From a1b05f7aa7cdf27ce3769f0c307f60045b36b4e7 Mon Sep 17 00:00:00 2001
From: Jose Moreno
Date: Fri, 25 Oct 2024 13:58:08 +0200
Subject: [PATCH] WAF checklist generated after data security update

---
 checklists/waf_checklist.en.json | 15990 +++++++++---------
 spreadsheet/macrofree/waf_checklist.en.xlsx | Bin 236680 -> 236447 bytes
 2 files changed, 7995 insertions(+), 7995 deletions(-)

diff --git a/checklists/waf_checklist.en.json b/checklists/waf_checklist.en.json
index f043ee3f..c65719ee 100644
--- a/checklists/waf_checklist.en.json
+++ b/checklists/waf_checklist.en.json
@@ -203,7719 +203,7766 @@ "waf": "Security" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", - "service": "Container Apps", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "severity": "Medium", + "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", - "service": "Container Apps", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "High", - "text": "Use more than one replica and enable Zone Redundancy.", + "text": "Use zone redundant pipelines in regions that support Availability Zones", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": "High", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", + "severity": "Medium", + "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": "High", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + 
"severity": "Medium", + "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medium", - "text": "Leverage FTA Resillency Handbook", + "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "High", - "text": "Plan for Data Center level outage", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "Low", + "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Practice Failover for BCDR", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", + "guid": "ba7da7be-9951-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", + "service": "Azure Data Explorer", + "text": "Leverage External Tables and Continuous data export overview to reduce costs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "High", - "text": "Plan a backup strategy and take regular backups", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data 
Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", + "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", + "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", + "service": "Azure Data Explorer", + "text": "To share data, explore Leader-follower cluster configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", - "severity": "Low", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", + "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", + "service": "Azure Data Explorer", + "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview accounts architectures and deployment best practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "436b0635-cb45-4e57-a603-324ace8cc123", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", + "service": "Azure Data Explorer", + "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", - "severity": "Medium", - "text": "Follow Collection Architectures and best practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", + "service": "Azure Data Explorer", + "text": "Ingest data into each cluster in parallel", "waf": "Reliability" 
}, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", - "severity": "Medium", - "text": "Follow Assest lifecycle best practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", + "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", + "service": "Azure Data Explorer", + "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", - "severity": "Medium", - "text": "Follow automation best practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", + "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", + "service": "Azure Data Explorer", + "text": "For critical applications, create Active-Active configuration in two paired regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Follow Backup and Migration Best practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", + "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", + "service": "Azure Data Explorer", + "text": "For applications, which required only read during failure, create Active-Hot standby configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Glossary Best Practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", + "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", + "service": "Azure Data Explorer", + "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", - "severity": "Low", - "text": "Leverage Workflows ", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", + "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Wrap DevOps and source control around all your code", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Security Best Practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + 
"service": "Azure Data Explorer", + "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Data Lineage Best Practices", + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "Medium", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, 
id=cdnprofileid, tags,skuname | extend compliant = (associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "severity": "Medium", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", + "service": "Front Door", "severity": "Medium", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", - "severity": "Low", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "severity": "Low", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", + "severity": "High", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "severity": "Low", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": 
"Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "severity": "High", + "text": "Avoid placing Traffic Manager behind Front Door.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "severity": "Low", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "High", + "text": "Use the same domain name on Azure Front Door and your origin. 
Mismatched host names can cause subtle bugs.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", "severity": "Low", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", - "severity": "Medium", - "text": "Generate assessment scores", - "waf": "Reliability" + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - 
"guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "severity": "Medium", - "text": "Profiling- get summaries of data content", + "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", "severity": "Low", - "text": "Follow Microsoft Purview Data Owner access policies", - "waf": "Reliability" + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": 
"4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", - "severity": "Low", - "text": "Follow Self-service access policies", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", + "severity": "High", + "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", - "severity": "Low", - "text": "Follow DevOps policies", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "Medium", + "text": "Define your Azure Front Door WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachineScaleSets",
- "checklist": "Resiliency Review",
- "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.",
- "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
- "service": "VMSS",
- "severity": "Low",
- "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant",
+ "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
+ "service": "Front Door",
+ "severity": "High",
+ "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).",
- "guid": "4d874a74-8b66-42d6-b150-512a66498f6d",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
- "service": "VM",
- "severity": "High",
- "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs",
- "waf": "Reliability"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant",
+ "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
+ "service": "Front Door",
+ "severity": "Medium",
+ "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%",
- "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "VM",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=~'Enabled') and (mode=~'Prevention')), enabledState, mode",
+ "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
+ "service": "Front Door",
 "severity": "High",
- "text": "Use Premium or Ultra disks for production VMs",
- "waf": "Reliability"
+ "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.",
- "guid": "b31e38c3-f298-412b-8363-cffe179b599d",
- "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
- "service": "VM",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
+ "service": "Front Door",
 "severity": "High",
- "text": "Ensure Managed Disks are used for all VMs",
- "waf": "Reliability"
+ "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Resiliency Review",
- "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", - "severity": "Medium", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", - "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", - "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", - "waf": "Reliability" + "arm-service": 
"microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "severity": "High", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" + "text": "Enable the Azure Front Door WAF bot protection rule set. 
The bot rules detect good and bad bots.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", + "severity": "Medium", + "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", + "severity": "Medium", + "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" + "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", - "waf": "Reliability" + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Storage", - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Storage", - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", + "severity": "Medium", + "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Storage", - "severity": "Low", - "text": "Enable soft delete for blobs", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "Medium", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Backup", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", + "service": "Front Door", "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "text": "Choose a routing method that supports your deployment strategy. 
The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Backup", - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", + "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", + "link": 
"https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", + "service": "Front Door", + "severity": "High", + "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Backup", - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", + "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", + "service": "Front Door", + "severity": "Medium", + "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. 
You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", - "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", + "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", + "service": "Front Door", + "severity": "Medium", + "text": "Decide if your application requires session affinity. 
If you have high reliability requirements, we recommend that you disable session affinity.", "waf": "Reliability" }, { - "arm-service": "Microsoft.PowerBI/gateways", - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", + "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", + "service": "Front Door", "severity": "Medium", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", - "waf": "Reliability" + "text": "Send the host header to the back end. The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "severity": "Medium", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + "text": "Use caching for endpoints that support it.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Storage", - "severity": "High", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", + "guid": "34069d73-e4de-46c5-a36f-625f87575a56", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Low", + "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. This is only recommended if you can't have multiple origins in your endpoint.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "c92d6786-cdd1-444d-9cad-934a192a276a", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports", + "service": "Front Door", "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", - "waf": "Security" + "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 
'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Storage", - "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", - "waf": "Security" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain", + "service": "Front Door", + "severity": "Medium", + "text": "Use wildcard TLS certificates when possible.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", + "service": "Front Door", "severity": "Medium", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. 
Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece", + "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression", + "service": "Front Door", "severity": "Medium", - "text": "Disable 'soft delete' for blobs", - "waf": "Security" + "text": "Use file compression when you're accessing downloadable content.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant", + "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243", + "link": "https://learn.microsoft.com/azure/cdn/tier-migration", + "service": "Front Door", 
"severity": "High", - "text": "Enable 'soft delete' for containers", - "waf": "Security" + "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "67c33697-15b1-4752-aeee-0b9b588defc4", + "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery", + "service": "Front Door", "severity": "Medium", - "text": "Disable 'soft delete' for containers", - "waf": "Security" + "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. 
", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Storage", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907", + "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance", + "service": "Front Door", "severity": "High", - "text": "Enable resource locks on storage accounts", + "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Storage", - "severity": "High", - "text": "Consider immutable blobs", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "Low", + "text": "If required for AKS Windows workloads HostProcess containers can be used", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "High", - "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Low", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Storage", - "severity": "High", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Low", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Storage", - "severity": "Medium", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "High", + "text": "Use the SLA-backed AKS offering", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", - "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", - "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", - "service": "Storage", - "severity": "High", - "text": "Enforce the latest TLS version for a storage account", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Low", + "text": "Use Disruption Budgets in your pod and deployment definitions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Storage", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": 
"https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "High", - "text": "Use Microsoft Entra ID tokens for blob access", - "waf": "Security" + "text": "If using a private registry, configure region replication to store images in multiple regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Storage", - "severity": "Medium", - "text": "Least privilege in IaM permissions", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "Low", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Storage", - "severity": "High", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "Low", + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Storage", - "severity": "High", - "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", + "severity": "Medium", + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Storage", - "severity": "High", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "Low", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "Medium", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", "waf": "Security" }, { - "arm-service": 
"Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Medium", - "text": "Consider configuring an SAS expiration policy", + "text": "Separate applications from the control plane with user/system node pools", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Storage", - "severity": "Medium", - "text": "Consider linking SAS to a stored access policy", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "Low", + "text": "Add taint to your system nodepool to make it dedicated", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "Medium", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "text": "Use a private registry for your images, such as ACR", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Storage", - "severity": "High", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", + "severity": "Medium", + "text": "Scan your images for vulnerabilities", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "High", - "text": "Strive for short validity periods for ad-hoc SAS", + "text": "Define app separation requirements (namespace/nodepool/cluster)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "Medium", - "text": "Apply a narrow scope to a SAS", + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Storage", - "severity": "Medium", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", + "severity": "High", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Storage", - "severity": "Low", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", + "severity": "Medium", + "text": "If required add Key Management Service etcd encryption", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Storage", - "severity": "High", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "Low", + "text": "If required consider using Confidential Compute for AKS", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "Medium", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "text": "Consider using Defender for Containers", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "High", - "text": "Avoid overly broad CORS policies", + "text": "Use managed identities instead of Service Principals", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Storage", - "severity": "High", - "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "severity": "Medium", + "text": "Integrate authentication with AAD (using the managed integration)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Storage", - "severity": "Medium", - "text": "Determine which/if platform encryption should be used.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", + "severity": "Medium", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "Medium", - "text": "Determine which/if client-side encryption should be used.", + "text": "Integrate 
authorization with AAD RBAC", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", - "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "High", - "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. 
", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Storage", - "severity": "High", - "text": "Leverage a storagev2 account type for better performance and reliability", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Storage", - "severity": "High", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", + "severity": "Medium", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + 
"service": "AKS", "severity": "Medium", - "text": "For write operation after failover, use customer-Managed Failover ", - "waf": "Reliability" + "text": "For AKS non-interactive logins use kubelogin (preview)", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "Medium", - "text": "Understand Microsoft-Managed Failover details", - "waf": "Reliability" + "text": "Disable AKS local accounts", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Storage", - "severity": "Medium", - "text": "Enable Soft Delete", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required Just-in-time cluster access", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": 
"https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", - "severity": "Medium", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required AAD conditional access for AKS", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", - "severity": "Medium", - "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Low", + "text": "If required for Windows AKS workloads configure gMSA ", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "Medium", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", - "waf": "Reliability" + "text": "For finer control consider using a managed Kubelet Identity", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "Medium", - "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a 
disaster.", + "text": "If using AGIC, do not share an AppGW across clusters", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "High", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "Medium", - "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "High", - "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Low", - "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "text": "Use the standard ALB (as opposed to the basic one)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "Medium", - "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", - "waf": "Reliability" + "text": "If using Azure CNI, consider using different Subnets for NodePools", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "Low", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "Medium", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Native database replication technology should be used to synchronize the 
database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Reliability" + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "High", - 
"text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "Low", + "text": "If required add your own CNI plugin", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "High", - "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "Low", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", + "severity": "Medium", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = 
tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "Low", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure 
AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "Medium", + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "High", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "High", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", - "waf": "Reliability" + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", + "severity": "Medium", + "text": "If using a public API endpoint, restrict the IP addresses that can access it", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "High", - "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "text": "Use private clusters if your requirements mandate it", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Medium", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "High", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "High", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", - "waf": "Reliability" + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", - "waf": "Reliability" + "text": "Use Kubernetes network policies to increase intra-cluster security", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + 
"guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "Medium", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Use DDoS Standard in the AKS Virtual Network", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "Medium", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "Low", + "text": "If required add company HTTP Proxy", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "Medium", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Consider using a service mesh for advanced microservice communication management", + "waf": "Security" 
}, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "severity": "High", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "Low", + "text": "Check regularly Azure Advisor for recommendations on your cluster", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "Low", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "severity": "High", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "Reliability" + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "High", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Reliability" + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "severity": "High", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", - "waf": "Reliability" + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", - "severity": "Medium", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "Low", + "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", "severity": "Low", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. 
Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" + "text": "Consider using AKS command invoke on private clusters", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", "severity": "Low", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "severity": "High", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": 
"https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Security" + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "Medium", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Low", + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "Medium", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", - "waf": "Security" + 
"text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "Low", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", - "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "Low", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - 
"severity": "Medium", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "Low", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "Low", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", - "severity": "Medium", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "severity": "Medium", - "text": "Implement SSO to SAP HANA", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "Low", + "text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", - "severity": "Medium", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Low", + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", - "severity": "Medium", - "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", - "severity": "Medium", - "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. 
This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "Medium", - "text": "Implement SSO to SAP BTP", - "waf": "Security" + "text": "Monitor CPU and memory utilization of the nodes", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Medium", - "text": "If you're using 
SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", - "waf": "Security" + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "description": "Keep your management group hierarchy reasonably flat, no more than four.", - "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "severity": "Medium", - "text": "enforce existing Management Group policies to SAP Subscriptions", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "text": "Monitor OS disk queue depth in nodes", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "Resources | summarize count()", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "High", - "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "Medium", + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "High", - "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription 
per environment eg. Sandbox, non-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", + "severity": "Medium", + "text": "Subscribe to resource health notifications for your AKS cluster", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "High", - "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "text": "Configure requests and limits in your pod specs", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", - "severity": "Low", - "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Medium", + "text": "Enforce resource quotas for namespaces", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "severity": "High", - "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", + "text": "Ensure your subscription has enough quota to scale out your nodepools", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "severity": "High", - "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "text": "Configure Liveness and Readiness probes for all deployments", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Medium", - "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, 
Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "High", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", + "severity": "Low", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Medium", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "severity": "High", - "text": "Ensure time-zone matches between the operating system and the SAP system.", - "waf": "Operations" - }, - { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", - "severity": "Medium", - "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "severity": "Low", - "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", - "waf": "Cost" + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", - "severity": "Medium", - "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "Low", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", - "severity": "Medium", - "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "Low", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", "severity": "Low", - "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management 
(LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "Operations" + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", - "severity": "Medium", - "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "High", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", 
"severity": "High", - "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "Operations" + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", - "severity": "Medium", - "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "Low", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "Medium", - "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "Operations" + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "Medium", - "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", - "waf": "Operations" + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "High", - "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", + "severity": "Medium", + "text": "If using Azure 
Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "Medium", - "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "Reliability" + "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "Medium", - "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", - "waf": "Security" + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "Low", + "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", + "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", - "severity": "Medium", - "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", + "severity": "High", + "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": 
"04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "Low", - "text": "Use inter-VM latency monitoring for latency-sensitive applications.", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", + "severity": "High", + "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", + "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", + "waf": "Cost" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "High", + "text": "Enforce a RBAC model that aligns to your cloud operating model. 
Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "Medium", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "Medium", - "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", - "waf": "Performance" + "text": "Only use groups to assign permissions. 
Add on-premises groups to the Entra ID only group if a group management system is already in place.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "Low", - "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", - "waf": "Performance" - }, - { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", - "severity": "Medium", - "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Performance" - }, - { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", - "severity": "Medium", - "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Performance" + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "High", + "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "High", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operations" + "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", + "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": 
"14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "Medium", - "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Medium", - "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", + "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", + "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", + "service": "Entra", "severity": "Medium", - "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "text": "When using Microsoft Entra Domain Services use replica sets. Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. 
", + "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "Medium", - "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Reliability" + "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", + "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "severity": "High", - "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", - "training": "https://me.sap.com/notes/2731110", - "waf": "Performance" + "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. 
", + "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "Operations" + "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "Medium", - "text": "Consider deploying 
network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
- "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
- "waf": "Operations"
+ "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
- "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
+ "service": "VNet",
 "severity": "Medium",
- "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
- "guid": "82734c88-6ba2-4802-8459-11475e39e530",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
- "severity": "High",
- "text": "Public IP assignment to VM running SAP Workload is not recommended.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
- "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
- "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "service": "SAP",
- "severity": "High",
- "text": "Consider reserving IP address on DR side when configuring ASR",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Operations"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7bc1c396-2461-4698-b57f-30ca69525252",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions",
+ "service": "VNet",
+ "severity": "Medium",
+ "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
+ "service": "VNet",
 "severity": "High",
- "text": "Avoid using overlapping IP address ranges for production and DR sites.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
- "waf": "Operations"
+ "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Cost"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
- "service": "SAP",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
 "severity": "Medium",
- "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
- "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
- "waf": "Operations"
+ "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
- "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
+ "service": "ExpressRoute",
+ "severity": "Low",
+ "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
- "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
- "service": "SAP",
- "severity": "Medium",
- "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "arm-service": "Microsoft.Network/virtualHubs",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
+ "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
+ "service": "ARS",
+ "severity": "Low",
+ "text": "If using Route Server, use a /27 prefix for the Route Server subnet.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
+ "service": "VNet",
 "severity": "Medium",
- "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
- "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
- "waf": "Security"
+ "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
+ "service": "VNet",
 "severity": "Medium",
- "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
- "waf": "Security"
+ "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.",
+ "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ada4332-4e13-4811-9231-81aa41742694",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
+ "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
 "severity": "Medium",
- "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
- "waf": "Security"
+ "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
+ "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
+ "service": "VNet",
 "severity": "Medium",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
- "waf": "Performance"
+ "text": "Limit the number of routes per route table to 400.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
- "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
- "service": "SAP",
- "severity": "Medium",
- "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
- "waf": "Security"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
+ "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
+ "service": "VNet",
+ "severity": "High",
+ "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking",
- "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)",
+ "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancer",
 "severity": "High",
- "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
- "waf": "Performance"
+ "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))",
+ "guid": "48682fb1-1e86-4458-a686-518ebd47393d",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant",
+ "service": "Load Balancer",
+ "severity": "High",
+ "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
+ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
+ "service": "ExpressRoute",
 "severity": "Medium",
- "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.",
- "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc",
- "guid": "6791f893-5ada-4433-84e1-3811523181aa",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "SAP",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
+ "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
+ "service": "ExpressRoute",
 "severity": "Medium",
- "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.",
- "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
+ "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
+ "arm-service": "microsoft.network/expressRouteCircuits",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "ExpressRoute",
 "severity": "High",
- "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "Performance"
+ "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
+ "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "severity": "Medium",
- "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.",
- "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
- "waf": "Performance"
+ "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
+ "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "VNet",
 "severity": "High",
- "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
 "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
+ "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
+ "service": "VNet",
 "severity": "High",
- "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "Cost"
+ "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "402a9846-d515-4061-aff8-cd30088693fa",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)",
+ "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone",
+ "service": "Public IP Addresses",
 "severity": "High",
- "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Performance"
+ "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ",
+ "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
+ "service": "DNS",
 "severity": "Medium",
- "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering",
- "waf": "Security"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
- "severity": "High",
- "text": "Review SAP HANA database backups for Azure VMs.",
- "waf": "Cost"
+ "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
+ "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
+ "service": "DNS",
 "severity": "Medium",
- "text": "Review Site Recovery built-in monitoring, where used for SAP.",
- "waf": "Cost"
+ "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
- "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
- "service": "SAP",
- "severity": "High",
- "text": "Review the Monitoring the SAP HANA System Landscape guidance.",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
+ "service": "DNS",
+ "severity": "Low",
+ "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.",
+ "training": "https://learn.microsoft.com/training/courses/az-700t00",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
- "service": "SAP",
- "severity": "Medium",
- "text": "Review Oracle Database in Azure Linux VM backup strategies.",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
- "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
- "service": "SAP",
- "severity": "Medium",
- "text": "Review the use of Azure Blob Storage with SQL Server 2016.",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
- "service": "SAP",
- "severity": "Medium",
- "text": "Review the use of Automated Backup v2 for Azure VMs.",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "614658d3-558f-4d77-849b-821112df27ee",
+ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
+ "service": "DNS",
 "severity": "High",
- "text": "Enabling Write accelerator for M series when using premium disks(V1)",
+ "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "service": "SAP",
- "severity": "Medium",
- "text": "Test availability zone latency.",
- "waf": "Performance"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
- "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
- "service": "SAP",
- "severity": "Medium",
- "text": "Activate SAP EarlyWatch Alert for all SAP components.",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
- "waf": "Performance"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
- "service": "SAP",
- "severity": "Medium",
- "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
- "training": "https://me.sap.com/notes/0002879613",
- "waf": "Performance"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
- "service": "SAP",
- "severity": "Medium",
- "text": "Review SQL Server performance monitoring using CCMS.",
- "waf": "Performance"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
- "link": "https://me.sap.com/notes/500235",
- "service": "SAP",
- "severity": "Medium",
- "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
- "training": "https://me.sap.com/notes/1100926/E",
- "waf": "Performance"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
- "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
- "service": "SAP",
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b",
+ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures",
+ "service": "DNS",
 "severity": "Medium",
- "text": "Review SAP HANA studio alerts.",
- "waf": "Performance"
+ "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region",
+ "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
- "link": "https://me.sap.com/notes/1969700",
- "service": "SAP",
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
+ "service": "Bastion",
 "severity": "Medium",
- "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
- "waf": "Performance"
+ "text": "Use Azure Bastion to securely connect to your network.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
- "service": "SAP",
+ "arm-service": "microsoft.network/bastionHosts",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
+ "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
+ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
+ "service": "Bastion",
 "severity": "Medium",
- "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
- "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "text": "Use Azure Bastion in a subnet /26 or larger.",
+ "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/",
 "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "08951710-79a2-492a-adbc-06d7a401545b",
- 
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "Medium", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "Low", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "High", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", + "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "High", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks including application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", - "severity": "Medium", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "High", + "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. 
On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "High", + "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. 
Use exclusions if public IPs are needed on specific VMs.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Medium", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Security" + "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "High", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + 
"checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", "severity": "High", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Security" + "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "severity": "High", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Security" + "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", + "training": 
"https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Medium", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "High", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": 
"abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "High", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Security" + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "Medium", + "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "High", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Security" + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "severity": "Medium", + "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "High", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Low", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "Low", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - 
"training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Security" + "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Cost" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "High", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "severity": "Medium", + "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. 
