From 7af02b57e76ffaa5f21fa100e29a6f524984be5e Mon Sep 17 00:00:00 2001
From: Jose Moreno
Date: Thu, 21 Dec 2023 10:07:46 +0100
Subject: [PATCH] Added ALB zone-redundant frontend
---
 .../network_appdelivery_checklist.en.json | 73 +++++++++++--------
 1 file changed, 42 insertions(+), 31 deletions(-)
diff --git a/checklists/network_appdelivery_checklist.en.json b/checklists/network_appdelivery_checklist.en.json
index 923188fcc..825bb7424 100644
--- a/checklists/network_appdelivery_checklist.en.json
+++ b/checklists/network_appdelivery_checklist.en.json
@@ -47,6 +47,17 @@
 "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
 "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview"
 },
+ {
+ "category": "Network Topology and Connectivity",
+ "subcategory": "App delivery - Load Balancer",
+ "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
+ "waf": "Security",
+ "service": "Load Balancer",
+ "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
+ "id": "A01.05",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones"
+ },
 {
 "category": "Network Topology and Connectivity",
 "subcategory": "App delivery - App Gateway",
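Review bot: The new Load Balancer item files zone-redundant frontends under `"waf": "Security"`, while the parallel App Gateway zone check later in this diff (guid 060c6964-…, the `array_length(zones) > 1` graph query) sits under Reliability; zone redundancy is a resilience control, so `"waf": "Reliability",` keeps the pillar consistent with its sibling. The item also carries no `graph` query, unlike the Standard-SKU check directly above it, so it will presumably surface as a manual-only check; if an automated one is wanted, the `zones` array on each entry of `properties.frontendIPConfigurations` (or on the attached public IP for public frontends) looks like the place to derive it, which needs confirming against the resource schema. Minor wording: `Load Balancers frontend IP addresses` reads better as `Load Balancer frontend IP addresses`. Inserting the item as A01.05 renumbers every following `id` through A01.36 across the remaining hunks; that is fine if `guid` is the stable key consumers rely on, but worth confirming nothing external references items by `id`.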
@@ -54,7 +65,7 @@
 "waf": "Security",
 "service": "App Gateway",
 "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
- "id": "A01.05",
+ "id": "A01.06",
 "severity": "Medium",
 "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
@@ -68,7 +79,7 @@
 "waf": "Security",
 "service": "App Gateway",
 "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
- "id": "A01.06",
+ "id": "A01.07",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
@@ -80,7 +91,7 @@
 "waf": "Security",
 "service": "App Gateway",
 "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "id": "A01.07",
+ "id": "A01.08",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
@@ -92,7 +103,7 @@
 "waf": "Reliability",
 "service": "App Gateway",
 "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
- "id": "A01.08",
+ "id": "A01.09",
 "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
@@ -105,7 +116,7 @@
 "waf": "Reliability",
 "service": "App Gateway",
 "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
- "id": "A01.09",
+ "id": "A01.10",
 "severity": "Medium",
 "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
@@ -118,7 +129,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
- "id": "A01.10",
+ "id": "A01.11",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
@@ -130,7 +141,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "id": "A01.11",
+ "id": "A01.12",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
@@ -142,7 +153,7 @@
 "waf": "Reliability",
 "service": "Traffic Manager",
 "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "id": "A01.12",
+ "id": "A01.13",
 "ammp": true,
 "severity": "High",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
@@ -155,7 +166,7 @@
 "waf": "Security",
 "service": "Entra",
 "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "id": "A01.13",
+ "id": "A01.14",
 "severity": "Low",
 "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works"
@@ -167,7 +178,7 @@
 "waf": "Security",
 "service": "Entra",
 "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
- "id": "A01.14",
+ "id": "A01.15",
 "severity": "Medium",
 "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works"
@@ -179,7 +190,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
- "id": "A01.15",
+ "id": "A01.16",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
@@ -192,7 +203,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
- "id": "A01.16",
+ "id": "A01.17",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door"
@@ -204,7 +215,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
- "id": "A01.17",
+ "id": "A01.18",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin"
@@ -216,7 +227,7 @@
 "waf": "Performance",
 "service": "Front Door",
 "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
- "id": "A01.18",
+ "id": "A01.19",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group"
 },
@@ -227,7 +238,7 @@
 "waf": "Reliability",
 "service": "Front Door",
 "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
- "id": "A01.19",
+ "id": "A01.20",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints"
 },
@@ -238,7 +249,7 @@
 "waf": "Performance",
 "service": "Front Door",
 "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
- "id": "A01.20",
+ "id": "A01.21",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes"
 },
@@ -249,7 +260,7 @@
 "waf": "Reliability",
 "service": "Load Balancer",
 "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "id": "A01.21",
+ "id": "A01.22",
 "ammp": true,
 "severity": "High",
 "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
@@ -262,7 +273,7 @@
 "waf": "Operations",
 "service": "Front Door",
 "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
- "id": "A01.22",
+ "id": "A01.23",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates"
@@ -274,7 +285,7 @@
 "waf": "Operations",
 "service": "Front Door",
 "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
- "id": "A01.23",
+ "id": "A01.24",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code"
 },
@@ -285,7 +296,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
- "id": "A01.24",
+ "id": "A01.25",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls"
@@ -297,7 +308,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
- "id": "A01.25",
+ "id": "A01.26",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection"
 },
@@ -308,7 +319,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
- "id": "A01.26",
+ "id": "A01.27",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf"
@@ -320,7 +331,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
- "id": "A01.27",
+ "id": "A01.28",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf"
@@ -332,7 +343,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
- "id": "A01.28",
+ "id": "A01.29",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-prevention-mode"
@@ -344,7 +355,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
- "id": "A01.29",
+ "id": "A01.30",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets"
@@ -356,7 +367,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
- "id": "A01.30",
+ "id": "A01.31",
 "ammp": true,
 "severity": "High",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules"
@@ -368,7 +379,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "id": "A01.31",
+ "id": "A01.32",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions"
 },
@@ -379,7 +390,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "id": "A01.32",
+ "id": "A01.33",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting"
 },
@@ -390,7 +401,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "id": "A01.33",
+ "id": "A01.34",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits"
 },
@@ -401,7 +412,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "id": "A01.34",
+ "id": "A01.35",
 "severity": "Low",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic"
 },
@@ -412,7 +423,7 @@
 "waf": "Security",
 "service": "Front Door",
 "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "id": "A01.35",
+ "id": "A01.36",
 "severity": "Medium",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location"
 }