Added ALB zone-redundant frontend
erjosito authored Dec 21, 2023
1 parent 703d3cf commit 7af02b5
Showing 1 changed file with 42 additions and 31 deletions.
73 changes: 42 additions & 31 deletions checklists/network_appdelivery_checklist.en.json
Expand Up @@ -47,14 +47,25 @@
"graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Load Balancer",
"text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
"waf": "Security",
"service": "Load Balancer",
"guid": "9432621a-8397-4654-a882-5bc856b7ef83",
"id": "A01.05",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - App Gateway",
"text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
"waf": "Security",
"service": "App Gateway",
"guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
"id": "A01.05",
"id": "A01.06",
"severity": "Medium",
"graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
Expand All @@ -68,7 +79,7 @@
"waf": "Security",
"service": "App Gateway",
"guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
"id": "A01.06",
"id": "A01.07",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
Expand All @@ -80,7 +91,7 @@
"waf": "Security",
"service": "App Gateway",
"guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
"id": "A01.07",
"id": "A01.08",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
Expand All @@ -92,7 +103,7 @@
"waf": "Reliability",
"service": "App Gateway",
"guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
"id": "A01.08",
"id": "A01.09",
"graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
Expand All @@ -105,7 +116,7 @@
"waf": "Reliability",
"service": "App Gateway",
"guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
"id": "A01.09",
"id": "A01.10",
"severity": "Medium",
"graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
Expand All @@ -118,7 +129,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
"id": "A01.10",
"id": "A01.11",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
Expand All @@ -130,7 +141,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "3f29812b-2363-4cef-b179-b599de0d5973",
"id": "A01.11",
"id": "A01.12",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
Expand All @@ -142,7 +153,7 @@
"waf": "Reliability",
"service": "Traffic Manager",
"guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
"id": "A01.12",
"id": "A01.13",
"ammp": true,
"severity": "High",
"training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
Expand All @@ -155,7 +166,7 @@
"waf": "Security",
"service": "Entra",
"guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
"id": "A01.13",
"id": "A01.14",
"severity": "Low",
"training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works"
Expand All @@ -167,7 +178,7 @@
"waf": "Security",
"service": "Entra",
"guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
"id": "A01.14",
"id": "A01.15",
"severity": "Medium",
"training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works"
Expand All @@ -179,7 +190,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "ae248989-b306-4591-9186-de482e3f0f0e",
"id": "A01.15",
"id": "A01.16",
"ammp": true,
"severity": "High",
"graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
Expand All @@ -192,7 +203,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
"id": "A01.16",
"id": "A01.17",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door"
Expand All @@ -204,7 +215,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
"id": "A01.17",
"id": "A01.18",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin"
Expand All @@ -216,7 +227,7 @@
"waf": "Performance",
"service": "Front Door",
"guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
"id": "A01.18",
"id": "A01.19",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group"
},
Expand All @@ -227,7 +238,7 @@
"waf": "Reliability",
"service": "Front Door",
"guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
"id": "A01.19",
"id": "A01.20",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints"
},
Expand All @@ -238,7 +249,7 @@
"waf": "Performance",
"service": "Front Door",
"guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
"id": "A01.20",
"id": "A01.21",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes"
},
Expand All @@ -249,7 +260,7 @@
"waf": "Reliability",
"service": "Load Balancer",
"guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
"id": "A01.21",
"id": "A01.22",
"ammp": true,
"severity": "High",
"graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
Expand All @@ -262,7 +273,7 @@
"waf": "Operations",
"service": "Front Door",
"guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
"id": "A01.22",
"id": "A01.23",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates"
Expand All @@ -274,7 +285,7 @@
"waf": "Operations",
"service": "Front Door",
"guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
"id": "A01.23",
"id": "A01.24",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code"
},
Expand All @@ -285,7 +296,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
"id": "A01.24",
"id": "A01.25",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls"
Expand All @@ -297,7 +308,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
"id": "A01.25",
"id": "A01.26",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection"
},
Expand All @@ -308,7 +319,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
"id": "A01.26",
"id": "A01.27",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf"
Expand All @@ -320,7 +331,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
"id": "A01.27",
"id": "A01.28",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf"
Expand All @@ -332,7 +343,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
"id": "A01.28",
"id": "A01.29",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-prevention-mode"
Expand All @@ -344,7 +355,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
"id": "A01.29",
"id": "A01.30",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets"
Expand All @@ -356,7 +367,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
"id": "A01.30",
"id": "A01.31",
"ammp": true,
"severity": "High",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules"
Expand All @@ -368,7 +379,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
"id": "A01.31",
"id": "A01.32",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions"
},
Expand All @@ -379,7 +390,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "b9620385-1cde-418f-914b-a84a06982ffc",
"id": "A01.32",
"id": "A01.33",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting"
},
Expand All @@ -390,7 +401,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
"id": "A01.33",
"id": "A01.34",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits"
},
Expand All @@ -401,7 +412,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
"id": "A01.34",
"id": "A01.35",
"severity": "Low",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic"
},
Expand All @@ -412,7 +423,7 @@
"waf": "Security",
"service": "Front Door",
"guid": "00acd8a9-6975-414f-8491-2be6309893b8",
"id": "A01.35",
"id": "A01.36",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location"
}
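Review bot: The new Load Balancer item at the top of the section is tagged `"waf": "Security"`, but a zone-redundant frontend is an availability property, and the sibling App Gateway availability-zone item further down in this file uses `"waf": "Reliability"` — I would change it to `"waf": "Reliability"` so the pillar filter stays consistent across the checklist. The item also carries no `"graph"` query, unlike the Load Balancer SKU check immediately above it, so it cannot be evaluated automatically; the `zones` arrays of the frontend IP configurations (and, for public frontends, of the referenced public IP resource) look like the properties to inspect, but that should be confirmed against the resource schema before a query is added. Inserting the item at `A01.05` also renumbers every subsequent `id` in the file, so anything that references these checks by `id` rather than by the stable `guid` will point at the wrong item after this commit — worth noting in the commit message.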