It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Security" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "Medium", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you 
can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Security" + "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "Low", - "text": "Implement a baseline highly available zone-redundant web application architecture. 
Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Use ExpressRoute circuits from different peering locations for redundancy.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. 
Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.", - "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "Medium", - "text": "Use Premium and Standard tiers for staging slots and automated backups. Align your backup retention period with disaster recovery needs.", + "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. 
Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). 
Check region support for Availability Zones.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", - "service": "App Services", - "severity": "Medium", - "text": "Implement health checks to monitor and detect issues with App Service instances. Health checks enable automatic instance replacement on failure.", + "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/azure/app-service/manage-backup", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "High", - "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.", + "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a 
connection failure it should converge to the remaining connection of the circuit. Load should be shared across both connections ideally as active/active, although active/passive is supported too.", + "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. Leverage health checks and availability zones to maintain uptime.", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "severity": "High", - "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Prepare for disaster recovery by implementing region failover strategies. 
Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "Low", - "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "severity": "Medium", + "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). 
Leverage these features to maintain consistent performance during outages.", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "severity": "High", - "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", - "severity": "Medium", - "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.", + "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": 
"microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "Medium", - "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.", - "waf": "Reliability" + "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "Medium", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.", - "waf": "Reliability" + "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", "severity": "Low", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", - "waf": "Reliability" + "text": "Do not send Azure traffic to hybrid locations for inspection. Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "severity": "High", - "text": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. This reduces the risk of credential exposure and simplifies secret management for enhanced security.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "High", - "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", + "severity": "Medium", + "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. 
Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of certificates. This reduces the risk of manual handling errors and certificate expiration.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", - "severity": "High", - "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "Low", + "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "To minimize exposure and improve security, isolate systems processing sensitive data. 
Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", - "severity": "Medium", - "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "High", + "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", - "severity": "Medium", - "text": "Do not store sensitive data on local disk", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "High", + "text": "Use Azure Firewall Premium to enable additional security features.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. 
Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", - "severity": "Medium", - "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", + "severity": "High", + "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. 
This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", "severity": "High", - "text": "Deploy code to App Service from a trusted and secure environment.", + "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. 
This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "severity": "High", - "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.", + "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to 
Azure Firewall or a Network Virtual Appliance.", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", + "severity": "Medium", + "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", "severity": "High", - "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.", - "waf": "Security" + "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. 
This ensures secure access to container images and reduces the risk of credential exposure.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "severity": "High", - "text": "Pull container images from Azure Container Registry using a Managed Identity.", + "text": "Use a /26 prefix for your Azure Firewall subnets.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "Medium", - "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.", - "waf": "Security" + "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "Medium", - "text": "Send App Service activity logs to Log Analytics", - "waf": "Security" + "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "Medium", - "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.", - "waf": "Security" + "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service 
Review", - "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "Low", - "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.", - "waf": "Security" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", + "severity": "Medium", + "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", + "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. 
Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "High", - "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.", - "waf": "Security" + "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "High", - "text": "Use a Web Application Firewall (WAF) in front of App Service.", - "waf": "Security" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "Low", + "text": "Use web categories to allow or deny outbound access to specific topics.", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. 
This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "High", - "text": "Ensure the WAF cannot be bypassed by securing access to App Service.", - "waf": "Security" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", + "severity": "Medium", + "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. 
TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "Medium", - "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.", + "text": "Enable Azure Firewall DNS proxy configuration.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "severity": "High", - "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).", - "waf": "Security" + "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", + "training": "https://learn.microsoft.com/training/courses/az-700t00/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. 
Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "Low", + "text": "Implement backups for your firewall rules", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", + "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", + "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", + "service": "Firewall", "severity": "High", - "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.", - "waf": "Security" + "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", + "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, '/subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | extend compliant = iif(isempty(ddosProtectionPlanId), false, true) | project name, compliant, id = firewallId, tags, network = strcat('vNet: ', vNetName)", + "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", + "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", + "service": "Firewall", "severity": "High", - "text": "Turn off remote debugging in production environments.", + "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. 
", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", + "severity": "High", + "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", "severity": "Medium", - "text": "Enable Defender for Cloud - Defender for App Service", + "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", - "severity": "Medium", - "text": "Enable DDOS Protection Standard on the WAF VNet", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", + "severity": "High", + "text": "Don't enable virtual network service endpoints by default on all subnets.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by 
using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. This ensures secure communication between App Service and the registry, preventing exposure to the public internet.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "Medium", - "text": "Pull container images over a Virtual Network from Azure Container Registry.", + "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. 
This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "Medium", - "text": "Conduct a penetration test on the web application.", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "High", + "text": "Use at least a /27 prefix for your Gateway subnets.", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. 
This minimizes the risk of introducing security vulnerabilities into the application environment.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "High", + "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 
'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "severity": "Medium", - "text": "Deploy validated and vulnerability-scanned code.", + "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ensure that the latest versions of supported platforms, programming languages, protocols, and frameworks are used. 
Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medium", + "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.", - "guid": "60b3a935-33e5-45c9-87c7-53882e395b46", - "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics", - "service": "App Services", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = 
properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", "severity": "Medium", - "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.", - "waf": "Reliability" + "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. 
Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).", - "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557", - "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts", - "service": "App Services", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "Medium", - "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.", + "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. 
Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.", - "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "App Services", - "severity": "High", - "text": "Apply Azure Policy to enforce compliance across App Service configurations.", - "waf": "Governance" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "Medium", + "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Leverage Azure Cost Management to track and forecast App Service expenses. 
Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.", - "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832", - "link": "https://learn.microsoft.com/azure/cost-management-billing/", - "service": "App Services", - "severity": "Low", - "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.", - "waf": "Cost" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", + "severity": "Medium", + "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Performance" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "If you have predictable and steady usage of App Service, purchasing Reserved Instances can significantly reduce long-term costs. 
Commit to one or three years for lower pricing compared to pay-as-you-go.", - "guid": "e489221b-487e-48a3-aaab-48e3d205ca12", - "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/", - "service": "App Services", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", "severity": "Medium", - "text": "Purchase reserved instances for App Service plans to optimize long-term costs.", - "waf": "Cost" + "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", + "severity": "Medium", + "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": 
"https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "Reliability" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "Medium", + "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "Medium", + "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "Reliability" }, { - "arm-service": 
"Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "Medium", + "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" + "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": 
"ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "Medium", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "High", - "text": "Learn how to trigger a manual failover.", - "waf": "Reliability" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Medium", + "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", + "training": 
"https://learn.microsoft.com/training/modules/governance-security/", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "severity": "High", - "text": "Learn how to fail back after a failover.", - "waf": "Reliability" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Medium", + "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "High", - "text": "Enable 2 replicas to have 99.9% availability for read operations", - "waf": "Reliability" + "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "Medium", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", - "waf": "Reliability" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "Low", + "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "High", - "text": "Leverage Availability Zones by enabling read and/or write replicas", - "waf": "Reliability" + "text": "Use built-in policies where possible to minimize operational overhead.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": 
"Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "Medium", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", - "waf": "Reliability" + "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medium", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", - "waf": "Reliability" + "text": "Limit the number of Azure Policy assignments made at the root management group scope to 
avoid managing through exclusions at inherited scopes.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "Medium", - "text": "Use Azure Traffic Manager to coordinate requests", - "waf": "Reliability" + "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "severity": "High", - "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "Medium", + "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.", + "waf": "Security" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "Medium", - "text": "Follow reliability support recommendations in Azure Bot Service", - "waf": "Reliability" + "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.", + "waf": "Security" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "severity": "Medium", - "text": "Deploying bots with local data residency and regional 
compliance", - "waf": "Reliability" + "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", + "waf": "Security" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions", + "service": "Monitor", "severity": "Medium", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.", - "waf": "Reliability" + "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" }, { "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "checklist": "Azure Landing Zone Review", + "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "service": "Monitor", "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. 
Each approach has advantages and disadvantages, including potential cross-region networking charges", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Backup", - "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", + "severity": "High", + "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", "service": "VM", "severity": "Medium", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Backup", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", "severity": "Medium", - "text": "Consider a good balance between site 
recovery storage and backup for non mission critical applications", - "waf": "Cost" + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Monitor", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" + "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "Medium", + "text": "Use Network Watcher to proactively monitor traffic flows.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operations" }, { "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", "service": "Monitor", "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "text": "Use Azure Monitor Logs for insights and reporting.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/", + "waf": "Operations" }, { - "arm-service": 
"Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "text": "When using Change and Inventory Tracking via Azure 
Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-automation-devops/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "Low", + "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", "service": "VM", "severity": "Medium", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are 
created frequently", - "waf": "Cost" + "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", + "waf": "Security" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "checklist": "Azure Landing Zone Review", + "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", "service": "VM", "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "text": "Monitor VM security configuration drift via Azure Policy.", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "service": "VM", "severity": "Medium", - "text": "Consolidate reserved VM families 
with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", + "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "severity": "Medium", - "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", - "waf": "Cost" + "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "severity": "Medium", - "text": "Only larger disks can be reserved => 1 TiB -", - "waf": "Cost" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": 
"89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", + "severity": "High", + "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", + "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "Medium", - "text": "After the right-sizing optimization", - "waf": "Cost" + "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. 
Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "SQL", - "severity": "Medium", - "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Cost" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", + "severity": "High", + "text": "Use Azure Key Vault to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by 
subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "Medium", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", - "waf": "Cost" + "text": "Use different Azure Key Vaults for different applications, environments and regions to avoid transaction scale limits and restrict access to secrets.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Consider using a VMSS to match demand rather than flat sizing", - "waf": "Cost" + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone 
Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Backup", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", + "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + 
"guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", - "waf": "Cost" + "text": "Establish an automated process for key and certificate rotation.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Functions", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Functions", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": 
"Key Vault", "severity": "Medium", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Functions", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Functions", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medium", - "text": "Functions - Keep your functions warm", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Cost" + "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Functions", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "Medium", - "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", - "waf": "Cost" + "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Functions", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "Medium", - "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", - "waf": "Cost" + "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", + "training": 
"https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Functions", - "severity": "Medium", - "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Cost" + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", + "severity": "High", + "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "severity": "Medium", - "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.", - "waf": "Cost" + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", + "severity": "High", + "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "severity": "Medium", - "text": "Frontdoor - Route to something that returns nothing. 
Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", - "waf": "Cost" + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "High", + "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", + "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "severity": "Medium", - "text": "Consider archiving tiers for less used data", - "waf": "Cost" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "severity": "High", + "text": "Enable Endpoint Protection on IaaS Servers.", + "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "waf": "Security" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", "service": "VM", "severity": "Medium", - "text": "Check disk sizes where the size 
does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", - "waf": "Cost" + "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medium", - "text": "Consider using standard SSD rather than Premium or Ultra where possible", - "waf": "Cost" + "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", + "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "severity": "Medium", - "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", - "waf": "Cost" + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, 
wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", + "guid": "a56888b2-7e83-4404-bd31-b886528502d1", + "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", + "service": "Entra", + "severity": "High", + "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", + "waf": "Security" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "Medium", - "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", - "waf": "Cost" + "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", + "checklist": "Azure Landing Zone Review", + "guid": 
"d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "Medium", - "text": "Storage accounts: check hot tier and/or GRS necessary", - "waf": "Cost" + "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "severity": "Medium", - "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "severity": "Medium", - "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "severity": "Medium", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "severity": "Medium", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it 
is not in use.", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "severity": "Medium", - "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "severity": "Medium", - "text": "Create multiple Apache Spark pool definitions of various sizes.", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "severity": "Medium", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "severity": "Medium", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "severity": "Medium", - "text": "Right-sizing all VMs", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "severity": "Medium", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "severity": "Medium", - "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "High", + "text": "Enable secure transfer to storage accounts.", + "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": 
"2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "severity": "Medium", - "text": "Containerizing an application can improve VM density and save money on scaling it", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "High", + "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.Cdn/profiles/secrets' | extend frontDoorId = substring(id, 0, indexof(id, '/secrets')) | where properties.parameters.type =~ 'CustomerCertificate' | extend compliant = properties.parameters.useLatestVersion == true | project compliant, id=frontDoorId, certificateName = name | distinct id, certificateName, compliant", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "Medium", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal.", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "High", + "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", + "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.cdn/profiles' and sku has 'AzureFrontDoor' | project name, cdnprofileid=tolower(id), tostring(tags), resourceGroup, subscriptionId,skuname=tostring(sku.name) | join kind= fullouter ( cdnresources | where type == 'microsoft.cdn/profiles/securitypolicies' | extend wafpolicyid=tostring(properties['parameters']['wafPolicy']['id']) | extend splitid=split(id, '/') | extend cdnprofileid=tolower(strcat_array(array_slice(splitid, 0, 8), '/')) | project secpolname=name, cdnprofileid, wafpolicyid ) on cdnprofileid | project name, cdnprofileid, secpolname, wafpolicyid,skuname | join kind = fullouter ( resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | extend managedrulesenabled=iff(tostring(properties.managedRules.managedRuleSets) != '[]', true, false), enabledState = tostring(properties.policySettings.enabledState) | project afdwafname=name, managedrulesenabled, wafpolicyid=id, enabledState, tostring(tags) ) on wafpolicyid | where name != '' | summarize associatedsecuritypolicies=countif(secpolname != ''), wafswithmanagedrules=countif(managedrulesenabled == 1) by name, id=cdnprofileid, tags,skuname | extend compliant = 
(associatedsecuritypolicies > 0 and wafswithmanagedrules > 0) | project id, compliant", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", - "severity": "Medium", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=application-gateway&pivots=front-door-standard-premium#example-configuration", - "service": "Front Door", - "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "OpenAI", + "severity": "High", + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "OpenAI", "severity": "High", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", - "waf": "Security" + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate 
limiting, load balancing, authentication and logging", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend compliant = properties['hostName'] !endswith '.trafficmanager.net' | project compliant, id=frontDoorId", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "OpenAI", "severity": "High", - "text": "Avoid placing Traffic Manager behind Front Door.", - "waf": "Security" + "text": "Enable monitoring for your AOAI instances", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origins')) | extend compliant = isempty(properties.originHostHeader) or (tostring(properties.hostName) =~ tostring(properties.originHostHeader)) | project id=frontDoorId, originName = name, compliant", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.insights/metricalerts' | extend 
compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "OpenAI", "severity": "High", - "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", - "waf": "Security" + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "OpenAI", + "severity": "High", + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "OpenAI", "severity": "Medium", - "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", - "waf": "Reliability" + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": 
"https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "OpenAI", "severity": "Low", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", - "waf": "Performance" + "text": "Enable and configure Diagnostics for the Azure OpenAI Service. If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "OpenAI", "severity": "High", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", - "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = forwardingProtocol =~ 'httpsonly' and (supportedProtocols has 'https' or httpsRedirect =~ 'enabled') | project id = frontDoorId, compliant", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "OpenAI", "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", + "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type == 'microsoft.cdn/profiles/afdendpoints/routes' | extend frontDoorId = substring(id, 0, indexof(id, '/afdendpoints')) | extend forwardingProtocol=tostring(properties.forwardingProtocol),supportedProtocols=properties.supportedProtocols,httpsRedirect=properties.httpsRedirect | extend compliant = httpsRedirect =~ 'enabled' | project id = frontDoorId, compliant", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", - "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "OpenAI", + "severity": "High", + "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=~'Enabled') and (mode=~'Prevention')), enabledState, mode", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "OpenAI", "severity": "High", - "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", - "waf": "Security" + "text": "Evaluate usage of Provisioned throughput model ", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "OpenAI", "severity": "High", - "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", - "waf": "Security" + "text": "Review and implement Azure AI content safety", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "OpenAI", "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Security" + "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": 
"49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "OpenAI", + "severity": "Medium", + "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "OpenAI", + "severity": "Medium", + "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "OpenAI", "severity": "High", - "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", - "waf": "Security" + "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "OpenAI", "severity": "Medium", - "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", - "waf": "Security" + "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "severity": "Medium", - "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "OpenAI", + "severity": "High", + "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "OpenAI", "severity": "Medium", - "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure.", - "waf": "Security" + "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "OpenAI", "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", - "waf": "Security" + "text": "Deploy multiple OAI instances across regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", - "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "OpenAI", + "severity": "High", + "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "OpenAI", "severity": "Medium", - "text": "Capture logs and metrics by turning on Diagnostic Settings. Include resource activity logs, access logs, health probe logs, and WAF logs. 
Set up alerts.", - "waf": "Operations" + "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "OpenAI", "severity": "Medium", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3bb0a854-ea3d-4212-bd8e-3f0cb7792b02", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods", - "service": "Front Door", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "OpenAI", "severity": "Medium", - "text": "Choose a routing method that supports your deployment strategy. The weighted method, which distributes traffic based on the configured weight coefficient, supports active-active models. A priority-based value that configures the primary region to receive all traffic and send traffic to the secondary region as a backup supports active-passive models. 
Combine the preceding methods with latency so that the origin with the lowest latency receives traffic.", + "text": "Deploy separate fine tuned models across regions if finetuning is employed", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 | project id = frontDoorId, compliant", - "guid": "c3a769e4-cc78-40a9-b36a-f9bcab19ec2d", - "link": "https://learn.microsoft.com/azure/frontdoor/quickstart-create-front-door", - "service": "Front Door", - "severity": "High", - "text": "Support redundancy by having multiple origins in one or more back-end pools. Always have redundant instances of your application and make sure each instance exposes an endpoint or origin. You can place those origins in one or more back-end pools.", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "OpenAI", + "severity": "Medium", + "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "999852be-2137-4179-8fc3-30d1df6fed1d", - "link": "https://learn.microsoft.com/azure/frontdoor/troubleshoot-issues#troubleshooting-steps", - "service": "Front Door", - "severity": "Medium", - "text": "Set a timeout on forwarding requests to the back end. Adjust the timeout setting according to your endpoints' needs. If you don't, Azure Front Door might close the connection before the origin sends the response. You can also lower the default timeout for Azure Front Door if all of your origins have a shorter timeout.", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "OpenAI", + "severity": "High", + "text": "Azure AI search service tiers should be choosen to have a SLA ", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17bf6351-3e5e-41f1-87bb-d5ad0b4e3de6", - "link": "https://learn.microsoft.com/azure/frontdoor/routing-methods#23session-affinity", - "service": "Front Door", - "severity": "Medium", - "text": "Decide if your application requires session affinity. 
If you have high reliability requirements, we recommend that you disable session affinity.", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "OpenAI", + "severity": "Low", + "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "425bfb31-94c4-4007-b9ae-46da9fe57cc7", - "link": "https://learn.microsoft.com/azure/frontdoor/origin?pivots=front-door-standard-premium#origin-host-header", - "service": "Front Door", - "severity": "Medium", - "text": "Send the host header to the back end. The back-end services should be aware of the host name so that they can create rules to accept traffic only from that host.", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "OpenAI", + "severity": "High", + "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "81a5398a-2414-450f-9fc3-e048bc65784c", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching", - "service": "Front Door", - "severity": "Medium", - "text": "Use caching for endpoints that support it.", - "waf": "Cost" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": 
"https://learn.microsoft.com/azure/search/search-security-overview", + "service": "OpenAI", + "severity": "High", + "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend healthprobe=tostring(properties.healthProbeSettings) | project origingroupname=name, id, tags, resourceGroup, subscriptionId, healthprobe, frontDoorId | join ( cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/Origins' | extend origingroupname = tostring(properties.originGroupName) ) on origingroupname | summarize origincount=count(), enabledhealthprobecount=countif(healthprobe != '') by origingroupname, id, tostring(tags), resourceGroup, subscriptionId, frontDoorId | extend compliant = origincount > 1 or (origincount == 1 and enabledhealthprobecount == 0) | project id = frontDoorId, compliant", - "guid": "34069d73-e4de-46c5-a36f-625f87575a56", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health checks in single back-end pools. If you have only one origin configured in your Azure Front Door origin group, these calls are unnecessary. 
