
potentialBenefits: Enhanced environment stability
pgVerified: true
publishedToLearn: false
@@ -42,7 +42,7 @@
recommendationResourceType: Microsoft.DesktopVirtualization/hostPools
recommendationMetadataState: Active
longDescription: |
- For optimized AVD configuration, place Hybrid VMs in unique OUs. Segregate Prod and DR units for environment-specific settings. This ensures targeted configurations for session hosts, including FSLogix, timeouts, and session controls.
+ Place domain joined session hosts VMs in unique OUs. Segregate Prod and DR units for environment-specific settings. This ensures targeted configurations for session hosts, including FSLogix, session controls, etc.
potentialBenefits: Improved AVD hostpool config & segmentation
pgVerified: true
publishedToLearn: false
@@ -52,7 +52,7 @@
- name: Configure the VMs and install Active Directory Domain Services
url: "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services"
-- description: Use Azure Site Recovery or backups to protect VMs supporting personal desktops
+- description: Use Azure Site Recovery to protect stateful session hosts
aprlGuid: 38721758-2cc2-4d6b-b7b7-8b47dadbf7df
recommendationTypeId: null
recommendationControl: Disaster Recovery
@@ -60,7 +60,7 @@
recommendationResourceType: Microsoft.Compute/virtualMachines
recommendationMetadataState: Active
longDescription: |
- Implement Azure Site Recovery (ASR) or Azure Backup for personal host pools to enable seamless failover and failback. This replicates VMs supporting personal desktops to a secondary Azure region, ensuring recovery from a known state in case of a disaster or outage.
+ Implement Azure Site Recovery (ASR) to replicate or backup stateful session hosts. This replicates VMs to a secondary Azure region or availability zone, ensuring recovery from a known VM state in case of an outage.
potentialBenefits: Ensures VM recovery & failover
pgVerified: true
publishedToLearn: false
diff --git a/azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml b/azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml
index 882a2038f..48f963ace 100644
--- a/azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml
+++ b/azure-resources/DesktopVirtualization/scalingPlans/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: Scaling plans should be created per region and not scaled across regions
+- description: Create scaling plans per region
aprlGuid: 499769ae-67c9-492e-9ca5-cfd4cece5209
recommendationTypeId: null
recommendationControl: Scalability
@@ -6,7 +6,7 @@
recommendationResourceType: Microsoft.DesktopVirtualization/scalingPlans
recommendationMetadataState: Active
longDescription: |
- Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region.
+ Scaling plans can only be assigned to host pools in the same region, on multi-region deployment scenario each region should has its own scaling plan.
potentialBenefits: Enhanced scaling
pgVerified: true
publishedToLearn: false
diff --git a/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml b/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
index d9d89d8e6..619071f11 100644
--- a/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
+++ b/azure-resources/VirtualMachineImages/imageTemplates/recommendations.yaml
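Review bot: The replacement longDescription in the scalingPlans hunk reads `Scaling plans can only be assigned to host pools in the same region, on multi-region deployment scenario each region should has its own scaling plan.`, which splices two sentences with a comma and has a verb-agreement error. Suggest `Scaling plans can only be assigned to host pools in the same region. In multi-region deployments, each region should have its own scaling plan.`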
@@ -24,7 +24,7 @@
recommendationResourceType: Microsoft.VirtualMachineImages/imageTemplates
recommendationMetadataState: Active
longDescription: |
- The Azure Image Builder service, used for deploying Image Templates, lacks availability zones support. By replicating Image Templates to a secondary, preferably paired, region, quick recovery from a region failure is enabled, ensuring continuous virtual machine deployment from these templates.
+ The Azure Image Builder service lacks availability zones support. Replicating Image Templates to a secondary region will enable the build of new images in secondary region.
potentialBenefits: Enhances disaster recovery capability
pgVerified: true
publishedToLearn: false
@@ -32,6 +32,6 @@
tags: null
learnMoreLink:
- name: Image Template resiliency
- url: "https://learn.microsoft.com/en-us/azure/reliability/reliability-image-builder?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json#capacity-and-proactive-disaster-recovery-resiliency"
+ url: "https://learn.microsoft.com/en-us/azure/reliability/reliability-image-builder?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph#disaster-recovery"
- name: Azure Image Builder Supported Regions
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell#regions"
diff --git a/azure-specialized-workloads/avd/_index.md b/azure-specialized-workloads/avd/_index.md
index dc01c6c0b..d4324854e 100644
--- a/azure-specialized-workloads/avd/_index.md
+++ b/azure-specialized-workloads/avd/_index.md
@@ -8,12 +8,14 @@ geekdocHidden: false | Recommendation | Provider Namespace | Resource Type | |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------:|:----------------------:| -| [Create a validation host pool for testing of planned updates](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#Create-a-validation-host-pool-for-testing-of-planned-updates) | DesktopVirtualization | hostPools | +| [Create a validation host pool](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#Create-a-validation-host-pool) | DesktopVirtualization | hostPools | | [Configure host pool scheduled agent updates](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#configure-host-pool-scheduled-agent-updates) | DesktopVirtualization | hostPools | | [Ensure a unique OU is used when deploying host pools with domain joined session hosts](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#ensure-a-unique-ou-is-used-when-deploying-host-pools-with-domain-joined-session-hosts) | DesktopVirtualization | hostPools | -| [Use Azure Site Recovery or backups to protect VMs supporting personal desktops](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#use-azure-site-recovery-or-backups-to-protect-vms-supporting-personal-desktops) | DesktopVirtualization | hostPools | -| [Scaling plans should be created per region and not scaled across regions](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/scalingPlans/#scaling-plans-should-be-created-per-region-and-not-scaled-across-regions) | DesktopVirtualization | 
scalingPlans | -| [Replicate your Image Templates to a secondary region](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/VirtualMachineImages/imageTemplates/#replicate-your-image-templates-to-a-secondary-region) | Compute | galleries | +| [Use Azure Site Recovery to protect stateful session hosts](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/hostPools/#use-azure-site-recovery-to-protect-stateful-session hosts) | DesktopVirtualization | hostPools | +| [Create scaling plans per region](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/DesktopVirtualization/scalingPlans/#create-scaling-plans-per-region) | DesktopVirtualization | scalingPlans | +| [Replicate your image templates to a secondary region](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/VirtualMachineImages/imageTemplates/#replicate-your-image-templates-to-a-secondary-region) | Compute | virtualMachineImages | +| [Create image Versions replicas in secondary region](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/compute/galleries/#create-image-versions-replicas-in-secondary-region) | Compute | galleries | +| [Configure image version replica count per region](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/compute/galleries/#configure-image-version-replica-count-per-region) | Compute | galleries | | [A minimum of three replicas should be kept for production image versions](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/galleries/#a-minimum-of-three-replicas-should-be-kept-for-production-image-versions) | Compute | galleries | | [Zone redundant storage should be used for image versions](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/galleries/#zone-redundant-storage-should-be-used-for-image-versions) | Compute | galleries | | [Deploy VMs across Availability 
Zones](../../../Azure-Proactive-Resiliency-Library-v2/azure-resources/Compute/virtualMachines/#deploy-vms-across-availability-zones) | Compute | virtualMachines | diff --git a/azure-specialized-workloads/avd/recommendations.yaml b/azure-specialized-workloads/avd/recommendations.yaml index b900a31c8..ef2ef7c49 100644 --- a/azure-specialized-workloads/avd/recommendations.yaml +++ b/azure-specialized-workloads/avd/recommendations.yaml @@ -279,25 +279,6 @@ - name: Learn More url: "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing" -- description: Ensure route tables accommodate failover - aprlGuid: 4b1a45af-d35f-442d-922a-a3e7b6052de1 - recommendationTypeId: null - recommendationControl: Disaster Recovery - recommendationImpact: High - recommendationResourceType: Specialized.Workload/AVD - recommendationMetadataState: Active - longDescription: | - Ensure Route Tables that force tunnel traffic to FW/NVA have failover considerations evaluated and won't fail or trigger next-gen FW protections. - AVD workload teams should collaborate with centralized teams that manage the shared infrastructure, like networking, to ensure that both Production and DR workloads have the appropriate route tables in place for failover of routing to perform as expected. - potentialBenefits: Enhanced failover reliability - pgVerified: true - publishedToLearn: false - automationAvailable: false - tags: - learnMoreLink: - - name: Learn More - url: "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery" - - description: Configure static routes for session hosts to directly access the AVD control plane subnet aprlGuid: 1c6c97d7-4d03-4f53-985d-fa239f715173 recommendationTypeId: null From 4b6e25490f8eff5f998039a6edd4a29e1d368fec Mon Sep 17 00:00:00 2001 
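Review bot: The new Site Recovery row in _index.md links to `#use-azure-site-recovery-to-protect-stateful-session hosts`, which has a literal space inside the fragment, so it will not match the generated heading id; it should be `#use-azure-site-recovery-to-protect-stateful-session-hosts`. The two new gallery rows use the path `azure-resources/compute/galleries/` while the existing gallery rows directly below use `azure-resources/Compute/galleries/`; on a case-sensitive host only one of these resolves, so match the existing capitalisation. The table continues beyond the hunk.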
From: Robert Lightner <49571483+DaFitRobsta@users.noreply.github.com>
Date: Wed, 9 Oct 2024 17:57:54 -0700
Subject: [PATCH 2/8] feat: Added KQL for ExpressRoute FastPath Connections (#446)
Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com>
---
.../f6a14b32-a727-4ace-b5fa-7b1c6bdff402.kql | 21 +++++++++++++++++--
.../Network/connections/recommendations.yaml | 2 +-
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/azure-resources/Network/connections/kql/f6a14b32-a727-4ace-b5fa-7b1c6bdff402.kql b/azure-resources/Network/connections/kql/f6a14b32-a727-4ace-b5fa-7b1c6bdff402.kql
index 825659376..c39397d18 100644
--- a/azure-resources/Network/connections/kql/f6a14b32-a727-4ace-b5fa-7b1c6bdff402.kql
+++ b/azure-resources/Network/connections/kql/f6a14b32-a727-4ace-b5fa-7b1c6bdff402.kql
@@ -1,2 +1,19 @@
-// under-development
-
+// Azure Resource Graph Query
+// Find all ExpressRoute Connections that are connected to ErGw3AZ or UltraPerformance gateway sku that don't have
+// FastPath enabled for both the Gateway Bypass or Private Endpoint/Link service.
+resources
+| where type == "microsoft.network/connections"
+| where properties.connectionType =~ 'expressroute'
+| extend gatewayId = tostring(properties.virtualNetworkGateway1.id)
+| join kind=inner (
+ resources
+ | where type =~ "Microsoft.Network/virtualNetworkGateways"
+ | where properties.sku.name in~ ("ErGw3AZ", "UltraPerformance")
+ | extend gatewayId = tostring(id)
+) on gatewayId
+| extend erGatewayBypass = tobool(properties.expressRouteGatewayBypass)
+| extend privateLinkFastPath = tobool(properties.enablePrivateLinkFastPath)
+| where not(erGatewayBypass) or not(privateLinkFastPath)
+| project recommendationId = "f6a14b32-a727-4ace-b5fa-7b1c6bdff402", id, name, tags,
+ param1 = iff(erGatewayBypass, "Enabled: Gateway Bypass", "Disabled: Gateway Bypass"),
+ param2 = iff(privateLinkFastPath, "Enabled: PE FastPath", "Disabled: PE FastPath"),
diff --git a/azure-resources/Network/connections/recommendations.yaml b/azure-resources/Network/connections/recommendations.yaml
index 200e269fd..e7cf00e00 100644
--- a/azure-resources/Network/connections/recommendations.yaml
+++ b/azure-resources/Network/connections/recommendations.yaml
@@ -1,4 +1,4 @@
-- description: For better data path performance enable FastPath on ExpressRoute Direct and Gateway
+- description: For better data path performance enable FastPath on ExpressRoute Connections
aprlGuid: f6a14b32-a727-4ace-b5fa-7b1c6bdff402
recommendationTypeId: null
recommendationControl: Scalability
From 31b7f1117d73327065b6719442212b0bf4e8eb7c Mon Sep 17 00:00:00 2001
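Review bot: Connections whose `expressRouteGatewayBypass` or `enablePrivateLinkFastPath` property is absent are silently dropped by the `where not(erGatewayBypass) or not(privateLinkFastPath)` line, because `tobool()` of a missing property yields null, `not(null)` is null, and `where` treats null as false; those are precisely the connections without FastPath configured, so the query under-reports. Default the two extends, e.g. `| extend erGatewayBypass = coalesce(tobool(properties.expressRouteGatewayBypass), false)` and `| extend privateLinkFastPath = coalesce(tobool(properties.enablePrivateLinkFastPath), false)`, so they surface with the "Disabled" param values. The trailing comma after the `param2` line of the final `project` looks like a syntax error in Kusto and should be removed.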
From: Takeshi Katano
Date: Thu, 10 Oct 2024 08:58:48 +0800
Subject: [PATCH 3/8] fix: Improve KQL stability for resource group recommendation (#454)
Co-authored-by: github-actions[bot]
---
.../98bd7098-49d6-491b-86f1-b143d6b1a0ff.kql | 31 ++++++++++++-------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/azure-resources/Resources/resourceGroups/kql/98bd7098-49d6-491b-86f1-b143d6b1a0ff.kql b/azure-resources/Resources/resourceGroups/kql/98bd7098-49d6-491b-86f1-b143d6b1a0ff.kql
index 0c313399e..f8cef9ca4 100644
--- a/azure-resources/Resources/resourceGroups/kql/98bd7098-49d6-491b-86f1-b143d6b1a0ff.kql
+++ b/azure-resources/Resources/resourceGroups/kql/98bd7098-49d6-491b-86f1-b143d6b1a0ff.kql
@@ -1,13 +1,22 @@
// Azure Resource Graph Query
// Provides a list of Azure Resource Groups that have resources deployed in a region different than the Resource Group region
-resources
-| project id, name, tags, resourceGroup, location
-| where location != "global" // exclude global resources
-| where resourceGroup != "networkwatcherrg" // exclude networkwatcherrg
-| where split(id, "/", 3)[0] =~ "resourceGroups" // resource is in a resource group
-| extend resourceGroupId = strcat_array(array_slice(split(id, "/"),0,4), "/") // create resource group resource id
-| join (resourcecontainers | project containerid=id, containerlocation=location ) on $left.resourceGroupId == $right.['containerid'] // join to resourcecontainers table
-| where location != containerlocation
-| project recommendationId="98bd7098-49d6-491b-86f1-b143d6b1a0ff", name, id, tags
-| order by id asc
-
+resourcecontainers
+| where type =~ "Microsoft.Resources/subscriptions/resourceGroups"
+| project resourceGroupId = tolower(id), resourceGroupLocation = location
+| join kind = inner (
+ resources
+ | where location !~ "Global" and // Exclude global resources
+ resourceGroup !~ "NetworkWatcherRG" and // Exclude resources in the NetworkWatcherRG
+ id has "/resourceGroups/" // Exclude resources not in a resource group
+ | project id, name, tags, resourceGroup, location, resourceGroupId = tolower(strcat_array(array_slice(split(id, "/"), 0, 4), "/"))
+ )
+ on resourceGroupId
+| where resourceGroupLocation !~ location
+| project
+ recommendationId = "98bd7098-49d6-491b-86f1-b143d6b1a0ff",
+ name,
+ id,
+ tags,
+ param1 = strcat("resourceLocation: ", location),
+ param2 = strcat("resourceGroupLocation: ", resourceGroupLocation),
+ param3 = strcat("resourceGroup: ", resourceGroup)
From 685aa5340eca9dd018bf88f31e2b21ae33031edf Mon Sep 17 00:00:00 2001
From: Takeshi Katano
Date: Fri, 11 Oct 2024 04:15:33 +0800
Subject: [PATCH 4/8] feat: Add recommendation for Managed Grafana (#429)
---
azure-resources/Dashboard/_index.md | 5 +++++
azure-resources/Dashboard/grafana/_index.md | 7 +++++++
.../6cd57b65-ef84-4088-9ada-c0d8de74c2f7.kql | 14 ++++++++++++++
.../Dashboard/grafana/recommendations.yaml | 19 +++++++++++++++++++
4 files changed, 45 insertions(+)
create mode 100644 azure-resources/Dashboard/_index.md
create mode 100644 azure-resources/Dashboard/grafana/_index.md
create mode 100644 azure-resources/Dashboard/grafana/kql/6cd57b65-ef84-4088-9ada-c0d8de74c2f7.kql
create mode 100644 azure-resources/Dashboard/grafana/recommendations.yaml
diff --git a/azure-resources/Dashboard/_index.md b/azure-resources/Dashboard/_index.md
new file mode 100644
index 000000000..00253f673
--- /dev/null
+++ b/azure-resources/Dashboard/_index.md
@@ -0,0 +1,5 @@
+---
+title: Dashboard
+geekdocCollapseSection: true
+geekdocHidden: false
+---
diff --git a/azure-resources/Dashboard/grafana/_index.md b/azure-resources/Dashboard/grafana/_index.md
new file mode 100644
index 000000000..ce121b420
--- /dev/null
+++ b/azure-resources/Dashboard/grafana/_index.md
@@ -0,0 +1,7 @@
+---
+title: grafana
+geekdocCollapseSection: true
+geekdocHidden: false
+---
+
+{{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}
diff --git a/azure-resources/Dashboard/grafana/kql/6cd57b65-ef84-4088-9ada-c0d8de74c2f7.kql b/azure-resources/Dashboard/grafana/kql/6cd57b65-ef84-4088-9ada-c0d8de74c2f7.kql
new file mode 100644
index 000000000..ceb9926cf
--- /dev/null
+++ b/azure-resources/Dashboard/grafana/kql/6cd57b65-ef84-4088-9ada-c0d8de74c2f7.kql
@@ -0,0 +1,14 @@
+// Azure Resource Graph Query
+// Provides a list of Azure Managed Grafana resources that do not zone redundancy enabled.
+resources
+| where type =~ "Microsoft.Dashboard/grafana"
+| extend zoneRedundancy = properties.zoneRedundancy
+| where zoneRedundancy !~ "Enabled"
+| project
+ recommendationId = "6cd57b65-ef84-4088-9ada-c0d8de74c2f7",
+ name,
+ id,
+ tags,
+ param1 = strcat("location: ", location),
+ param2 = strcat("sku: ", sku.name),
+ param3 = strcat("zoneRedundancy: ", zoneRedundancy)
diff --git a/azure-resources/Dashboard/grafana/recommendations.yaml b/azure-resources/Dashboard/grafana/recommendations.yaml
new file mode 100644
index 000000000..be213a1a9
--- /dev/null
+++ b/azure-resources/Dashboard/grafana/recommendations.yaml
@@ -0,0 +1,19 @@
+- description: Enable zone redundancy in Managed Grafana
+ aprlGuid: 6cd57b65-ef84-4088-9ada-c0d8de74c2f7
+ recommendationTypeId: null
+ recommendationControl: High Availability
+ recommendationImpact: Medium
+ recommendationResourceType: Microsoft.Dashboard/grafana
+ recommendationMetadataState: Active
+ longDescription: |
+ Managed Grafana Standard tier is hosted on a dedicated set of VMs to provide redundancy. With zone redundancy enabled, VMs are spread across availability zones (AZ). Related resources are also configured for AZ. Zone redundancy can only be enabled when creating the Azure Managed Grafana instance.
+ potentialBenefits: Enhanced Managed Grafana resilience to failures
+ pgVerified: false
+ publishedToLearn: false
+ automationAvailable: true
+ tags: null
+ learnMoreLink:
+ - name: Azure Managed Grafana service reliability
+ url: "https://learn.microsoft.com/azure/managed-grafana/high-availability"
+ - name: Enable zone redundancy in Azure Managed Grafana
+ url: "https://learn.microsoft.com/Azure/managed-grafana/how-to-enable-zone-redundancy"
From 400069fe4810c07e032c78539a3c167f84099e6f Mon Sep 17 00:00:00 2001
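Review bot: The header comment `// Provides a list of Azure Managed Grafana resources that do not zone redundancy enabled.` is missing a verb; change it to `// Provides a list of Azure Managed Grafana resources that do not have zone redundancy enabled.`. The filter `| where zoneRedundancy !~ "Enabled"` compares a dynamic property, and if `properties.zoneRedundancy` can be absent on some instances the comparison may evaluate to null and drop exactly the instances that lack the setting; extending with `| extend zoneRedundancy = tostring(properties.zoneRedundancy)` makes the comparison a plain string test that keeps them — worth confirming against real ARG output before relying on it.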
From: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
Date: Fri, 11 Oct 2024 15:08:50 -0500
Subject: [PATCH 5/8] feat: Add sync for GitHub issues to Azure DevOps Work items (#461)
---
.../actions-config/gh-ado-sync-config.json | 18 +++++++++++
.github/workflows/ado-sync-workitems.yml | 31 +++++++++++++++++++
.../workflows/build-recommendation-object.yml | 5 ++-
3 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 .github/actions-config/gh-ado-sync-config.json
create mode 100644 .github/workflows/ado-sync-workitems.yml
diff --git a/.github/actions-config/gh-ado-sync-config.json b/.github/actions-config/gh-ado-sync-config.json
new file mode 100644
index 000000000..0c3183d83
--- /dev/null
+++ b/.github/actions-config/gh-ado-sync-config.json
@@ -0,0 +1,18 @@
+{
+ "log_level": "info",
+ "ado": {
+ "organization": "CSUSolEng",
+ "project": "Well-Architected Framework",
+ "wit": "GitHub Issue",
+ "states": {
+ "new": "New",
+ "closed": "Closed",
+ "reopened": "New",
+ "deleted": "Removed",
+ "active": "In Progress"
+ },
+ "bypassRules": true,
+ "autoCreate": true,
+ "areaPath": "Well-Architected Framework"
+ }
+}
diff --git a/.github/workflows/ado-sync-workitems.yml b/.github/workflows/ado-sync-workitems.yml
new file mode 100644
index 000000000..e6896d572
--- /dev/null
+++ b/.github/workflows/ado-sync-workitems.yml
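Review bot: `"bypassRules": true` together with `"autoCreate": true` appears to let the sync create and update work items while skipping the project's work-item rules; how a11smiles/GitSync interprets these keys is not visible here, so confirm that bypassing rules is actually required and that the ADO token used by the workflow is scoped to the `Well-Architected Framework` project only, so a rule bypass cannot reach other projects in the `CSUSolEng` organization.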
@@ -0,0 +1,31 @@
+name: Sync Issues to Azure DevOps Work Items
+
+permissions:
+ contents: read
+
+on:
+ issues:
+ types: [opened, closed, deleted, reopened, edited, labeled, unlabeled, assigned, unassigned]
+ issue_comment:
+ types: [created]
+
+jobs:
+ alert:
+ runs-on: ubuntu-latest
+ name: Sync workflow
+ if: github.repository == 'Azure/Azure-Proactive-Resiliency-Library-v2'
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: GitHub/ADO Sync
+ uses: a11smiles/GitSync@v1.2.3
+ env:
+ ado_token: '${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}'
+ github_token: '${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}'
+ config_file: './.github/actions-config/gh-ado-sync-config.json'
+ with:
+ ado: ${{ secrets.ADO_MAPPINGS_HANDLES }}
diff --git a/.github/workflows/build-recommendation-object.yml b/.github/workflows/build-recommendation-object.yml
index 5d5bb4356..f1feb2203 100644
--- a/.github/workflows/build-recommendation-object.yml
+++ b/.github/workflows/build-recommendation-object.yml
@@ -5,6 +5,9 @@ on:
- cron: "0 0 * * *"
workflow_dispatch: {}
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
@@ -38,7 +41,7 @@ jobs:
run: |
git add ./tools/data/recommendations.json
git commit -m "Update recommendations.json"
- git push
+ git push --set-upstream origin json-object-update
- name: Create PR
env:
From cc918db7e0716e432018ae5770e1fc3d7ae04bd5 Mon Sep 17 00:00:00 2001
From: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
Date: Fri, 11 Oct 2024 15:18:53 -0500
Subject: [PATCH 6/8] fix: Build Recommendation Permission Issues (#462)
---
.github/workflows/build-recommendation-object.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-recommendation-object.yml b/.github/workflows/build-recommendation-object.yml
index f1feb2203..b4cfee1a6 100644
--- a/.github/workflows/build-recommendation-object.yml
+++ b/.github/workflows/build-recommendation-object.yml
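Review bot: `uses: a11smiles/GitSync@v1.2.3` and `uses: actions/checkout@v4` pin mutable tags, whereas this repository pins `step-security/harden-runner` to a full commit SHA with a version comment in build-recommendation-object.yml; the GitSync step receives two personal access tokens (`ADO_PERSONAL_ACCESS_TOKEN`, `GH_PERSONAL_ACCESS_TOKEN`) through `env`, so a moved or compromised tag would hand those credentials to unreviewed code. Pin both steps to a commit SHA in the same style, e.g. `uses: a11smiles/GitSync@<commit-sha> # v1.2.3`, and consider adding the Harden Runner step the other workflow already uses. The checkout uses `fetch-depth: 0` although the job only reads `./.github/actions-config/gh-ado-sync-config.json`; the default shallow checkout is sufficient. Because the job fires on `issue_comment` from any commenter, keep both PATs scoped to the minimum the sync needs and rotate them on a schedule.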
@@ -11,6 +11,9 @@ permissions:
jobs:
build:
runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
From 9c83fa71d79e36c7e0934977b81abf7839b1fdff Mon Sep 17 00:00:00 2001
From: judyer28
Date: Wed, 16 Oct 2024 12:32:54 -0400
Subject: [PATCH 7/8] feat: Added recommendation for On-Demand Capacity Reservations for DR regions (#466)
---
.../587ca3e4-113b-4c4f-b4e0-92cd8d2065b6.kql | 2 ++
.../virtualMachines/recommendations.yaml | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
create mode 100644 azure-resources/Compute/virtualMachines/kql/587ca3e4-113b-4c4f-b4e0-92cd8d2065b6.kql
diff --git a/azure-resources/Compute/virtualMachines/kql/587ca3e4-113b-4c4f-b4e0-92cd8d2065b6.kql b/azure-resources/Compute/virtualMachines/kql/587ca3e4-113b-4c4f-b4e0-92cd8d2065b6.kql
new file mode 100644
index 000000000..62b578dfe
--- /dev/null
+++ b/azure-resources/Compute/virtualMachines/kql/587ca3e4-113b-4c4f-b4e0-92cd8d2065b6.kql
@@ -0,0 +1,2 @@
+// cannot-be-validated-with-arg
+
diff --git a/azure-resources/Compute/virtualMachines/recommendations.yaml b/azure-resources/Compute/virtualMachines/recommendations.yaml
index ef4b9027c..28e541fff 100644
--- a/azure-resources/Compute/virtualMachines/recommendations.yaml
+++ b/azure-resources/Compute/virtualMachines/recommendations.yaml
@@ -523,3 +523,21 @@
learnMoreLink:
- name: How to update the Azure Linux Agent on a VM
url: "https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/update-linux-agent?tabs=ubuntu"
+
+- description: Reserve Compute Capacity in Disaster Recovery Regions
+ aprlGuid: 587ca3e4-113b-4c4f-b4e0-92cd8d2065b6
+ recommendationTypeId: null
+ recommendationControl: Disaster Recovery
+ recommendationImpact: Medium
+ recommendationResourceType: Microsoft.Compute/virtualMachines
+ recommendationMetadataState: Active
+ longDescription: |
+ On-Demand Capacity Reservations ensure recovery of virtual machines in the event of a natural disaster by reserving compute capacity in advance within a specific region or zone. This guarantees that VMs have the necessary resources during disaster recovery failover events thus reducing downtime.
+ potentialBenefits: Guaranteed capacity in disaster recovery regions
+ pgVerified: true
+ publishedToLearn: false
+ automationAvailable: false
+ tags: null
+ learnMoreLink:
+ - name: On-demand Capacity Reservation
+ url: "https://aka.ms/on-demand-capacity-reservations-docs"
From e04dfc5ad621bd970db30bf635ff815db0636207 Mon Sep 17 00:00:00 2001
From: Aarthi Murugan <61921020+aarthiem@users.noreply.github.com>
Date: Wed, 16 Oct 2024 12:36:45 -0400
Subject: [PATCH 8/8] feat: Updates with PG verified recommendations and upgraded 3 recommendations to impact to High (#444)
Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com>
---
.../Web/serverFarms/recommendations.yaml | 4 ++--
azure-resources/Web/sites/recommendations.yaml | 18 +++++++++---------
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/azure-resources/Web/serverFarms/recommendations.yaml b/azure-resources/Web/serverFarms/recommendations.yaml
index 26750673d..5bbb32913 100644
--- a/azure-resources/Web/serverFarms/recommendations.yaml
+++ b/azure-resources/Web/serverFarms/recommendations.yaml
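Review bot: The new entry's `url: "https://aka.ms/on-demand-capacity-reservations-docs"` is a redirector, unlike every other learnMoreLink in this hunk and file, which point at learn.microsoft.com pages directly; a reviewer cannot see where it resolves, and the destination can change without any change to this repository. Replace it with the resolved learn.microsoft.com URL of the capacity reservation documentation.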
@@ -46,7 +46,7 @@ longDescription: |
Avoid frequent scaling up/down of Azure App Service instances to prevent service disruptions. Choose the right tier and size for the workload and scale out for traffic changes, as scaling adjustments can trigger application restarts.
potentialBenefits: Minimizes restarts, enhances stability
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: true
tags: null
@@ -82,7 +82,7 @@ longDescription: |
Enabling Autoscale/Automatic Scaling for your Azure App Service ensures sufficient resources for incoming requests. Autoscaling is rule-based, whereas Automatic Scaling, a newer feature, automatically adjusts resources based on HTTP traffic.
potentialBenefits: Optimizes resources for traffic
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: false
tags: null
diff --git a/azure-resources/Web/sites/recommendations.yaml b/azure-resources/Web/sites/recommendations.yaml
index 9dcdbc108..9261bbd34 100644
--- a/azure-resources/Web/sites/recommendations.yaml
+++ b/azure-resources/Web/sites/recommendations.yaml
@@ -20,13 +20,13 @@ aprlGuid: a7e8bb3d-8ceb-442d-b26f-007cd63f9ffc
recommendationTypeId: null
recommendationControl: Monitoring and Alerting
- recommendationImpact: Medium
+ recommendationImpact: High
recommendationResourceType: Microsoft.Web/sites
recommendationMetadataState: Active
longDescription: |
Use Application Insights to monitor app performance and load behavior, offering real-time insights, issue diagnosis, and root-cause analysis. It supports ASP.NET, ASP.NET Core, Java, and Node.js on Azure App Service, now with built-in monitoring.
potentialBenefits: Real-time insights and issue diagnosis
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: false
tags: null
@@ -64,7 +64,7 @@ longDescription: |
Creating a separate storage account for logs and not using the same one for application data prevents logging activities from reducing application performance by ensuring that the resources dedicated to handling application data are not burdened by logging processes.
potentialBenefits: Improves app performance
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: false
tags: null
@@ -100,7 +100,7 @@ longDescription: |
Use app settings for configuration and define them in Resource Manager templates or via PowerShell to facilitate part of an automated deployment/update process for improved reliability.
potentialBenefits: Enhanced reliability via automation
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: true
tags: null
@@ -112,13 +112,13 @@ aprlGuid: fd049c28-ae6d-48f0-a641-cc3ba1a3fe1d
recommendationTypeId: null
recommendationControl: Other Best Practices
- recommendationImpact: Medium
+ recommendationImpact: High
recommendationResourceType: Microsoft.Web/sites
recommendationMetadataState: Active
longDescription: |
Use Health Check for production workloads. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. The Health check path should check critical components of your application.
potentialBenefits: Enhanced reliability via automation
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: true
tags: null
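Review bot: In the `@@ -112,13 +112,13 @@` hunk, `potentialBenefits: Enhanced reliability via automation` for the Health Check entry is a verbatim copy of the app-settings entry's benefit just above it and does not describe what Health Check provides; since this commit raises the entry to High impact and marks it pgVerified, the line should match its own longDescription, e.g. `potentialBenefits: Higher availability by rerouting traffic from unhealthy instances`. The line is unchanged context in this hunk, so it needs a separate edit.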
@@ -136,7 +136,7 @@ longDescription: |
Use network access restrictions to define a priority-ordered allow/deny list that controls network access to your app. Web application firewalls, such as the one available in Application Gateway, are recommended for protection of public-facing web applications.
potentialBenefits: Enhanced security
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: true
tags: null
@@ -148,13 +148,13 @@ aprlGuid: 9e6682ac-31bc-4635-9959-ab74b52454e6
recommendationTypeId: null
recommendationControl: Scalability
- recommendationImpact: Medium
+ recommendationImpact: High
recommendationResourceType: Microsoft.Web/sites
recommendationMetadataState: Active
longDescription: |
App Service should be configured with a minimum of two instances for production workloads. If apps have a longer warmup time a minimum of three instances should be used.
potentialBenefits: Improves app performace
- pgVerified: false
+ pgVerified: true
publishedToLearn: false
automationAvailable: true
tags: null
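Review bot: In the `@@ -148,13 +148,13 @@` hunk, `potentialBenefits: Improves app performace` has a typo (`performace`), and running two or more instances is primarily an availability measure rather than a performance one, so the benefit text disagrees with the longDescription it sits under; suggest `potentialBenefits: Higher availability during instance loss or restarts`. The commit raises this entry to High impact but leaves that context line as is.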