diff --git a/.gitignore b/.gitignore
index 922d11fd..ee3f87dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,8 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
+# Jetbrains IDE
+.idea/
 # Dependency directories (remove the comment below to include it)
 # vendor/
diff --git a/README.md b/README.md
index 0fe41b09..6e4f4199 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,7 @@ To learn more about the recommendations used by **Azure Quick Review (azqr)**, y
 * Azure Virtual Machine
 * Azure Virtual Network
 * Azure Virtual WAN
+* Azure VPN Gateway
 * Azure Web PubSub
 ## Usage
diff --git a/cmd/azqr/vpng.go b/cmd/azqr/vpng.go
new file mode 100644
index 00000000..a4433679
--- /dev/null
+++ b/cmd/azqr/vpng.go
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package azqr
+
+import (
+ "github.com/Azure/azqr/internal/scanners"
+ "github.com/Azure/azqr/internal/scanners/vpng"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ scanCmd.AddCommand(vpngCmd)
+}
+
+var vpngCmd = &cobra.Command{
+ Use: "vpng",
+ Short: "Scan Azure VPN Gateway",
+ Long: "Scan Azure VPN Gateway",
+ Args: cobra.NoArgs,
+ Run: func(cmd *cobra.Command, args []string) {
+ serviceScanners := []scanners.IAzureScanner{
+ &vpng.VPNGatewayScanner{},
+ }
+
+ scan(cmd, serviceScanners)
+ },
+}
diff --git a/docs/content/en/docs/Overview/_index.md b/docs/content/en/docs/Overview/_index.md
index 53d6387f..5b3ee391 100644
--- a/docs/content/en/docs/Overview/_index.md
+++ b/docs/content/en/docs/Overview/_index.md
@@ -95,6 +95,7 @@ To learn more about the recommendations used by **Azure Quick Review (azqr)**, y
 * Azure Virtual Machine
 * Azure Virtual Network
 * Azure Virtual WAN
+* Azure VPN Gateway
 * Azure Web PubSub
 ## Code of Conduct
diff --git a/docs/content/en/docs/Recommendations/_index.md b/docs/content/en/docs/Recommendations/_index.md
index 079f2c63..ae637a80 100644
--- a/docs/content/en/docs/Recommendations/_index.md
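Review bot: In cmd/azqr/vpng.go the new `vpngCmd` sets `Long` to exactly the same string as `Short`, so the command's detailed help adds nothing over the one-liner; either drop `Long` or make it say what the scanner actually evaluates, for example `Long: "Scan Azure VPN Gateway resources in the selected scope and report the configured recommendations",`. The package-level variable also has no doc comment; a line such as `// vpngCmd is the "vpng" subcommand registered under scanCmd; it runs the VPN Gateway scanner through the shared scan helper.` would make the registration in `init()` self-explanatory. `scanCmd` and `scan` are defined elsewhere in the package and are not visible in this hunk, so I cannot confirm from here that `scan(cmd, serviceScanners)` matches the helper's signature, though the same pattern presumably exists in the sibling command files.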
+++ b/docs/content/en/docs/Recommendations/_index.md 
@@ -7,312 +7,317 @@ weight: 3 Azure Quick Review checks the following recommendations for Azure resources. The recommendations are categorized based on their impact and category: \# | Category | Impact | Recommendation | More Info ----|---|---|---|--- -1 | Monitoring and Alerting | Low | Azure Databricks should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/account-settings/audit-log-delivery) -2 | High Availability | High | Azure Databricks should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services) -3 | Security | High | Azure Databricks should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/private-link) -4 | High Availability | High | Azure Databricks SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/databricks/) -5 | Governance | Low | Azure Databricks Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +---|---|--------|--|--- +1 | Monitoring and Alerting | Low | Azure Databricks should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/account-settings/audit-log-delivery) +2 | High Availability | High | Azure Databricks should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services) +3 | Security | High | Azure Databricks should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/private-link) +4 | High Availability | High | Azure Databricks SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/databricks/) +5 | Governance | Low | Azure Databricks Name should comply with naming conventions | 
[Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) 6 | Security | Medium | Azure Databricks should have the Public IP disabled | [Learn](https://learn.microsoft.com/en-us/azure/databricks/security/network/secure-cluster-connectivity) -7 | Monitoring and Alerting | Low | Azure Data Factory should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/data-factory/monitor-configure-diagnostics) -8 | Security | High | Azure Data Factory should have private endpoints enabled | [Learn]() -9 | High Availability | High | Azure Data Factory SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services) -10 | Governance | Low | Azure Data Factory Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -11 | Governance | Low | Azure Data Factory should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -12 | Monitoring and Alerting | Low | Azure FrontDoor should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs) -13 | High Availability | High | Azure FrontDoor SLA | [Learn](https://www.azure.cn/en-us/support/sla/cdn/) -14 | High Availability | High | Azure FrontDoor SKU | [Learn](https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/tier-comparison) -15 | Governance | Low | Azure FrontDoor Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -16 | Governance | Low | Azure FrontDoor should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -17 | Monitoring and Alerting | Low | Azure 
Firewall should have diagnostic settings enabled | [Learn](https://docs.microsoft.com/en-us/azure/firewall/logs-and-metrics) -18 | High Availability | High | Azure Firewall should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/firewall/features#availability-zones) -19 | High Availability | High | Azure Firewall SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services) -20 | High Availability | High | Azure Firewall SKU | [Learn](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku) -21 | Governance | Low | Azure Firewall Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -22 | Governance | Low | Azure Firewall should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -23 | Scalability | High | Application Gateway: Ensure autoscaling is used with a minimum of 2 instances | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant) -24 | Security | High | Application Gateway: Secure all incoming connections with SSL | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/services/networking/azure-application-gateway#security) -25 | Security | High | Application Gateway: Enable WAF policies | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/features#web-application-firewall) -26 | High Availability | High | Application Gateway: Use Application GW V2 instead of V1 | [Learn](https://azure.microsoft.com/en-us/updates/application-gateway-v1-will-be-retired-on-28-april-2026-transition-to-application-gateway-v2/) -27 | Monitoring and Alerting | Low | Application Gateway: Monitor and Log the configurations and traffic | 
[Learn](https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics#diagnostic-logging) +7 | Monitoring and Alerting | Low | Azure Data Factory should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/data-factory/monitor-configure-diagnostics) +8 | Security | High | Azure Data Factory should have private endpoints enabled | [Learn]() +9 | High Availability | High | Azure Data Factory SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services) +10 | Governance | Low | Azure Data Factory Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +11 | Governance | Low | Azure Data Factory should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +12 | Monitoring and Alerting | Low | Azure FrontDoor should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs) +13 | High Availability | High | Azure FrontDoor SLA | [Learn](https://www.azure.cn/en-us/support/sla/cdn/) +14 | High Availability | High | Azure FrontDoor SKU | [Learn](https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/tier-comparison) +15 | Governance | Low | Azure FrontDoor Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +16 | Governance | Low | Azure FrontDoor should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +17 | Monitoring and Alerting | Low | Azure Firewall should have diagnostic settings enabled | [Learn](https://docs.microsoft.com/en-us/azure/firewall/logs-and-metrics) +18 | High Availability | High | Azure Firewall should have 
availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/firewall/features#availability-zones) +19 | High Availability | High | Azure Firewall SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services) +20 | High Availability | High | Azure Firewall SKU | [Learn](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku) +21 | Governance | Low | Azure Firewall Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +22 | Governance | Low | Azure Firewall should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +23 | Scalability | High | Application Gateway: Ensure autoscaling is used with a minimum of 2 instances | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant) +24 | Security | High | Application Gateway: Secure all incoming connections with SSL | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/services/networking/azure-application-gateway#security) +25 | Security | High | Application Gateway: Enable WAF policies | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/features#web-application-firewall) +26 | High Availability | High | Application Gateway: Use Application GW V2 instead of V1 | [Learn](https://azure.microsoft.com/en-us/updates/application-gateway-v1-will-be-retired-on-28-april-2026-transition-to-application-gateway-v2/) +27 | Monitoring and Alerting | Low | Application Gateway: Monitor and Log the configurations and traffic | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics#diagnostic-logging) 28 | High Availability | Medium | Application Gateway should have availability zones enabled | 
[Learn](https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant) 29 | High Availability | Medium | Application Gateway: Plan for backend maintenance by using connection draining | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/features#connection-draining) -30 | High Availability | High | Application Gateway SLA | [Learn](https://www.azure.cn/en-us/support/sla/application-gateway/) -31 | High Availability | High | Application Gateway SKU | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/understanding-pricing) -32 | Governance | Low | Application Gateway Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -33 | Governance | Low | Application Gateway should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -34 | Monitoring and Alerting | Low | AKS Cluster should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/aks/monitor-aks#collect-resource-logs) -35 | High Availability | High | AKS Cluster should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/aks/availability-zones) -36 | High Availability | High | AKS Cluster should have an SLA | [Learn](https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers#uptime-sla-terms-and-conditions) -37 | Security | High | AKS Cluster should be private | [Learn](https://learn.microsoft.com/en-us/azure/aks/private-clusters) -38 | High Availability | High | AKS Production Cluster should use Standard SKU | [Learn](https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers) -39 | Governance | Low | AKS Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +30 
| High Availability | High | Application Gateway SLA | [Learn](https://www.azure.cn/en-us/support/sla/application-gateway/) +31 | High Availability | High | Application Gateway SKU | [Learn](https://learn.microsoft.com/en-us/azure/application-gateway/understanding-pricing) +32 | Governance | Low | Application Gateway Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +33 | Governance | Low | Application Gateway should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +34 | Monitoring and Alerting | Low | AKS Cluster should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/aks/monitor-aks#collect-resource-logs) +35 | High Availability | High | AKS Cluster should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/aks/availability-zones) +36 | High Availability | High | AKS Cluster should have an SLA | [Learn](https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers#uptime-sla-terms-and-conditions) +37 | Security | High | AKS Cluster should be private | [Learn](https://learn.microsoft.com/en-us/azure/aks/private-clusters) +38 | High Availability | High | AKS Production Cluster should use Standard SKU | [Learn](https://learn.microsoft.com/en-us/azure/aks/free-standard-pricing-tiers) +39 | Governance | Low | AKS Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) 40 | Security | Medium | AKS should integrate authentication with AAD (Managed) | [Learn](https://learn.microsoft.com/en-us/azure/aks/managed-azure-ad) 41 | Security | Medium | AKS should be RBAC enabled. 
| [Learn](https://learn.microsoft.com/azure/aks/manage-azure-rbac) 42 | Security | Medium | AKS should have local accounts disabled | [Learn](https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts) 43 | Security | Medium | AKS should have httpApplicationRouting disabled | [Learn](https://learn.microsoft.com/azure/aks/http-application-routing) -44 | Monitoring and Alerting | High | AKS should have Container Insights enabled | [Learn](https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview) -45 | Security | High | AKS should have outbound type set to user defined routing | [Learn](https://learn.microsoft.com/azure/aks/limit-egress-traffic) +44 | Monitoring and Alerting | High | AKS should have Container Insights enabled | [Learn](https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview) +45 | Security | High | AKS should have outbound type set to user defined routing | [Learn](https://learn.microsoft.com/azure/aks/limit-egress-traffic) 46 | Scalability | Medium | AKS should avoid using kubenet network plugin | [Learn](https://learn.microsoft.com/azure/aks/operator-best-practices-network) 47 | Scalability | Medium | AKS should have autoscaler enabled | [Learn](https://learn.microsoft.com/azure/aks/concepts-scale) -48 | Governance | Low | AKS should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -49 | Scalability | Low | AKS Node Pools should have MaxSurge set | [Learn](https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-run-at-scale#cluster-upgrade-considerations-and-best-practices) -50 | Monitoring and Alerting | Low | APIM should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor#resource-logs) -51 | High Availability | High | APIM should have availability zones enabled | 
[Learn](https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt) -52 | High Availability | High | APIM should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/api-management/) -53 | Security | High | APIM should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/api-management/private-endpoint) -54 | High Availability | High | Azure APIM SKU | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-features) -55 | Governance | Low | APIM should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -56 | Governance | Low | APIM should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +48 | Governance | Low | AKS should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +49 | Scalability | Low | AKS Node Pools should have MaxSurge set | [Learn](https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-run-at-scale#cluster-upgrade-considerations-and-best-practices) +50 | Monitoring and Alerting | Low | APIM should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor#resource-logs) +51 | High Availability | High | APIM should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/reliability/migrate-api-mgt) +52 | High Availability | High | APIM should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/api-management/) +53 | Security | High | APIM should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/api-management/private-endpoint) +54 | High Availability | High | Azure APIM SKU | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-features) +55 | Governance | Low | APIM 
should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +56 | Governance | Low | APIM should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) 57 | Security | Medium | APIM should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity) -58 | Security | High | APIM should only accept a minimum of TLS 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-manage-protocols-ciphers) -59 | Security | High | APIM should should not accept weak or deprecated ciphers. | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-manage-protocols-ciphers) -60 | Security | High | APIM: Renew expiring certificates | [Learn](https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain?tabs=custom) -61 | High Availability | High | APIM: Migrate instance hosted on the stv1 platform to stv2 | [Learn](https://learn.microsoft.com/en-us/azure/api-management/migrate-stv1-to-stv2?tabs=portal) -62 | Monitoring and Alerting | Low | AppConfiguration should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-app-configuration/monitor-app-configuration?tabs=portal) -63 | High Availability | High | AppConfiguration should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/app-configuration/) -64 | Security | High | AppConfiguration should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-private-endpoint) -65 | High Availability | High | AppConfiguration SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/app-configuration/) -66 | Governance | Low | AppConfiguration Name should comply with naming conventions | 
[Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -67 | Governance | Low | AppConfiguration should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +58 | Security | High | APIM should only accept a minimum of TLS 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-manage-protocols-ciphers) +59 | Security | High | APIM should should not accept weak or deprecated ciphers. | [Learn](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-manage-protocols-ciphers) +60 | Security | High | APIM: Renew expiring certificates | [Learn](https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain?tabs=custom) +61 | High Availability | High | APIM: Migrate instance hosted on the stv1 platform to stv2 | [Learn](https://learn.microsoft.com/en-us/azure/api-management/migrate-stv1-to-stv2?tabs=portal) +62 | Monitoring and Alerting | Low | AppConfiguration should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-app-configuration/monitor-app-configuration?tabs=portal) +63 | High Availability | High | AppConfiguration should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/app-configuration/) +64 | Security | High | AppConfiguration should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-private-endpoint) +65 | High Availability | High | AppConfiguration SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/app-configuration/) +66 | Governance | Low | AppConfiguration Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +67 | Governance | Low | AppConfiguration should have tags | 
[Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) 68 | Security | Medium | AppConfiguration should have local authentication disabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-disable-access-key-authentication?tabs=portal#disable-access-key-authentication) 69 | Disaster Recovery | Medium | AppConfiguration should have purge protection enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-soft-delete#purge-protection) -70 | High Availability | High | Azure Application Insights SLA | [Learn](https://www.azure.cn/en-us/support/sla/application-insights/index.html) -71 | Governance | Low | Azure Application Insights Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -72 | Governance | Low | Azure Application Insights should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -73 | Scalability | Low | Azure Application Insights should store data in a Log Analytics Workspace | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource) -74 | Monitoring and Alerting | Low | Container Apps Environment should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/log-options#diagnostic-settings) -75 | High Availability | High | Container Apps Environment should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/disaster-recovery?tabs=bash#set-up-zone-redundancy-in-your-container-apps-environment) -76 | High Availability | High | Container Apps Environment should have a SLA | [Learn](https://azure.microsoft.com/en-us/support/legal/sla/container-apps/v1_0/) -77 | Security | High | Container Apps Environment should have private endpoints enabled | 
[Learn](https://learn.microsoft.com/en-us/azure/container-apps/vnet-custom-internal?tabs=bash&pivots=azure-portal) -78 | Governance | Low | Container Apps Environment Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -79 | Governance | Low | Container Apps Environment should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -80 | High Availability | High | ContainerApp should have a SLA | [Learn](https://azure.microsoft.com/en-us/support/legal/sla/container-apps/v1_0/) -81 | Governance | Low | ContainerApp Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -82 | Governance | Low | ContainerApp should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -83 | Security | Low | ContainerApp should not allow insecure ingress traffic | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/ingress-how-to?pivots=azure-cli) -84 | Security | Low | ContainerApp should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet) -85 | High Availability | Low | ContainerApp should use Azure Files to persist container data | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/storage-mounts?pivots=azure-cli) -86 | High Availability | Low | ContainerApp should avoid using session affinity | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/sticky-sessions?pivots=azure-portal) -87 | High Availability | High | ContainerInstance should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-instances/availability-zones) -88 | High Availability | High | ContainerInstance should have a 
SLA | [Learn](https://www.azure.cn/en-us/support/sla/container-instances/v1_0/index.html) -89 | Security | High | ContainerInstance should use private IP addresses | [Learn]() -90 | High Availability | High | ContainerInstance SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/container-instances/) -91 | Governance | Low | ContainerInstance Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -92 | Governance | Low | ContainerInstance should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -93 | Monitoring and Alerting | Low | Cognitive Service Account should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs#collection-and-routing) -94 | High Availability | High | Cognitive Service Account should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) -95 | Security | High | Cognitive Service Account should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks) -96 | High Availability | High | Cognitive Service Account SKU | [Learn](https://learn.microsoft.com/en-us/azure/templates/microsoft.cognitiveservices/accounts?pivots=deployment-language-bicep#sku) -97 | Governance | Low | Cognitive Service Account Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -98 | Governance | Low | Cognitive Service Account should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +70 | High Availability | High | Azure Application Insights SLA | 
[Learn](https://www.azure.cn/en-us/support/sla/application-insights/index.html) +71 | Governance | Low | Azure Application Insights Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +72 | Governance | Low | Azure Application Insights should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +73 | Scalability | Low | Azure Application Insights should store data in a Log Analytics Workspace | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource) +74 | Monitoring and Alerting | Low | Container Apps Environment should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/log-options#diagnostic-settings) +75 | High Availability | High | Container Apps Environment should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/disaster-recovery?tabs=bash#set-up-zone-redundancy-in-your-container-apps-environment) +76 | High Availability | High | Container Apps Environment should have a SLA | [Learn](https://azure.microsoft.com/en-us/support/legal/sla/container-apps/v1_0/) +77 | Security | High | Container Apps Environment should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/vnet-custom-internal?tabs=bash&pivots=azure-portal) +78 | Governance | Low | Container Apps Environment Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +79 | Governance | Low | Container Apps Environment should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +80 | High Availability | High | ContainerApp should have a SLA | 
[Learn](https://azure.microsoft.com/en-us/support/legal/sla/container-apps/v1_0/)
+81 | Governance | Low | ContainerApp Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+82 | Governance | Low | ContainerApp should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+83 | Security | Low | ContainerApp should not allow insecure ingress traffic | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/ingress-how-to?pivots=azure-cli)
+84 | Security | Low | ContainerApp should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet)
+85 | High Availability | Low | ContainerApp should use Azure Files to persist container data | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/storage-mounts?pivots=azure-cli)
+86 | High Availability | Low | ContainerApp should avoid using session affinity | [Learn](https://learn.microsoft.com/en-us/azure/container-apps/sticky-sessions?pivots=azure-portal)
+87 | High Availability | High | ContainerInstance should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-instances/availability-zones)
+88 | High Availability | High | ContainerInstance should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/container-instances/v1_0/index.html)
+89 | Security | High | ContainerInstance should use private IP addresses | [Learn]()
+90 | High Availability | High | ContainerInstance SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/container-instances/)
+91 | Governance | Low | ContainerInstance Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+92 | Governance | Low | ContainerInstance should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+93 | Monitoring and Alerting | Low | Cognitive Service Account should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs#collection-and-routing)
+94 | High Availability | High | Cognitive Service Account should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
+95 | Security | High | Cognitive Service Account should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/cognitive-services/cognitive-services-virtual-networks)
+96 | High Availability | High | Cognitive Service Account SKU | [Learn](https://learn.microsoft.com/en-us/azure/templates/microsoft.cognitiveservices/accounts?pivots=deployment-language-bicep#sku)
+97 | Governance | Low | Cognitive Service Account Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+98 | Governance | Low | Cognitive Service Account should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
 99 | Security | Medium | Cognitive Service Account should have local authentication disabled | [Learn](https://learn.microsoft.com/en-us/azure/ai-services/policy-reference#azure-ai-services)
-100 | Monitoring and Alerting | Low | CosmosDB should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/monitor-resource-logs)
-101 | High Availability | High | CosmosDB should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/high-availability)
-102 | High Availability | High | CosmosDB should have a SLA | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/high-availability#slas)
-103 | Security | High | CosmosDB should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints)
-104 | High Availability | High | CosmosDB SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/cosmos-db/autoscale-provisioned/)
-105 | Governance | Low | CosmosDB Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-106 | Governance | Low | CosmosDB should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-107 | Security | High | CosmosDB should have local authentication disabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#disable-local-auth)
-108 | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control#set-via-arm-template)
-109 | Monitoring and Alerting | Low | ContainerRegistry should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/monitor-service)
-110 | High Availability | High | ContainerRegistry should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/zone-redundancy)
-111 | High Availability | High | ContainerRegistry should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/container-registry/)
-112 | Security | High | ContainerRegistry should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link)
-113 | High Availability | High | ContainerRegistry SKU | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-skus)
-114 | Governance | Low | ContainerRegistry Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+100 | Monitoring and Alerting | Low | CosmosDB should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/monitor-resource-logs)
+101 | High Availability | High | CosmosDB should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/high-availability)
+102 | High Availability | High | CosmosDB should have a SLA | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/high-availability#slas)
+103 | Security | High | CosmosDB should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints)
+104 | High Availability | High | CosmosDB SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/cosmos-db/autoscale-provisioned/)
+105 | Governance | Low | CosmosDB Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+106 | Governance | Low | CosmosDB should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+107 | Security | High | CosmosDB should have local authentication disabled | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#disable-local-auth)
+108 | Security | High | CosmosDB: disable write operations on metadata resources (databases, containers, throughput) via account keys | [Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control#set-via-arm-template)
+109 | Monitoring and Alerting | Low | ContainerRegistry should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/monitor-service)
+110 | High Availability | High | ContainerRegistry should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/zone-redundancy)
+111 | High Availability | High | ContainerRegistry should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/container-registry/)
+112 | Security | High | ContainerRegistry should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link)
+113 | High Availability | High | ContainerRegistry SKU | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-skus)
+114 | Governance | Low | ContainerRegistry Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 115 | Security | Medium | ContainerRegistry should have anonymous pull access disabled | [Learn](https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access)
 116 | Security | Medium | ContainerRegistry should have the Administrator account disabled | [Learn](https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity)
-117 | Governance | Low | ContainerRegistry should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+117 | Governance | Low | ContainerRegistry should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
 118 | Governance | Medium | ContainerRegistry should use retention policies | [Learn](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-retention-policy)
-119 | Monitoring and Alerting | Low | Azure Data Explorer should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/using-diagnostic-logs)
-120 | High Availability | High | Azure Data Explorer SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services)
-121 | High Availability | High | Azure Data Explorer Production Cluster should not use Dev SKU | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/manage-cluster-choose-sku)
-122 | Governance | Low | Azure Data Explorer Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-123 | Governance | Low | Azure Data Explorer should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-124 | Security | High | Azure Data Explorer should use Disk Encryption | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/cluster-encryption-overview)
-125 | Security | Low | Azure Data Explorer should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/configure-managed-identities-cluster?tabs=portal)
-126 | Monitoring and Alerting | Low | Event Grid Domain should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-grid/diagnostic-logs)
-127 | High Availability | High | Event Grid Domain should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/event-grid/)
-128 | Security | High | Event Grid Domain should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-grid/configure-private-endpoints)
-129 | High Availability | High | Event Grid Domain SKU | [Learn](https://azure.microsoft.com/en-gb/pricing/details/event-grid/)
-130 | Governance | Low | Event Grid Domain Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-131 | Governance | Low | Event Grid Domain should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+119 | Monitoring and Alerting | Low | Azure Data Explorer should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/using-diagnostic-logs)
+120 | High Availability | High | Azure Data Explorer SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services)
+121 | High Availability | High | Azure Data Explorer Production Cluster should not use Dev SKU | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/manage-cluster-choose-sku)
+122 | Governance | Low | Azure Data Explorer Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+123 | Governance | Low | Azure Data Explorer should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+124 | Security | High | Azure Data Explorer should use Disk Encryption | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/cluster-encryption-overview)
+125 | Security | Low | Azure Data Explorer should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/data-explorer/configure-managed-identities-cluster?tabs=portal)
+126 | Monitoring and Alerting | Low | Event Grid Domain should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-grid/diagnostic-logs)
+127 | High Availability | High | Event Grid Domain should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/event-grid/)
+128 | Security | High | Event Grid Domain should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-grid/configure-private-endpoints)
+129 | High Availability | High | Event Grid Domain SKU | [Learn](https://azure.microsoft.com/en-gb/pricing/details/event-grid/)
+130 | Governance | Low | Event Grid Domain Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+131 | Governance | Low | Event Grid Domain should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
 132 | Security | Medium | Event Grid Domain should have local authentication disabled | [Learn](https://learn.microsoft.com/en-us/azure/event-grid/authenticate-with-access-keys-shared-access-signatures)
-133 | Monitoring and Alerting | Low | Event Hub Namespace should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs#collection-and-routing)
-134 | High Availability | High | Event Hub Namespace should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones)
-135 | High Availability | High | Event Hub Namespace should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/event-hubs/)
-136 | Security | High | Event Hub Namespace should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/network-security)
-137 | High Availability | High | Event Hub Namespace SKU | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/compare-tiers)
-138 | Governance | Low | Event Hub Namespace Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-139 | Governance | Low | Event Hub should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+133 | Monitoring and Alerting | Low | Event Hub Namespace should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/monitor-event-hubs#collection-and-routing)
+134 | High Availability | High | Event Hub Namespace should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones)
+135 | High Availability | High | Event Hub Namespace should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/event-hubs/)
+136 | Security | High | Event Hub Namespace should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/network-security)
+137 | High Availability | High | Event Hub Namespace SKU | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/compare-tiers)
+138 | Governance | Low | Event Hub Namespace Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+139 | Governance | Low | Event Hub should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
 140 | Security | Medium | Event Hub should have local authentication disabled | [Learn](https://learn.microsoft.com/en-us/azure/event-hubs/authorize-access-event-hubs#shared-access-signatures)
-141 | Monitoring and Alerting | Low | Key Vault should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault)
-142 | High Availability | High | Key Vault should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/key-vault/)
-143 | Security | High | Key Vault should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service)
-144 | High Availability | High | Key Vault SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/key-vault/)
-145 | Governance | Low | Key Vault Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-146 | Governance | Low | Key Vault should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+141 | Monitoring and Alerting | Low | Key Vault should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/key-vault/general/monitor-key-vault)
+142 | High Availability | High | Key Vault should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/key-vault/)
+143 | Security | High | Key Vault should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service)
+144 | High Availability | High | Key Vault SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/key-vault/)
+145 | Governance | Low | Key Vault Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+146 | Governance | Low | Key Vault should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
 147 | Disaster Recovery | Medium | Key Vault should have soft delete enabled | [Learn](https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview)
 148 | Disaster Recovery | Medium | Key Vault should have purge protection enabled | [Learn](https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection)
-149 | Monitoring and Alerting | Low | Load Balancer should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/monitor-load-balancer#creating-a-diagnostic-setting)
-150 | High Availability | High | Load Balancer should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-availability-zones#zone-redundant)
-151 | High Availability | High | Load Balancer should have a SLA | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/skus)
-152 | High Availability | High | Load Balancer SKU | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/skus)
-153 | Governance | Low | Load Balancer Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-154 | Governance | Low | Load Balancer should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-155 | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data)
-156 | High Availability | High | Logic App should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
-157 | Security | High | Logic App should limit access to Http Triggers | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal#restrict-access-by-ip-address-range)
-158 | Governance | Low | Logic App Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-159 | Governance | Low | Logic App should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-160 | Monitoring and Alerting | Low | MariaDB should have diagnostic settings enabled | [Learn]()
-161 | Security | High | MariaDB should have private endpoints enabled | [Learn]()
-162 | Governance | Low | MariaDB server Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-163 | High Availability | High | MariaDB server should have a SLA | [Learn]()
-164 | Governance | Low | MariaDB should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-165 | Security | Low | MariaDB should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/mariadb/howto-tls-configurations)
-166 | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-query-performance-insights#set-up-diagnostics)
-167 | High Availability | High | Azure Database for MySQL - Flexible Server should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-configure-high-availability-cli)
-168 | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | [Learn](hhttps://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
-169 | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-manage-virtual-network-cli)
-170 | High Availability | High | Azure Database for MySQL - Flexible Server SKU | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-service-tiers-storage)
-171 | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-172 | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-173 | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-monitoring#server-logs)
-174 | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/mysql/)
-175 | Security | High | Azure Database for MySQL - Flexible Server should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-data-access-security-private-link)
-176 | High Availability | High | Azure Database for MySQL - Flexible Server SKU | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-pricing-tiers)
-177 | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-178 | High Availability | High | Azure Database for MySQL - Single Server is on the retirement path | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/whats-happening-to-mysql-single-server)
-179 | Governance | Low | Azure Database for MySQL - Single Server should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-180 | Monitoring and Alerting | Low | App Service should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#send-logs-to-azure-monitor)
-181 | Security | High | App Service should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint)
-182 | Governance | Low | App Service Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-183 | Security | High | App Service should use HTTPS only | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
-184 | Governance | Low | App Service should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+149 | Monitoring and Alerting | Low | Load Balancer should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/monitor-load-balancer#creating-a-diagnostic-setting)
+150 | High Availability | High | Load Balancer should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-availability-zones#zone-redundant)
+151 | High Availability | High | Load Balancer should have a SLA | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/skus)
+152 | High Availability | High | Load Balancer SKU | [Learn](https://learn.microsoft.com/en-us/azure/load-balancer/skus)
+153 | Governance | Low | Load Balancer Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+154 | Governance | Low | Load Balancer should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+155 | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data)
+156 | High Availability | High | Logic App should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
+157 | Security | High | Logic App should limit access to Http Triggers | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app?tabs=azure-portal#restrict-access-by-ip-address-range)
+158 | Governance | Low | Logic App Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+159 | Governance | Low | Logic App should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+160 | Monitoring and Alerting | Low | MariaDB should have diagnostic settings enabled | [Learn]()
+161 | Security | High | MariaDB should have private endpoints enabled | [Learn]()
+162 | Governance | Low | MariaDB server Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+163 | High Availability | High | MariaDB server should have a SLA | [Learn]()
+164 | Governance | Low | MariaDB should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+165 | Security | Low | MariaDB should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/mariadb/howto-tls-configurations)
+166 | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-query-performance-insights#set-up-diagnostics)
+167 | High Availability | High | Azure Database for MySQL - Flexible Server should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-configure-high-availability-cli)
+168 | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | [Learn](hhttps://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
+169 | Security | High | Azure Database for MySQL - Flexible Server should have private access enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-manage-virtual-network-cli)
+170 | High Availability | High | Azure Database for MySQL - Flexible Server SKU | [Learn](https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-service-tiers-storage)
+171 | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+172 | Governance | Low | Azure Database for MySQL - Flexible Server should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+173 | Monitoring and Alerting | Low | Azure Database for MySQL - Flexible Server should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-monitoring#server-logs)
+174 | High Availability | High | Azure Database for MySQL - Flexible Server should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/mysql/)
+175 | Security | High | Azure Database for MySQL - Flexible Server should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-data-access-security-private-link)
+176 | High Availability | High | Azure Database for MySQL - Flexible Server SKU | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/concepts-pricing-tiers)
+177 | Governance | Low | Azure Database for MySQL - Flexible Server Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+178 | High Availability | High | Azure Database for MySQL - Single Server is on the retirement path | [Learn](https://learn.microsoft.com/en-us/azure/mysql/single-server/whats-happening-to-mysql-single-server)
+179 | Governance | Low | Azure Database for MySQL - Single Server should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+180 | Monitoring and Alerting | Low | App Service should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#send-logs-to-azure-monitor)
+181 | Security | High | App Service should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint)
+182 | Governance | Low | App Service Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+183 | Security | High | App Service should use HTTPS only | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
+184 | Governance | Low | App Service should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
 185 | Security | Medium | App Service should use VNET integration | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration)
 186 | Security | Medium | App Service should have VNET Route all enabled for VNET integration | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration)
-187 | Security | High | App Service should use TLS 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-tls)
-188 | Security | High | App Service remote debugging should be disabled | [Learn](https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=vs-2022#enable-remote-debugging)
-189 | Security | High | App Service should not allow insecure FTP | [Learn](https://learn.microsoft.com/en-us/azure/app-service/deploy-ftp?tabs=portal)
-190 | Scalability | High | App Service should have Always On enabled | [Learn](https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal)
+187 | Security | High | App Service should use TLS 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-tls)
+188 | Security | High | App Service remote debugging should be disabled | [Learn](https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=vs-2022#enable-remote-debugging)
+189 | Security | High | App Service should not allow insecure FTP | [Learn](https://learn.microsoft.com/en-us/azure/app-service/deploy-ftp?tabs=portal)
+190 | Scalability | High | App Service should have Always On enabled | [Learn](https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal)
 191 | High Availability | Medium | App Service should avoid using Client Affinity | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-app-service/reliability#checklist)
 192 | Security | Medium | App Service should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp)
-193 | Monitoring and Alerting | Low | Plan should have diagnostic settings enabled | [Learn]()
-194 | High Availability | High | Plan should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service)
-195 | High Availability | High | Plan should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/app-service/)
-196 | High Availability | High | Plan SKU | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
-197 | Governance | Low | Plan Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-198 | Governance | Low | Plan should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-199 | Monitoring and Alerting | Low | Function should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-monitor-log-analytics?tabs=csharp)
-200 | Security | High | Function should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet)
-201 | Governance | Low | Function Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-202 | Security | High | Function should use HTTPS only | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
-203 | Governance | Low | Function should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+193 | Monitoring and Alerting | Low | Plan should have diagnostic settings enabled | [Learn]()
+194 | High Availability | High | Plan should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service)
+195 | High Availability | High | Plan should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/app-service/)
+196 | High Availability | High | Plan SKU | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)
+197 | Governance | Low | Plan Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+198 | Governance | Low | Plan should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+199 | Monitoring and Alerting | Low | Function should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-monitor-log-analytics?tabs=csharp)
+200 | Security | High | Function should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet)
+201 | Governance | Low | Function Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+202 | Security | High | Function should use HTTPS only | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
+203 | Governance | Low | Function should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
 204 | Security | Medium | Function should use VNET integration | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration)
 205 | Security | Medium | Function should have VNET Route all enabled for VNET integration | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration)
 206 | Security | Medium | Function should use TLS 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-tls)
 207 | Security | Medium | Function remote debugging should be disabled | [Learn](https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=vs-2022#enable-remote-debugging)
 208 | High Availability | Medium | Function should avoid using Client Affinity | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-app-service/reliability#checklist)
 209 | Security | Medium | Function should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp)
-210 | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | 
[Learn](https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data) -211 | Security | High | Logic App should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint) -212 | Governance | Low | Logic App Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -213 | Security | High | Logic App should use HTTPS only | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https) -214 | Governance | Low | Logic App should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +210 | Monitoring and Alerting | Low | Logic App should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/monitor-workflows-collect-diagnostic-data) +211 | Security | High | Logic App should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint) +212 | Governance | Low | Logic App Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +213 | Security | High | Logic App should use HTTPS only | [Learn](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https) +214 | Governance | Low | Logic App should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) 215 | Security | Medium | Logic App should use VNET integration | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration) 216 | Security | Medium | Logic App should have VNET Route all enabled for VNET integration | 
[Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration) 217 | Security | Medium | Logic App should use TLS 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-tls) 218 | Security | Medium | Logic App remote debugging should be disabled | [Learn](https://learn.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure-app-service?view=vs-2022#enable-remote-debugging) 219 | High Availability | Medium | Logic App should avoid using Client Affinity | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-app-service/reliability#checklist) 220 | Security | Medium | Logic App should use Managed Identities | [Learn](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp) -221 | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-and-access-logs) -222 | High Availability | High | PostgreSQL should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview#architecture-and-high-availability) -223 | High Availability | High | PostgreSQL should have a SLA | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-compare-single-server-flexible-server) -224 | Security | High | PostgreSQL should have private access enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration) -225 | High Availability | High | PostgreSQL SKU | [Learn](https://azure.microsoft.com/en-gb/pricing/details/postgresql/flexible-server/) -226 | Governance | Low | PostgreSQL Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -227 | Governance | Low | PostgreSQL should have tags 
| [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -228 | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#resource-logs) -229 | High Availability | High | PostgreSQL should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/postgresql/) -230 | Security | High | PostgreSQL should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-access-and-security-private-link) -231 | High Availability | High | PostgreSQL SKU | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-pricing-tiers) -232 | Governance | Low | PostgreSQL Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -233 | Governance | Low | PostgreSQL should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -234 | Security | High | PostgreSQL should enforce SSL | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-ssl-connection-security#enforcing-tls-connections) -235 | Security | Low | PostgreSQL should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations) -236 | Monitoring and Alerting | Low | Redis should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings) -237 | High Availability | High | Redis should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability) -238 | High Availability | High | Redis should have a SLA | 
[Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) -239 | Security | High | Redis should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-private-link) -240 | High Availability | High | Redis SKU | [Learn](https://azure.microsoft.com/en-gb/pricing/details/cache/) -241 | Governance | Low | Redis Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -242 | Governance | Low | Redis should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -243 | Security | High | Redis should not enable non SSL ports | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#access-ports) -244 | Security | Low | Redis should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-remove-tls-10-11) -245 | Monitoring and Alerting | Low | Service Bus should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus#collection-and-routing) -246 | High Availability | High | Service Bus should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones) -247 | High Availability | High | Service Bus should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/service-bus/) -248 | Security | High | Service Bus should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/network-security) -249 | High Availability | High | Service Bus SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/service-bus/) -250 | Governance | Low | Service Bus Name should comply with naming conventions | 
[Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -251 | Governance | Low | Service Bus should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +221 | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/howto-configure-and-access-logs) +222 | High Availability | High | PostgreSQL should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview#architecture-and-high-availability) +223 | High Availability | High | PostgreSQL should have a SLA | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-compare-single-server-flexible-server) +224 | Security | High | PostgreSQL should have private access enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration) +225 | High Availability | High | PostgreSQL SKU | [Learn](https://azure.microsoft.com/en-gb/pricing/details/postgresql/flexible-server/) +226 | Governance | Low | PostgreSQL Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +227 | Governance | Low | PostgreSQL should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +228 | Monitoring and Alerting | Low | PostgreSQL should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#resource-logs) +229 | High Availability | High | PostgreSQL should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/postgresql/) +230 | Security | High | PostgreSQL should have private endpoints enabled | 
[Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-access-and-security-private-link) +231 | High Availability | High | PostgreSQL SKU | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-pricing-tiers) +232 | Governance | Low | PostgreSQL Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +233 | Governance | Low | PostgreSQL should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +234 | Security | High | PostgreSQL should enforce SSL | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-ssl-connection-security#enforcing-tls-connections) +235 | Security | Low | PostgreSQL should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations) +236 | Monitoring and Alerting | Low | Redis should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-monitor-diagnostic-settings) +237 | High Availability | High | Redis should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability) +238 | High Availability | High | Redis should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1) +239 | Security | High | Redis should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-private-link) +240 | High Availability | High | Redis SKU | [Learn](https://azure.microsoft.com/en-gb/pricing/details/cache/) +241 | Governance | Low | Redis Name should comply with naming conventions | 
[Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +242 | Governance | Low | Redis should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +243 | Security | High | Redis should not enable non SSL ports | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#access-ports) +244 | Security | Low | Redis should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-remove-tls-10-11) +245 | Monitoring and Alerting | Low | Service Bus should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus#collection-and-routing) +246 | High Availability | High | Service Bus should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones) +247 | High Availability | High | Service Bus should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/service-bus/) +248 | Security | High | Service Bus should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/network-security) +249 | High Availability | High | Service Bus SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/service-bus/) +250 | Governance | Low | Service Bus Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +251 | Governance | Low | Service Bus should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) 252 | Security | Medium | Service Bus should have local authentication disabled | [Learn](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas) -253 | Monitoring and Alerting 
| Low | SignalR should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-diagnostic-logs) -254 | High Availability | High | SignalR should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/availability-zones) -255 | High Availability | High | SignalR should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/signalr-service/) -256 | Security | High | SignalR should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/howto-private-endpoints) -257 | High Availability | High | SignalR SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/signalr-service/) -258 | Governance | Low | SignalR Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -259 | Governance | Low | SignalR should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -260 | Monitoring and Alerting | Low | SQL should have diagnostic settings enabled | [Learn]() -261 | Security | High | SQL should have private endpoints enabled | [Learn]() -262 | Governance | Low | SQL Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -263 | Governance | Low | SQL should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -264 | Security | Low | SQL should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version) -265 | Monitoring and Alerting | Low | SQL Database should have diagnostic settings enabled | [Learn]() -266 | High Availability | High | SQL Database should have availability zones 
enabled | [Learn]() -267 | High Availability | High | SQL Database should have a SLA | [Learn]() -268 | High Availability | High | SQL Database SKU | [Learn](https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tiers-vcore?tabs=azure-portal) -269 | Governance | Low | SQL Database Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -270 | Governance | Low | SQL Database should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -271 | Monitoring and Alerting | Low | Traffic Manager should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-diagnostic-logs) -272 | High Availability | High | Traffic Manager should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/architecture/high-availability/reference-architecture-traffic-manager-application-gateway) -273 | High Availability | High | Traffic Manager should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/traffic-manager/) -274 | Governance | Low | Traffic Manager Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -275 | Governance | Low | Traffic Manager should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -276 | High Availability | High | Traffic Manager should use at least 2 endpoints | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types) -277 | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring) -278 | Monitoring and Alerting | Low | Storage should have diagnostic 
settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage) -279 | High Availability | High | Storage should have availability zones enabled | [Learn](https://learn.microsoft.com/EN-US/azure/reliability/migrate-storage) -280 | High Availability | High | Storage should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/storage/) -281 | Security | High | Storage should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints) -282 | High Availability | High | Storage SKU | [Learn](https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types) -283 | Governance | Low | Storage Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -284 | Security | High | Storage Account should use HTTPS only | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer) -285 | Governance | Low | Storage Account should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) -286 | Security | Low | Storage Account should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal) -287 | Disaster Recovery | Low | Storage Account should have inmutable storage versioning enabled | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/storage-accounts/reliability) +253 | Monitoring and Alerting | Low | SignalR should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/signalr-howto-diagnostic-logs) +254 | High Availability | High | SignalR should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/availability-zones) +255 | High Availability | High | SignalR 
should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/signalr-service/) +256 | Security | High | SignalR should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-signalr/howto-private-endpoints) +257 | High Availability | High | SignalR SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/signalr-service/) +258 | Governance | Low | SignalR Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +259 | Governance | Low | SignalR should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +260 | Monitoring and Alerting | Low | SQL should have diagnostic settings enabled | [Learn]() +261 | Security | High | SQL should have private endpoints enabled | [Learn]() +262 | Governance | Low | SQL Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +263 | Governance | Low | SQL should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +264 | Security | Low | SQL should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version) +265 | Monitoring and Alerting | Low | SQL Database should have diagnostic settings enabled | [Learn]() +266 | High Availability | High | SQL Database should have availability zones enabled | [Learn]() +267 | High Availability | High | SQL Database should have a SLA | [Learn]() +268 | High Availability | High | SQL Database SKU | [Learn](https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tiers-vcore?tabs=azure-portal) +269 | Governance | Low | SQL Database Name should comply with naming conventions | 
[Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +270 | Governance | Low | SQL Database should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +271 | Monitoring and Alerting | Low | Traffic Manager should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-diagnostic-logs) +272 | High Availability | High | Traffic Manager should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/architecture/high-availability/reference-architecture-traffic-manager-application-gateway) +273 | High Availability | High | Traffic Manager should have a SLA | [Learn](https://www.azure.cn/en-us/support/sla/traffic-manager/) +274 | Governance | Low | Traffic Manager Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +275 | Governance | Low | Traffic Manager should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +276 | High Availability | High | Traffic Manager should use at least 2 endpoints | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types) +277 | Security | High | Traffic Manager: HTTP endpoints should be monitored using HTTPS | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring) +278 | Monitoring and Alerting | Low | Storage should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage) +279 | High Availability | High | Storage should have availability zones enabled | [Learn](https://learn.microsoft.com/EN-US/azure/reliability/migrate-storage) +280 | High Availability | High | Storage should have a SLA | 
[Learn](https://www.azure.cn/en-us/support/sla/storage/) +281 | Security | High | Storage should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints) +282 | High Availability | High | Storage SKU | [Learn](https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types) +283 | Governance | Low | Storage Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +284 | Security | High | Storage Account should use HTTPS only | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer) +285 | Governance | Low | Storage Account should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json) +286 | Security | Low | Storage Account should enforce TLS >= 1.2 | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal) +287 | Disaster Recovery | Low | Storage Account should have inmutable storage versioning enabled | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/storage-accounts/reliability) 288 | Disaster Recovery | Medium | Storage Account should have soft delete enabled | [Learn](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/storage-accounts/reliability) -289 | Monitoring and Alerting | Low | Virtual Machine should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-windows-install) -290 | High Availability | High | Virtual Machine should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/virtual-machines/availability#availability-zones) -291 | High Availability | High | Virtual Machine should have a SLA | 
[Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
-292 | Governance | Low | Virtual Machine Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-293 | Governance | Low | Virtual Machine should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-294 | High Availability | High | Virtual Machine should use managed disks | [Learn](https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#virtual-machines)
-295 | Scalability | Low | Virtual Machine should host application or database data on a data disk | [Learn](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk)
-296 | Monitoring and Alerting | Low | Virtual Network should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/monitor-virtual-network#collection-and-routing)
-297 | High Availability | High | Virtual Network should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zones)
-298 | Governance | Low | Virtual Network Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-299 | Governance | Low | Virtual Network should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-300 | Security | High | Virtual Network: All Subnets should have a Network Security Group associated | [Learn](https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices)
-301 | High Availability | High | Virtual Network should have at least two DNS servers assigned | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat#specify-dns-servers)
-302 | Monitoring and Alerting | Low | Web Pub Sub should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-troubleshoot-resource-logs)
-303 | High Availability | High | Web Pub Sub should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/concept-availability-zones)
-304 | High Availability | High | Web Pub Sub should have a SLA | [Learn](https://azure.microsoft.com/en-gb/support/legal/sla/web-pubsub/)
-305 | Security | High | Web Pub Sub should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-secure-private-endpoints)
-306 | High Availability | High | Web Pub Sub SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/web-pubsub/)
-307 | Governance | Low | Web Pub Sub Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-308 | Governance | Low | Web Pub Sub should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+289 | Monitoring and Alerting | Low | Virtual Machine should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-windows-install)
+290 | High Availability | High | Virtual Machine should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/virtual-machines/availability#availability-zones)
+291 | High Availability | High | Virtual Machine should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
+292 | Governance | Low | Virtual Machine Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+293 | Governance | Low | Virtual Machine should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+294 | High Availability | High | Virtual Machine should use managed disks | [Learn](https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#virtual-machines)
+295 | Scalability | Low | Virtual Machine should host application or database data on a data disk | [Learn](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk)
+296 | Monitoring and Alerting | Low | Virtual Network should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/monitor-virtual-network#collection-and-routing)
+297 | High Availability | High | Virtual Network should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zones)
+298 | Governance | Low | Virtual Network Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+299 | Governance | Low | Virtual Network should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+300 | Security | High | Virtual Network: All Subnets should have a Network Security Group associated | [Learn](https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices)
+301 | High Availability | High | Virtual Network should have at least two DNS servers assigned | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat#specify-dns-servers)
+302 | Monitoring and Alerting | Low | Web Pub Sub should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-troubleshoot-resource-logs)
+303 | High Availability | High | Web Pub Sub should have availability zones enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/concept-availability-zones)
+304 | High Availability | High | Web Pub Sub should have a SLA | [Learn](https://azure.microsoft.com/en-gb/support/legal/sla/web-pubsub/)
+305 | Security | High | Web Pub Sub should have private endpoints enabled | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-secure-private-endpoints)
+306 | High Availability | High | Web Pub Sub SKU | [Learn](https://azure.microsoft.com/en-us/pricing/details/web-pubsub/)
+307 | Governance | Low | Web Pub Sub Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+308 | Governance | Low | Web Pub Sub should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+309 | Monitoring and Alerting | Low | VPN Gateway should have diagnostic settings enabled | [Learn](https://learn.microsoft.com/en-us/azure/vpn-gateway/monitor-vpn-gateway)
+310 | Governance | Low | VPN Gateway Name should comply with naming conventions | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+311 | High Availability | Low | VPN Gateway should have tags | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+312 | High Availability | High | VPN Gateway should have a SLA | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services)
+
diff --git a/internal/scan.go b/internal/scan.go
index 941beefb..f0d2bce2 100644
--- a/internal/scan.go
+++ b/internal/scan.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/Azure/azqr/internal/scanners/vpng"
 	"sync"
 	"time"
@@ -475,6 +476,7 @@ func GetScanners() []scanners.IAzureScanner {
 		&st.StorageScanner{},
 		&vm.VirtualMachineScanner{},
 		&vnet.VirtualNetworkScanner{},
+		&vpng.VPNGatewayScanner{},
 		&wps.WebPubSubScanner{},
 	}
 }
diff --git a/internal/scanners/vpng/rules.go b/internal/scanners/vpng/rules.go
new file mode 100644
index 00000000..b8e2b8f6
--- /dev/null
+++ b/internal/scanners/vpng/rules.go
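Review bot: The new import in the first hunk lands between `"fmt"` and `"sync"`, inside the standard-library group, while the sibling scanner packages referenced in GetScanners (`vm`, `vnet`, `wps`) are imported outside this hunk, presumably in a separate project group; goimports or gci will move the line on the next save and the reorder will then show up as noise in an unrelated change. Move `"github.com/Azure/azqr/internal/scanners/vpng"` next to the other `internal/scanners/...` imports. Both the import block and GetScanners continue outside the hunks shown.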
@@ -0,0 +1,63 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package vpng
+
+import (
+	"strings"
+
+	"github.com/Azure/azqr/internal/scanners"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
+)
+
+// GetRules - Returns the rules for the VPNGatewayScanner
+func (a *VPNGatewayScanner) GetRules() map[string]scanners.AzureRule {
+	return map[string]scanners.AzureRule{
+		"vpng-001": {
+			Id: "vpng-001",
+			Category: scanners.RulesCategoryMonitoringAndAlerting,
+			Recommendation: "VPN Gateway should have diagnostic settings enabled",
+			Impact: scanners.ImpactLow,
+			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+				service := target.(*armnetwork.VPNGateway)
+				_, ok := scanContext.DiagnosticsSettings[strings.ToLower(*service.ID)]
+				return !ok, ""
+			},
+			Url: "https://learn.microsoft.com/en-us/azure/vpn-gateway/monitor-vpn-gateway",
+		},
+		"vpng-002": {
+			Id: "vpng-002",
+			Category: scanners.RulesCategoryGovernance,
+			Recommendation: "VPN Gateway Name should comply with naming conventions",
+			Impact: scanners.ImpactLow,
+			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+				c := target.(*armnetwork.VPNGateway)
+				caf := strings.HasPrefix(*c.Name, "vpng")
+				return !caf, ""
+			},
+			Url: "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+		},
+		"vpng-003": {
+			Id: "vpng-003",
+			Category: scanners.RulesCategoryGovernance,
+			Recommendation: "VPN Gateway should have tags",
+			Impact: scanners.ImpactLow,
+			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+				c := target.(*armnetwork.VPNGateway)
+				return len(c.Tags) == 0, ""
+			},
+			Url: "https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json",
+		},
+		"vpng-004": {
+			Id: "vpng-004",
+			Category: scanners.RulesCategoryHighAvailability,
+			Recommendation: "VPN Gateway should have a SLA",
+			Impact: scanners.ImpactHigh,
+			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
+				return false, "99.9%"
+				//TODO: Filter SKU based on tier (BASIC / Or others)
+			},
+			Url: "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services",
+		},
+	}
+}
diff --git a/internal/scanners/vpng/rules_test.go b/internal/scanners/vpng/rules_test.go
new file mode 100644
index 00000000..586ace69
--- /dev/null
+++ b/internal/scanners/vpng/rules_test.go
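Review bot: vpng-004's Eval returns the constant `false, "99.9%"` for every gateway, so the rule can never produce a finding and the `//TODO` sitting after the `return` records the gap without guarding it; an unconditional pass is worse than no rule, because the report presents it as a verified 99.9% SLA with High impact. Until the tier lookup exists the string should at least be marked as not derived from the resource, e.g. `return false, "99.9%" // TODO(review): constant placeholder, not read from the gateway's SKU/scale unit`, or the rule left out of the map. Note also that `armnetwork.VPNGateway` is the Virtual WAN `vpnGateways` resource type, which as far as I recall carries a scale unit rather than the `Sku.Tier` (Basic/others) the TODO refers to on classic `virtualNetworkGateways`, so it is worth confirming which resource this scanner is meant to cover. Separately, the Recommendations table added by this commit lists vpng-003 ("should have tags") under High Availability while the rule here uses `scanners.RulesCategoryGovernance`; one of the two should change.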
@@ -0,0 +1,89 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package vpng
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/Azure/azqr/internal/scanners"
+	"github.com/Azure/azqr/internal/to"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
+)
+
+func TestVPNGatewayScanner_Rules(t *testing.T) {
+	type fields struct {
+		rule string
+		target interface{}
+		scanContext *scanners.ScanContext
+	}
+	type want struct {
+		broken bool
+		result string
+	}
+	tests := []struct {
+		name string
+		fields fields
+		want want
+	}{
+		{
+			name: "VPNGatewayScanner DiagnosticSettings",
+			fields: fields{
+				rule: "vpng-001",
+				target: &armnetwork.VPNGateway{
+					ID: to.Ptr("test"),
+				},
+				scanContext: &scanners.ScanContext{
+					DiagnosticsSettings: map[string]bool{
+						"test": true,
+					},
+				},
+			},
+			want: want{
+				broken: false,
+				result: "",
+			},
+		},
+		{
+			name: "VPNGatewayScanner CAF",
+			fields: fields{
+				rule: "vpng-002",
+				target: &armnetwork.VPNGateway{
+					Name: to.Ptr("vpng-test"),
+				},
+				scanContext: &scanners.ScanContext{},
+			},
+			want: want{
+				broken: false,
+				result: "",
+			},
+		},
+		{
+			name: "VPNGatewayScanner SLA 99.9%",
+			fields: fields{
+				rule: "vpng-004",
+				target: &armnetwork.VPNGateway{},
+				scanContext: &scanners.ScanContext{},
+			},
+			want: want{
+				broken: false,
+				result: "99.9%",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := &VPNGatewayScanner{}
+			rules := s.GetRules()
+			b, w := rules[tt.fields.rule].Eval(tt.fields.target, tt.fields.scanContext)
+			got := want{
+				broken: b,
+				result: w,
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("VPNGatewayScanner Rule.Eval() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/internal/scanners/vpng/vpng.go b/internal/scanners/vpng/vpng.go
new file mode 100644
index 00000000..00f80ec1
--- /dev/null
+++ b/internal/scanners/vpng/vpng.go
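Review bot: None of the three cases in the `tests` table expects `broken: true`, and vpng-003 (tags) has no case at all, so a rule that always returns `false` — which is exactly what vpng-004 does — passes this test unchanged. Each rule needs at least one failing input alongside the passing one: a gateway with no tags for vpng-003, a gateway whose ID is absent from `DiagnosticsSettings` for vpng-001, and a name without the `vpng` prefix for vpng-002. The two cases below slot into the table before the closing `}` and run through the existing loop without other changes.
```go
		// … unchanged: existing DiagnosticSettings, CAF and SLA cases …
		{
			name: "VPNGatewayScanner DiagnosticSettings missing",
			fields: fields{
				rule:        "vpng-001",
				target:      &armnetwork.VPNGateway{ID: to.Ptr("Test")},
				scanContext: &scanners.ScanContext{DiagnosticsSettings: map[string]bool{}},
			},
			want: want{broken: true, result: ""},
		},
		{
			name: "VPNGatewayScanner Tags missing",
			fields: fields{
				rule:        "vpng-003",
				target:      &armnetwork.VPNGateway{},
				scanContext: &scanners.ScanContext{},
			},
			want: want{broken: true, result: ""},
		},
```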
@@ -0,0 +1,64 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package vpng
+
+import (
+	"github.com/Azure/azqr/internal/scanners"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
+)
+
+// VPNGatewayScanner - Scanner for VPN Gateway
+type VPNGatewayScanner struct {
+	config *scanners.ScannerConfig
+	client *armnetwork.VPNGatewaysClient
+}
+
+// Init - Initializes the VPN Gateway
+func (c *VPNGatewayScanner) Init(config *scanners.ScannerConfig) error {
+	c.config = config
+	var err error
+	c.client, err = armnetwork.NewVPNGatewaysClient(config.SubscriptionID, config.Cred, config.ClientOptions)
+	return err
+}
+
+// Scan - Scans all VirtualNetwork in a Resource Group
+func (c *VPNGatewayScanner) Scan(resourceGroupName string, scanContext *scanners.ScanContext) ([]scanners.AzureServiceResult, error) {
+	scanners.LogResourceGroupScan(c.config.SubscriptionID, resourceGroupName, "VPN Gateway")
+
+	vpns, err := c.list(resourceGroupName)
+	if err != nil {
+		return nil, err
+	}
+	engine := scanners.RuleEngine{}
+	rules := c.GetRules()
+	results := []scanners.AzureServiceResult{}
+
+	for _, w := range vpns {
+		rr := engine.EvaluateRules(rules, w, scanContext)
+
+		results = append(results, scanners.AzureServiceResult{
+			SubscriptionID: c.config.SubscriptionID,
+			ResourceGroup: resourceGroupName,
+			ServiceName: *w.Name,
+			Type: *w.Type,
+			Location: *w.Location,
+			Rules: rr,
+		})
+	}
+	return results, nil
+}
+
+func (c *VPNGatewayScanner) list(resourceGroupName string) ([]*armnetwork.VPNGateway, error) {
+	pager := c.client.NewListByResourceGroupPager(resourceGroupName, nil)
+
+	vpns := make([]*armnetwork.VPNGateway, 0)
+	for pager.More() {
+		resp, err := pager.NextPage(c.config.Ctx)
+		if err != nil {
+			return nil, err
+		}
+		vpns = append(vpns, resp.Value...)
+	}
+	return vpns, nil
+}
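Review bot: Scan dereferences `*w.Name`, `*w.Type` and `*w.Location` unchecked when it builds each AzureServiceResult, so a single gateway the API returns without one of those fields panics the whole subscription scan instead of failing one resource; unless the sibling scanners rely on the same assumption deliberately, a guard such as `if w.Name == nil || w.Type == nil || w.Location == nil { continue }` before the append (ideally with a log line naming the skipped ID) keeps the run alive. The doc comments are copy-paste leftovers: `// Scan - Scans all VirtualNetwork in a Resource Group` should read `// Scan - Scans all VPN Gateways in a Resource Group`, and `// Init - Initializes the VPN Gateway` should say it initializes the scanner and creates its `VPNGatewaysClient`. list has no comment; `// list - Pages through every VPN Gateway in the Resource Group` would do.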