This is only recommended if you can't have multiple origins in your endpoint.",
- "waf": "Cost"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c92d6786-cdd1-444d-9cad-934a192a276a",
- "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-reports",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "We recommend using the Premium Tier for leveraging the Security reports while the Standard Azure Front Door Profile provides only traffic reports under built-in analytics/reports.",
- "waf": "Operations"
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "440cf7de-30a1-4550-ab50-c9f6eac140cd",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-wildcard-domain",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Use wildcard TLS certificates when possible.",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/ai-onboarding",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "556e2733-6ca9-4edd-9cc7-26de66d46c2e",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-caching",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Optimize your application query string for caching. For purely static content, ignore query strings to maximize your use of the cache. If your application uses query strings, consider including them in the cache key. Including the query strings in the cache key allows Azure Front Door to serve cached responses or other responses, based on your configuration.",
- "waf": "Performance"
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c0b7e55e-fcab-4e66-bdae-bd0290f6aece",
- "link": "https://learn.microsoft.com/azure/frontdoor/standard-premium/how-to-compression",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Use file compression when you're accessing downloadable content.",
- "waf": "Performance"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type =~ 'microsoft.network/frontdoors' and properties['resourceState'] !~ 'migrated' | extend compliant = false | project id, compliant",
- "guid": "cb8eb8c0-aa73-4a26-a495-6eba8dc4a243",
- "link": "https://learn.microsoft.com/azure/cdn/tier-migration",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Consider migrating to Standard or Premium SKU if you are using Classic Azure Front Door currently as Classic Azure Front Door will be deprecated by March 2027.",
- "waf": "Operations"
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "67c33697-15b1-4752-aeee-0b9b588defc4",
- "link": "https://learn.microsoft.com/azure/architecture/guide/networking/global-web-applications/mission-critical-content-delivery",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Consider using Traffic Manager load balancing Azure Front Door and a third party CDN provider CDN profile for mission critical high availability scenario. ",
- "waf": "Reliability"
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "972cd4cd-25b0-4b70-96e9-eab4bfd32907",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-ip-restrictions?tabs=azurecli#restrict-access-to-a-specific-azure-front-door-instance",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "OpenAI",
 "severity": "High",
- "text": "When using Front Door with origin as App services, consider locking down the traffic to app services only through Azure Front Door using access restrictions. ",
+ "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
- "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
- "service": "AKS",
- "severity": "Low",
- "text": "If required for AKS Windows workloads HostProcess containers can be used",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
- "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
- "service": "AKS",
- "severity": "Low",
- "text": "Use KEDA if running event-driven workloads",
- "waf": "Performance"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
- "link": "https://dapr.io/",
- "service": "AKS",
- "severity": "Low",
- "text": "Use Dapr to ease microservice development",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
- "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
- "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Use the SLA-backed AKS offering",
- "waf": "Reliability"
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "Low",
- "text": "Use Disruption Budgets in your pod and deployment definitions",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Configure private endpoint for AI services to restrict service access within your network",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
- "service": "ACR",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "OpenAI",
 "severity": "High",
- "text": "If using a private registry, configure region replication to store images in multiple regions",
- "waf": "Reliability"
+ "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
- "service": "AKS",
- "severity": "Low",
- "text": "Use an external application such as kubecost to allocate costs to different users",
- "waf": "Cost"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
- "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
- "service": "AKS",
- "severity": "Low",
- "text": "Use scale down mode to delete/deallocate nodes",
- "waf": "Cost"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Use prompt compression tools like LLMLingua or gprtrim",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
- "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
- "service": "AKS",
- "severity": "Medium",
- "text": "When required use multi-instance partitioning GPU on AKS Clusters",
- "waf": "Cost"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
- "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
- "service": "AKS",
- "severity": "Low",
- "text": "If running a Dev/Test cluster use NodePool Start/Stop",
- "waf": "Cost"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
- "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
+ "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
- "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Separate applications from the control plane with user/system node pools",
+ "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "OpenAI",
 "severity": "Low",
- "text": "Add taint to your system nodepool to make it dedicated",
- "waf": "Security"
+ "text": "Azure AI Services are properly tagged for better management",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
- "severity": "Medium",
- "text": "Use a private registry for your images, such as ACR",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "OpenAI",
+ "severity": "Low",
+ "text": "Azure AI Service accounts follows organizational naming conventions",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
- "severity": "Medium",
- "text": "Scan your images for vulnerabilities",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Diagnostic logs in Azure AI services resources should be enabled",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Define app separation requirements (namespace/nodepool/cluster)",
+ "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
- "severity": "Medium",
- "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "OpenAI",
 "severity": "High",
- "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
+ "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
- "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
- "service": "AKS",
- "severity": "Medium",
- "text": "If required add Key Management Service etcd encryption",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
- "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
- "service": "AKS",
- "severity": "Low",
- "text": "If required consider using Confidential Compute for AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e29711b1-352b-4eee-879b-588defc4972c",
+ "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Consider using Defender for Containers",
- "waf": "Security"
+ "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
- "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Use managed identities instead of Service Principals",
- "waf": "Security"
+ "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
- "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Integrate authentication with AAD (using the managed integration)",
- "waf": "Security"
+ "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
- "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "166cd072-af9b-4141-a898-a535e737897e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Limit access to admin kubeconfig (get-credentials --admin)",
- "waf": "Security"
+ "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). Optimize the size to ensure it is large enough for a valid response",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
- "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
+ "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Integrate authorization with AAD RBAC",
- "waf": "Security"
+ "text": "Plan and manage AI Search Vector storage",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
+ "service": "OpenAI",
 "severity": "High",
- "text": "Use namespaces for restricting RBAC privilege in Kubernetes",
- "waf": "Security"
+ "text": "Evaluate usage of billing models - PAYG vs PTU. Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version",
+ "waf": "Cost Optimization"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
+ "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate the quality of prompts and applications when switching between model versions",
+ "waf": "Operational Excellence"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3418db61-2712-4650-9bb4-7a393a080327",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
- "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "294798b1-578b-4219-a46c-eb5443513592",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)",
- "waf": "Security"
+ "text": "Evaluate your Azure AI Search results based on different search parameters",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2744293b-b628-4537-a551-19b08e8f5854",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "For AKS non-interactive logins use kubelogin (preview)",
- "waf": "Security"
+ "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
- "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "Disable AKS local accounts",
- "waf": "Security"
+ "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
- "service": "AKS",
- "severity": "Low",
- "text": "Configure if required Just-in-time cluster access",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e737897e-71ca-47da-acfa-962a1594946d",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Red team your GenAI applications",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
- "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
- "service": "AKS",
- "severity": "Low",
- "text": "Configure if required AAD conditional access for AKS",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
+ "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Provide end users with scoring options for LLM responses and track these scores. ",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
- "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
- "service": "AKS",
- "severity": "Low",
- "text": "If required for Windows AKS workloads configure gMSA ",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "OpenAI",
+ "severity": "High",
+ "text": "Consider Quota management practices. Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called",
+ "waf": "Cost Optimization"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
- "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
+ "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "For finer control consider using a managed Kubelet Identity",
- "waf": "Security"
+ "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
- "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
- "service": "AKS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store",
+ "service": "OpenAI",
 "severity": "Medium",
- "text": "If using AGIC, do not share an AppGW across clusters",
+ "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
- "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
- "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
- "service": "AKS",
- "severity": "High",
- "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest",
+ "service": "OpenAI",
+ "severity": "Medium",
+ "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments",
 "waf": "Reliability"
 },
 {
- "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", + "service": "OpenAI", "severity": "Medium", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "High", - "text": "Use the standard ALB (as opposed to the basic one)", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", + "service": "OpenAI", + "severity": "Medium", + "text": "Tune content filters to minimize false positives from overly aggressive filters", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + 
"checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415", + "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest", + "service": "OpenAI", "severity": "Medium", - "text": "If using Azure CNI, consider using different Subnets for NodePools", + "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "OpenAI", "severity": "Medium", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "High", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + 
"checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", + "service": "OpenAI", + "severity": "Medium", + "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "OpenAI", + "severity": "Medium", + "text": "Develop your cost model, considering prompt sizes. Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model", + "waf": "Cost Optimization" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1", + "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/", + "service": "OpenAI", + "severity": "Medium", + "text": "Consider model pricing and capabilities when you choose models. 
Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. Optimize costs while still achieving the desired application performance", + "waf": "Cost Optimization" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "Low", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "OpenAI", + "severity": "Medium", + "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image", + "waf": "Cost Optimization" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "OpenAI", + "severity": "Medium", + "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee", + "waf": "Cost Optimization" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "Low", - "text": "If required add your own CNI plugin", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "OpenAI", + "severity": "Medium", + "text": "Create concise prompts that provide enough context for the model to generate a useful response. 
Also ensure that you optimize the limit of the response length.", + "waf": "Cost Optimization" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "Low", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219", + "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep", + "service": "OpenAI", + "severity": "Medium", + "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5855", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai", + "service": "OpenAI", "severity": "Medium", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": 
"https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "Low", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "severity": "Medium", + "text": "Implement an error handling policy at the global level", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Medium", - "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", - "waf": "Reliability" + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", - "severity": "High", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", - "waf": "Security" + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "severity": "Medium", + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "Medium", - "text": "If using a public API endpoint, restrict the IP addresses that can access it", - "waf": "Security" + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "High", - "text": "Use private clusters if your requirements mandate it", - "waf": "Security" + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Medium", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", - "waf": "Security" + "text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "High", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", - "waf": "Security" + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "High", - "text": "Use Kubernetes network policies to increase intra-cluster security", + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "High", - "text": "Use a WAF for web workloads (UIs or 
APIs)", + "text": "Protect incoming requests to APIs (data plane) with Azure AD", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Medium", - "text": "Use DDoS Standard in the AKS Virtual Network", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand 
subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "Low", - "text": "If required add company HTTP Proxy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "Medium", + "text": "Create appropriate groups to control the visibility of the products", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "Medium", + "text": "Use Backends feature to eliminate redundant API backend configurations", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", + "severity": "Medium", + "text": "Use Named Values to store common values that can be used in policies", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "graph": "resources | where type == 
'microsoft.apimanagement/service' | extend compliant = ( sku.name == 'Premium' and isnotnull(properties.additionalLocations)) | distinct id, compliant", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "severity": "Medium", + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = ( sku.name == 'Premium' and isnotnull(zones) and sku.capacity >= 2 ) | distinct id, compliant", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "Medium", - "text": "Consider using a service mesh for advanced microservice communication management", - "waf": "Security" + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "severity": "High", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", - 
"waf": "Operations" + "text": "Ensure there is an automated backup routine", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "Low", - "text": "Check regularly Azure Advisor for recommendations on your cluster", - "waf": "Operations" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", + "severity": "Medium", + "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "severity": "Low", - "text": "Enable AKS auto-certificate rotation", + "text": "If you need to log at high performance levels, consider Event Hubs policy", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", - "severity": "High", - "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", - "waf": "Operations" + 
"arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", + "severity": "Medium", + "text": "Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "High", - "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", - "waf": "Operations" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "graph": "resources | where type == 'microsoft.apimanagement/service' | join kind = leftouter (resources | where type == 'microsoft.insights/autoscalesettings' | extend targetResourceUri = tostring(properties.targetResourceUri)) on $left.id == $right.targetResourceUri | extend compliant = (sku.name == 'Premium' and isnotempty(targetResourceUri) and properties1.enabled == true) | distinct id, compliant", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", + "severity": "Medium", + "text": "Configure autoscaling to scale out the number of instances when the load increases", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "High", - "text": "Have a regular process to upgrade 
the cluster node images periodically (weekly, for example)",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
+ "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use the premium tier for production workloads.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider using AKS command invoke on private clusters",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
+ "service": "APIM",
+ "severity": 
"Medium",
+ "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
- "severity": "Low",
- "text": "For planned events consider using Node Auto Drain",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Be aware of APIM's limits",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
- "link": "https://learn.microsoft.com/azure/aks/faq",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "graph": "resources | where type =~ 'microsoft.apimanagement/service' | extend compliant = (properties.platformVersion != 'stv1') | project id, compliant",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8ce",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/migrate-stv1-to-stv2",
+ "service": "APIM",
 "severity": "High",
- "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
- "waf": "Operations"
+ "text": "Upgrade the platform version and follow lifecyle. 
stv1 is retirng on 31 August 2024",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
- "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
- "severity": "Low",
- "text": "Use custom Node RG (aka 'Infra RG') name",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Ensure that the self-hosted gateway deployments are resilient.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
- "link": "https://kubernetes.io/docs/setup/release/notes/",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "7519e385-a88b-4d34-966b-6269d686e890",
+ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
- "waf": "Operations"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
- "severity": "Low",
- "text": "Taint Windows nodes",
- "waf": "Operations"
+ "text": "Use Azure Front Door in front of APIM for multi-region deployment",
+ "waf": 
"Performance"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
- "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
- "service": "AKS",
- "severity": "Low",
- "text": "Keep windows containers patch level in sync with host patch level",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (isnotnull(properties.virtualNetworkConfiguration)) | distinct id, compliant",
+ "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy the service within a Virtual Network (VNet)",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Via Diagnostic Settings at the cluster level",
- "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
- "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
- "service": "AKS",
- "severity": "Low",
- "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
+ "service": "APIM",
+ "severity": 
"Medium",
+ "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
- "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
- "service": "AKS",
- "severity": "Low",
- "text": "If required use nodePool snapshots",
- "waf": "Cost"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (properties.virtualNetworkType == 'None' and isnotnull(properties.privateEndpointConnections)) | distinct id, compliant",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
- "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider spot node pools for non time-sensitive workloads",
- "waf": "Operations"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (properties.virtualNetworkType == 'Internal') | distinct id, compliant",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Disable Public Network Access",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
- "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider AKS virtual node for quick bursting",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
+ "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Simplify management with PowerShell automation scripts",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
- "severity": "High",
- "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
+ "service": "APIM",
+ "severity": "Medium",
+ 
"text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
- "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
- "severity": "High",
- "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
+ "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Promote usage of Visual Studio Code APIM extension for faster API development",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
+ "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Monitor CPU and memory utilization of the nodes",
+ "text": "Implement DevOps and CI/CD in your workflow",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": 
"1a4835ac-9422-423e-ae80-b123081a5417",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "b6439493-426a-45f3-9697-cf65baee208d",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
+ "service": "APIM",
 "severity": "Medium",
- "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
- "waf": "Operations"
+ "text": "Secure APIs using client certificate authentication",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady",
- "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "2a67d143-1033-4c0a-8732-680896478f08",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Monitor OS disk queue depth in nodes",
- "waf": "Operations"
+ "text": "Secure backend services using client certificate authentication",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
+ "link": 
"https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
+ "service": "APIM",
 "severity": "Medium",
- "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
- "waf": "Operations"
+ "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
- "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
+ "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Subscribe to resource health notifications for your AKS cluster",
- "waf": "Operations"
+ "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
+ "service": "APIM",
 "severity": "High",
- "text": "Configure requests and limits in your pod specs",
- "waf": "Operations"
+ "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "769ef669-1a48-435a-a942-223ece80b123",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "f8af3d94-1d2b-4070-846f-849197524258",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (isnotnull(identity)) | distinct id, compliant",
+ "guid": "791abd8b-7706-4e31-9569-afefde724be3",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Enforce resource quotas for namespaces",
- "waf": "Operations"
+ "text": "Use managed identities to authenticate to other Azure resources whenever possible",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "AKS",
+ "arm-service": 
"Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
+ "service": "APIM",
 "severity": "High",
- "text": "Ensure your subscription has enough quota to scale out your nodepools",
- "waf": "Operations"
+ "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65",
- "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage zone-redundancy to ensure high availability in the event of zone-level failures. Use Premium V2/V3 or Isolated v2 tiers, which provide support for zone-redundant deployments and ensure minimal downtime during disasters.",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
+ "severity": "Low",
+ "text": "Implement a baseline highly available zone-redundant web application architecture. Ensure your Azure App Service is on Premium V2/V3 or Isolated v2 tiers for zone-redundant support.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Leverage staging slots for zero-downtime deployments and automated backups to ensure disaster recovery. 
Choose the appropriate tier (Standard or Premium) based on the number of slots and disaster recovery requirements.",
+ "graph": "resources | where type =~ 'microsoft.web/serverfarms' | extend compliant = (sku.tier == 'Premium' or sku.tier == 'Standard') | distinct id,compliant",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Use Premium and Standard tiers for staging slots and automated backups. Align your backup retention period with disaster recovery needs.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Availability Zones provide physical isolation across datacenters in a region, reducing downtime during outages. Verify your region supports Availability Zones and use Premium V2/V3 tiers for zone-redundant deployments.",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/azure/reliability/migrate-app-service",
+ "service": "App Services",
 "severity": "High",
- "text": "Configure Liveness and Readiness probes for all deployments",
- "waf": "Operations"
+ "text": "Leverage Availability Zones where regionally applicable (Premium V2/V3 tier required). 
Check region support for Availability Zones.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
- "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Enable health checks to detect unhealthy instances in real-time and automatically replace them to maintain high availability and application reliability.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.HealthCheckPath != '') | distinct id,compliant",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Use the Cluster Autoscaler",
- "waf": "Performance"
+ "text": "Implement health checks to monitor and detect issues with App Service instances. 
Health checks enable automatic instance replacement on failure.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Follow best practices for configuring backups and restores in Azure App Service and ASE to guarantee data availability and ensure recovery during disaster scenarios.",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/azure/app-service/manage-backup",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Refer to backup and restore best practices for Azure App Service and App Service Environments (ASE) to ensure data availability and recovery.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Ensure high availability by incorporating scaling, fault tolerance, monitoring, and zone redundancy into your App Service architecture. Leverage health checks and availability zones to maintain uptime.",
+ "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Implement Azure App Service reliability best practices, including auto-scaling, fault tolerance, health checks, and zone redundancy.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
- "guid": "831c2872-c693-4b39-a887-a561bada49bc",
- "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Prepare for disaster recovery by implementing region failover 
strategies. Utilize active-active and active-passive configurations, automated failover, and Infrastructure as Code (IaC) for seamless failover during outages.",
+ "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
+ "link": "https://learn.microsoft.com/azure/app-service/manage-disaster-recovery#recover-app-content-only",
+ "service": "App Services",
 "severity": "Low",
- "text": "Customize node configuration for AKS node pools",
- "waf": "Performance"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
- "severity": "Medium",
- "text": "Use the Horizontal Pod Autoscaler when required",
- "waf": "Performance"
+ "text": "Familiarize with App Service region failover, including active-active and active-passive configurations, automated failover, and IaC deployment.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity",
- "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
- "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Azure App Service offers built-in reliability features, including scaling, fault tolerance, and service-level agreements (SLAs). 
Leverage these features to maintain consistent performance during outages.",
+ "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-app-service",
+ "service": "App Services",
 "severity": "High",
- "text": "Consider an appropriate node size, not too large or too small",
- "waf": "Performance"
+ "text": "Familiarize with reliability support in Azure App Service, including scaling options, SLAs, and automated recovery mechanisms.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
- "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
- "service": "AKS",
- "severity": "Low",
- "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster",
- "waf": "Performance"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Enabling 'Always On' for Function Apps ensures that the app does not go idle, maintaining its availability and responsiveness at all times.",
+ "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
+ "link": "https://learn.microsoft.com/azure/azure-functions/dedicated-plan#always-on",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Ensure 'Always On' is enabled for Function Apps running on App Service plans to prevent idling and ensure continuous availability.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
- "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider subscribing to EventGrid Events for AKS automation",
- "waf": "Performance"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ 
"description": "Health checks monitor the health of App Service instances, enabling automatic replacement of unhealthy instances to maintain high availability.",
+ "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
+ "link": "https://learn.microsoft.com/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Monitor App Service instances using Health checks to detect unhealthy instances and automatically replace them.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
- "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
- "service": "AKS",
- "severity": "Low",
- "text": "For long running operation on an AKS cluster consider event termination",
- "waf": "Performance"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-overview",
+ "service": "App Services",
+ "severity": "Medium",
+ "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests, ensuring proactive detection of performance issues and downtime.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
- "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/app/availability-standard-tests",
+ "service": "App Services",
 "severity": "Low",
- "text": "If required consider using Azure Dedicated Hosts for AKS nodes",
- "waf": "Performance"
+ "text": 
"Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
- "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Azure Key Vault ensures secrets are encrypted, securely stored, and accessed only by authorized applications. It supports audit logging, and secret versioning, and reduces the risk of accidental exposure of sensitive information.",
+ "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
 "severity": "High",
- "text": "Use ephemeral OS disks",
- "waf": "Performance"
+ "text": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a secure, managed, and audited environment for storing secrets, and integrates seamlessly with App Service via App Service Key Vault References for enhanced security.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Managed Identity eliminates the need for hard-coded credentials by allowing App Service to authenticate to Azure Key Vault securely. This reduces the risk of credential exposure and simplifies secret management for enhanced security.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "text": "Use Managed Identity to securely connect to Azure Key Vault for accessing secrets, through App Service Key Vault References.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Storing TLS certificates in Azure Key Vault enhances security by providing centralized, secure management and automated renewal of 
certificates. This reduces the risk of manual handling errors and certificate expiration.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "High", + "text": "Use Azure Key Vault to securely store and manage TLS certificates for App Service.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "To minimize exposure and improve security, isolate systems processing sensitive data. Leverage separate App Service Plans or App Service Environments for isolation, and use different subscriptions or management groups to enforce stricter boundaries and governance.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "text": "Isolate systems that process sensitive information using separate App Service Plans, App Service Environments (ASE), and consider different subscriptions or management groups for enhanced security.", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Local disks on App Service are not encrypted and sensitive data should not be 
stored on those. (For example: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "text": "Do not store sensitive data on local disk", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use Microsoft Entra ID or B2C for secure user authentication and Single Sign-On (SSO) across applications. Integrate using the built-in App Service Authentication/Authorization feature for streamlined security and compliance with modern authentication protocols like OpenID Connect.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "OpenAI", - "severity": "High", - "text": "Follow Metaprompting guardrails for resonsible AI", - "waf": 
"Operational Excellence" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "OpenAI", - "severity": "High", - "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", - "waf": "Operational Excellence" + "text": "Use Microsoft Entra ID or B2C for secure authentication and Single Sign-On (SSO).", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ensure all code deployments to App Service originate from a controlled, secured environment, such as a well-managed DevOps pipeline. 
This practice mitigates the risk of deploying unauthorized or malicious code by enforcing version control, code verification, and secure hosting.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "High", - "text": "Enable monitoring for your AOAI instances", - "waf": "Operational Excellence" + "text": "Deploy code to App Service from a trusted and secure environment.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type == 'microsoft.insights/metricalerts' | extend compliant = (properties.targetResourceType =~ 'Microsoft.CognitiveServices/accounts') | project id, compliant", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM to enhance security by enforcing Microsoft Entra ID secured endpoints for deployment. 
This ensures that only authenticated users using Microsoft Entra ID credentials can access deployment services, including the SCM site.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "High", - "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", - "waf": "Operational Excellence" + "text": "Disable basic authentication for FTP/FTPS and WebDeploy/SCM.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Wherever possible, use Managed Identity to securely connect to Microsoft Entra ID-secured resources without storing credentials. 
If this is not feasible, store secrets in Azure Key Vault and access them using Managed Identity to maintain security and reduce the risk of credential exposure.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "severity": "High", - "text": "Monitor token usage to prevent service disruptions due to capacity", - "waf": "Operational Excellence" + "text": "Use Managed Identity to connect to Microsoft Entra ID secured resources.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "OpenAI", - "severity": "Medium", - "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", - "waf": "Operational Excellence" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "When using images stored in Azure Container Registry, pull these images using a Managed Identity to avoid storing credentials. 
This ensures secure access to container images and reduces the risk of credential exposure.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "High", + "text": "Pull container images from Azure Container Registry using a Managed Identity.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "OpenAI", - "severity": "Low", - "text": "Enable and configure Diagnostics for the Azure OpenAI Service. If not sufficient, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", - "waf": "Operational Excellence" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure diagnostic settings to send telemetry and security logs (including HTTP, platform, and audit logs) to Log Analytics. 
Centralized logging enhances monitoring, threat detection, and compliance reporting.", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", + "severity": "Medium", + "text": "Send App Service runtime and security logs to Log Analytics for centralized monitoring and alerting.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "OpenAI", - "severity": "High", - "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", - "waf": "Operational Excellence" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", + "severity": "Medium", + "text": "Send App Service activity logs to Log Analytics", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "OpenAI", - "severity": "High", - "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use regional VNet integration, Network Security Groups (NSGs), and User-Defined Routes (UDRs) to control outbound network access. Route traffic through a Network Virtual Appliance (NVA), such as Azure Firewall, and monitor firewall logs to ensure traffic is properly controlled and secure.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "Medium", + "text": "Control outbound network access for App Service using VNet integration, NSGs, UDRs, and firewalls.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "OpenAI", - "severity": "High", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", - "waf": "Operational Excellence" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Provide a stable outbound IP by using VNet integration with a NAT Gateway or Network Virtual Appliance (NVA) like Azure Firewall. This enables the receiving party to allow-list based on IP, if necessary. For communications with Azure services, use mechanisms like Service Endpoints or private endpoints to avoid relying on static IPs, ensuring secure and efficient connectivity.", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Low", + "text": "Ensure a stable IP for outbound communications by using VNet NAT Gateway or Azure Firewall.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Control inbound network access by configuring App Service Access Restrictions, Service Endpoints, or Private Endpoints. 
Ensure appropriate restrictions are set for both the web app and the SCM (deployment) site to limit unauthorized access and enhance security.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "High", - "text": "Evaluate usage of Provisioned throughput model ", - "waf": "Performance" + "text": "Control inbound network access using Access Restrictions, Service Endpoints, or Private Endpoints.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Protect App Service from malicious inbound traffic by deploying a Web Application Firewall (WAF) using Azure Application Gateway or Azure Front Door. 
Ensure WAF logs are monitored regularly to detect and respond to security threats.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "High", - "text": "Review and implement Azure AI content safety", - "waf": "Operational Excellence" + "text": "Use a Web Application Firewall (WAF) in front of App Service.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "To prevent the Web Application Firewall (WAF) from being bypassed, lock down access to App Service by using Access Restrictions, Service Endpoints, and Private Endpoints. 
This ensures that all traffic is routed through the WAF, providing a secure front layer of protection.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "High", - "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", - "waf": "Performance" + "text": "Ensure the WAF cannot be bypassed by securing access to App Service.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ensure that the minimum TLS policy is set to 1.2 or higher, with a preference for TLS 1.3, to enhance security through stronger encryption protocols. TLS 1.3 provides additional security improvements and faster handshake times, reducing vulnerabilities associated with older versions.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "Medium", - "text": "Improve latency of the system by limiting token sizes, streaming options for applications like chatbots or conversational interfaces. 
Streaming can enhance the perceived performance of Azure OpenAI applications by delivering responses to users in an incremental manner", - "waf": "Performance" + "text": "Set minimum TLS policy to 1.2 or higher, preferably 1.3, in App Service configuration.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "OpenAI", - "severity": "Medium", - "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", - "waf": "Performance" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure App Service to enforce HTTPS-only, automatically redirecting all HTTP traffic to HTTPS. 
Additionally, implement HTTP Strict Transport Security (HSTS) in your code or via a Web Application Firewall (WAF) to ensure browsers only access the site over HTTPS, enhancing security by preventing downgrade attacks.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "High", + "text": "Use HTTPS only and consider enabling HTTP Strict Transport Security (HSTS).", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Do not use wildcards (*) in your CORS configuration, as this permits unrestricted access from any origin, compromising security. Instead, explicitly specify trusted origins that are allowed to access the service, ensuring controlled access.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "severity": "High", - "text": "Benchmark token consumption requirements based on estimated demands from consumers. 
Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", - "waf": "Performance" + "text": "Avoid using wildcards for CORS; specify allowed origins explicitly.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "OpenAI", - "severity": "Medium", - "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", - "waf": "Performance" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Remote debugging should not be enabled in production as it opens additional ports, increasing the attack surface. 
Although App Service automatically turns off remote debugging after 48 hours, it is recommended to disable it manually in production to maintain a secure environment.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "High", + "text": "Turn off remote debugging in production environments.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "OpenAI", - "severity": "High", - "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", - "waf": "Performance" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", + "severity": "Medium", + "text": "Enable Defender for Cloud - Defender for App Service", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "Medium", - "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", - "waf": "Performance" + "text": "Enable DDOS Protection Standard on the WAF VNet", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "OpenAI", - "severity": "Low", - "text": "Deploy multiple OAI instances across regions", - "waf": "Reliability" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": 
"When using images stored in Azure Container Registry, ensure they are pulled over a virtual network by using a private endpoint and configuring the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'. This ensures secure communication between App Service and the registry, preventing exposure to the public internet.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", + "severity": "Medium", + "text": "Pull container images over a Virtual Network from Azure Container Registry.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "OpenAI", - "severity": "High", - "text": "Implement retry & healthchecks with Gateway pattern like APIM", - "waf": "Reliability" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Perform a penetration test on the web application in accordance with Azure's penetration testing rules of engagement. 
This helps identify vulnerabilities and security weaknesses that can be addressed before they are exploited.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", + "severity": "Medium", + "text": "Conduct a penetration test on the web application.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ensure that only trusted code, which has been validated and scanned for vulnerabilities, is deployed to production following DevSecOps practices. This minimizes the risk of introducing security vulnerabilities into the application environment.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "Medium", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", - "waf": "Reliability" + "text": "Deploy validated and vulnerability-scanned code.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "OpenAI", - "severity": "Medium", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", - "waf": "Operational Excellence" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ensure that the latest versions of supported platforms, 
programming languages, protocols, and frameworks are used. Regular updates mitigate the risk of security vulnerabilities and ensure compatibility with security patches.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "High", + "text": "Use up-to-date platforms, languages, protocols and frameworks", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Leverage Auto-Healing in Azure App Service to automatically restart instances or trigger custom actions based on pre-defined failure conditions like memory thresholds, HTTP errors, or specific event logs.", + "guid": "60b3a935-33e5-45c9-87c7-53882e395b46", + "link": "https://learn.microsoft.com/azure/app-service/overview-diagnostics", + "service": "App Services", "severity": "Medium", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", + "text": "Use Auto-Healing with custom rules to restart App Service instances automatically when failures occur.", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure Azure Monitor alerts based on Application Insights metrics for response times, failure rates, and overall availability. 
Alerts help detect issues proactively and reduce mean-time-to-recovery (MTTR).", + "guid": "e52e4514-02a7-4e81-a98e-88ce1b18e557", + "link": "https://learn.microsoft.com/azure/azure-monitor/app/alerts", + "service": "App Services", "severity": "Medium", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.", + "text": "Set up alerts for critical Application Insights metrics, such as response time and failure rates.", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type == 'microsoft.search/searchservices' | extend compliant = (sku.name != 'free' and properties.replicaCount >= 3) | project id, compliant", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use Azure Policy to enforce security, compliance, and governance configurations for App Service. 
Policies can ensure that critical settings such as TLS versions, backup configurations, and network restrictions are enforced across all App Service instances.", + "guid": "361e886f-ca40-4ead-a8e9-1379c642ae9c", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "App Services", "severity": "High", - "text": "Azure AI search service tiers should be choosen to have a SLA ", - "waf": "Reliability" + "text": "Apply Azure Policy to enforce compliance across App Service configurations.", + "waf": "Governance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Leverage Azure Cost Management to track and forecast App Service expenses. Set up alerts for budget thresholds to avoid overspending, and optimize costs based on resource utilization trends.", + "guid": "42eb48f0-28ff-497c-b2c0-a8fa1f989832", + "link": "https://learn.microsoft.com/azure/cost-management-billing/", + "service": "App Services", "severity": "Low", - "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", - "waf": "Security" + "text": "Monitor App Service costs using Azure Cost Management and create cost alerts.", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "OpenAI", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "If you have predictable and steady usage of App Service, 
purchasing Reserved Instances can significantly reduce long-term costs. Commit to one or three years for lower pricing compared to pay-as-you-go.", + "guid": "e489221b-487e-48a3-aaab-48e3d205ca12", + "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/", + "service": "App Services", + "severity": "Medium", + "text": "Purchase reserved instances for App Service plans to optimize long-term costs.", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "High", - "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "OpenAI", - "severity": "High", - "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", + "severity": "Medium", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": 
"Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "High", - "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "severity": "Medium", - "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/ai-onboarding", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", + "severity": "Medium", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "waf": "Security" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "High", - 
"text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "Medium", - "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", + "text": "Has an RBAC model been created for use within VMware vSphere", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "OpenAI", - "severity": "High", - "text": "Implement Prompt shields and groundedness detection using Content Safety ", - "waf": "Operational Excellence" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", + "severity": "Medium", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI 
Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "severity": "High", - "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "OpenAI", - "severity": "Medium", - "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "High", + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "severity": "High", - "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", - "waf": "Security" + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "High", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "Medium", - "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", - "waf": "Security" + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "Medium", - "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. 
Each instance can be controlled with its own specific set of RBAC policies", - "waf": "Security" + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "High", - "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material", - "waf": "Security" + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "severity": "High", - "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 
'microsoft.search/searchservices' | project id, compliant = (properties.privateEndpointConnections != '[]' and properties.publicNetworkAccess !~ 'enabled')", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "High", - "text": "Configure private endpoint for AI services to restrict service access within your network", + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "OpenAI", - "severity": "High", - "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", + "severity": "Medium", + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "severity": "High", - "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", + "text": "Limit use of CloudAdmin account to emergency access only", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "Medium", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost Optimization" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (isnotnull(identity))", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "OpenAI", - "severity": "High", - "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", + "text": "Create custom RBAC roles in vCenter to implement a 
least-privilege model inside vCenter", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "severity": "Medium", - "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "OpenAI", - "severity": "Medium", - "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. 
Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", + "severity": "High", + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "severity": "Medium", - "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "text": "Is East-West traffic filtering implemented within NSX-T", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (tags != '{}')", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "OpenAI", - "severity": "Low", - "text": "Azure AI Services are properly tagged for better management", - "waf": "Operational Excellence" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "OpenAI", - "severity": "Low", - "text": "Azure AI Service accounts 
follows organizational naming conventions", - "waf": "Operational Excellence" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "OpenAI", - "severity": "High", - "text": "Diagnostic logs in Azure AI services resources should be enabled", - "waf": "Operational Excellence" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type =~ 'Microsoft.CognitiveServices/accounts' or type == 'microsoft.search/searchservices' | project id, compliant = (properties.disableLocalAuth == true)", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "severity": "High", - "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "severity": "High", - "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "OpenAI", - "severity": "High", - "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", + "severity": "Medium", + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "OpenAI", - "severity": "High", - 
"text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", - "waf": "Cost Optimization" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "OpenAI", - "severity": "High", - "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", + "severity": "Medium", + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "OpenAI", - "severity": "High", - "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "arm-service": "Microsoft.AVS/privateClouds", 
+ "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", + "severity": "Medium", + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "OpenAI", - "severity": "High", - "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", - "waf": "Operational Excellence" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", + "severity": "Medium", + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "severity": "Medium", - "text": "Understand difference in cost of base models and fine tuned models and token step sizes", - "waf": "Cost Optimization" + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": 
"Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "OpenAI", - "severity": "High", - "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size", - "waf": "Cost Optimization" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "Low", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", - "severity": "Medium", - "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", - "waf": "Cost Optimization" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "Low", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": 
"AVS", "severity": "Medium", - "text": "Set a maximum limit on the number of tokens per model response (max_tokens and the number of completions to generate). Optimize the size to ensure it is large enough for a valid response", - "waf": "Cost Optimization" + "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "OpenAI", - "severity": "Medium", - "text": "Plan and manage AI Search Vector storage", - "waf": "Operational Excellence" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", + "severity": "High", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "OpenAI", - "severity": "Medium", - "text": "Ensure deployment of Azure OpenAI instances across your various environments, such as development, test, and production supporting lrarning & experimentation. 
Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operational Excellence" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", + "severity": "High", + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "severity": "High", - "text": "Evaluate usage of billing models - PAYG vs PTU. 
Start with PAYG and consider PTU when the usage is predictable in production since it offers dedicated memory and compute, reserved capacity, and consistent maximum latency for the specified model version", - "waf": "Cost Optimization" + "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "Medium", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operational Excellence" + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "Medium", - "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence and fluency", - "waf": "Operational Excellence" + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + 
"waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "Medium", - "text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operational Excellence" + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "OpenAI", - "severity": "Medium", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", - "waf": "Operational Excellence" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "Low", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "Medium", - "text": "Use prompt 
engineering techniques to improve the accuracy of LLM responses", - "waf": "Operational Excellence" + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", + "severity": "High", + "text": "Ensure all required resource reside within the same Azure availability zone(s)", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "Medium", - "text": "Red team your GenAI applications", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "severity": "Medium", - "text": "Provide end users with scoring options for LLM responses and track these scores. 
", - "waf": "Operational Excellence" + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "severity": "High", - "text": "Consider Quota management practices. Use dynamic quota for certain use cases when your application can use extra capacity opportunistically or the application itself is driving the rate at which the Azure OpenAI API is called", - "waf": "Cost Optimization" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "OpenAI", - "severity": "Medium", - "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", - "waf": "Operational Excellence" + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc411", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-studio#import-training-data-from-azure-blob-store", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", 
"severity": "Medium", - "text": "Follow the guidance for fine-tuning with large data files and import the data from an Azure blob store. Large files, 100 MB or larger, can become unstable when uploaded through multipart forms because the requests are atomic and can't be retried or resumed", - "waf": "Reliability" + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc412", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "severity": "Medium", - "text": "Manage rate limits for your model deployments and monitor usage of tokens per minute (TPM) and requests per minute (RPM) for pay-as-you-go deployments", - "waf": "Reliability" + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc413", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "severity": "Medium", - "text": "Monitor provision-managed utilization if you're using the provisioned throughput payment model", - "waf": "Reliability" + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "waf": "Security" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc414", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/content-filters", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "severity": "Medium", - "text": "Tune content filters to minimize false positives from overly aggressive filters", - "waf": "Reliability" + "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc415", - "link": "https://learn.microsoft.com/azure/ai-services/openai/encrypt-data-at-rest", - "service": "OpenAI", - "severity": "Medium", - "text": "Use customer-managed keys for fine-tuned models and training data that's uploaded to Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", + "severity": "High", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "graph": "resources | where type == 'microsoft.cognitiveservices/accounts' and kind =~ 'contentsafety' | project id, compliant = 1", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc416", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "OpenAI", - "severity": "Medium", - "text": "Implement jailbreak risk detection to safeguard your language model deployments against prompt injection attacks", + "arm-service": "Microsoft.AVS/privateClouds", + 
"checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", + "severity": "High", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc417", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitor-openai", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "Medium", - "text": "Use security controls like throttling, service isolation and gateway pattern to prevent attacks that might exhaust model usage quotas", + "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a9", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", - "severity": "Medium", - "text": "Develop your cost model, considering prompt sizes. 
Understanding prompt input and response sizes and how text translates into tokens helps you create a viable cost model", - "waf": "Cost Optimization" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", + "severity": "High", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a1", - "link": "https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/", - "service": "OpenAI", - "severity": "Medium", - "text": "Consider model pricing and capabilities when you choose models. Start with less-costly models for less-complex tasks like text generation or completion tasks and for complex tasks like language translation or content understanding, consider using more advanced models. 
Optimize costs while still achieving the desired application performance", - "waf": "Cost Optimization" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", + "severity": "High", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", - "severity": "Medium", - "text": "Maximize Azure OpenAI price breakpoints like fine-tuning and model breakpoints like image generation to your advantage. Fine-tuning is charged per hour, use as much time as you have available per hour to improve results without slipping into the next billing period. 
The cost for generating 100 images is the same as the cost for 1 image", - "waf": "Cost Optimization" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "severity": "High", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a3", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", - "severity": "Medium", - "text": "Remove unused fine-tuned models when they're no longer being consumed to avoid incurring an ongoing hosting fee", - "waf": "Cost Optimization" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend 
category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", + "severity": "High", + "text": "Ensure alerts are configured for Azure Service Health alerts and 
notifications", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8g", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "Medium", - "text": "Create concise prompts that provide enough context for the model to generate a useful response. Also ensure that you optimize the limit of the response length.", - "waf": "Cost Optimization" + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec219", - "link": "https://learn.microsoft.com/azure/ai-services/create-account-bicep", - "service": "OpenAI", - "severity": "Medium", - "text": "Use infrastructure as code (IaC) to deploy Azure OpenAI, model deployments, and other infrastructure required for fine-tuning models", - "waf": "Operational Excellence" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "Low", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5855", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/openai", - "service": "OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware 
Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", + "severity": "High", + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "severity": "Medium", - "text": "Consider using dedicated model deployments per consumer group to provide per-model usage isolation that can help prevent noisy neighbors between your consumer groups", - "waf": "Operational Excellence" + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "severity": "Medium", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", - "text": "To share data, explore Leader-follower cluster configuration", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", + "severity": "Medium", + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "Medium", + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical applications, create Active-Active configuration in two paired regions", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", + "severity": "Medium", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "Medium", + "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", + "severity": "Medium", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Wrap DevOps and source control around all your code", - 
"training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", + "severity": "High", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", + "severity": "Medium", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "High", + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "severity": "Medium", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "High", - "text": "Use zone redundant pipelines in regions that support Availability Zones", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "Medium", + "text": "Have all Backup solutions been considered and a solution that is best 
for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "severity": "Medium", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "text": "Deploy your backup solution outside of vSan, on Azure native components", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. 
You have to make a copy of your Vnet in another region", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "Low", + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", - "waf": "Reliability" + "text": "For manual deployments, all configuration and deployments must be documented", + "waf": "Operations" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", - "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "Low", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "waf": "Operations" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", - "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", + "waf": "Operations" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", - "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "waf": "Operations" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", - "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. 
Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Low", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", + "waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", "service": "AVS", - "severity": "High", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "waf": "Security" + "severity": "Low", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", "service": "AVS", - "severity": "Medium", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", - "waf": "Security" + "severity": "Low", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", "service": "AVS", - "severity": 
"High", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "waf": "Security" + "severity": "Low", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", + "waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "Low", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "severity": "Medium", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", "service": "AVS", "severity": "Medium", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", - "waf": "Security" + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", "service": "AVS", "severity": "Medium", - "text": "CloudAdmin account in vCenter IdP is used only 
as an emergency account (break-glass)", - "waf": "Security" + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", "service": "AVS", - "severity": "High", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", - "waf": "Security" + "severity": "Medium", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", "service": "AVS", "severity": "Medium", - "text": "Has an RBAC model been created for use within VMware vSphere", - "waf": "Security" + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "waf": "Performance" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", "service": "AVS", "severity": "Medium", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", - "waf": "Security" + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "AVS", "severity": "High", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", - "waf": "Security" + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "AVS", "severity": "High", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", - "waf": "Security" + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", "service": "AVS", - "severity": "High", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "severity": "Medium", + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", "waf": "Performance" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "guid": 
"e614658d-d457-4e92-9139-b821102cad6e", "service": "AVS", - "severity": "High", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", - "waf": "Operations" + "severity": "Medium", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", + "waf": "Performance" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", "service": "AVS", "severity": "Medium", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "waf": "Operations" + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "AVS", "severity": "Medium", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "waf": "Operations" + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "AVS", - "severity": "High", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", - "waf": "Operations" + "severity": "Medium", + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", "service": "AVS", - "severity": "High", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "waf": "Security" + "severity": "Medium", + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", "service": "AVS", "severity": "High", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", - "waf": "Security" + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": 
"78c447a8-26b2-4863-af0f-1cac599ef1d5", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "AVS", - "severity": "Medium", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", "service": "AVS", "severity": "High", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", "service": "AVS", - "severity": "Medium", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" }, { "arm-service": "Microsoft.AVS/privateClouds", "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "guid": 
"dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "service": "AVS", - "severity": "Medium", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" + "severity": "High", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "High", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "waf": "Security" + "text": "Select the right Function hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId = tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 
'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", + "service": "Azure Functions", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "Medium", - "text": "Is East-West traffic filtering implemented within NSX-T", - "waf": "Security" + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "High", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Security" + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", + "service": "Azure Functions", "severity": "High", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "waf": "Security" + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", + "severity": "Medium", + "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "severity": "Medium", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "severity": "Medium", + "text": "Follow reliability support recommendations in Azure Bot Service", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "severity": "Medium", + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "Medium", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. 
For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "Medium", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "Medium", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| 
mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "Medium", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "severity": "Medium", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" + "text": "Use more than 1 app instance for your apps", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "Medium", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", - "waf": "Security" + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "Medium", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "waf": "Security" + "text": "Set up autoscaling in Spring Cloud Gateway", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", "severity": "Low", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", - "waf": "Security" + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "Low", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "waf": "Security" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", + "severity": "Medium", + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Storage", "severity": "Medium", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "text": "Consider the 'Azure security baseline for storage'", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", 
+ "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ('Succeeded') or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled') | extend compliant = (isnotnull(properties.privateEndpointConnections) and properties.privateEndpointConnections[0].properties.provisioningState == 'Succeeded' and properties.publicNetworkAccess == 'Disabled') | distinct id, compliant", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Storage", "severity": "High", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", - "waf": "Reliability" + "text": "Consider using private endpoints for Azure Storage", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "High", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "waf": "Reliability" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Storage", + "severity": "Medium", + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | project storageAccountId = id | join kind=leftouter (resourceContainers | where type == 'microsoft.security/pricings' | where name == 'StorageAccounts' | project resourceId = id, pricingTier = properties.pricingTier) on $left.storageAccountId == $right.resourceId | where isnull(pricingTier) or pricingTier != 'Standard' | extend compliant = false | distinct storageAccountId, compliant", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Storage", "severity": "High", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "waf": "Reliability" + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", 
+ "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Storage", "severity": "Medium", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "text": "Enable 'soft delete' for blobs", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Storage", "severity": "Medium", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "text": "Disable 'soft delete' for blobs", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Storage", + "severity": "High", + "text": "Enable 'soft delete' for containers", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Storage", "severity": "Medium", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", - "waf": "Cost" + "text": "Disable 'soft delete' for containers", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "Low", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "waf": "Cost" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Storage", + "severity": "High", + "text": "Enable resource locks on storage accounts", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", - "severity": "Medium", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Storage", + "severity": "High", + "text": "Consider immutable blobs", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (properties.supportsHttpsTrafficOnly == false) | distinct id, compliant", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "High", + "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Storage", "severity": "High", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", - "severity": "Medium", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Storage", "severity": "Medium", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design 
Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": ". Enforcing the latest TLS version will reject request from clients using the older version. ", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (isnull(properties.minimumTlsVersion) == false and properties.minimumTlsVersion in ('TLS1_2', 'TLS1_3')) | distinct id, compliant", + "guid": "e12be569-a18f-4562-8d5d-ce151b9e7d55", + "link": "https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version", + "service": "Storage", "severity": "High", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "Operations" + "text": "Enforce the latest TLS version for a storage account", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", - "severity": "Medium", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Microsoft Entra ID tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Storage", + "severity": "High", + "text": "Use Microsoft Entra ID tokens for blob access", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": 
"When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Storage", "severity": "Medium", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "waf": "Operations" + "text": "Least privilege in IaM permissions", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", - "severity": "Medium", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Storage", + "severity": "High", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", - "severity": "Medium", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on Entra ID authentication makes it easier to tie storage access to a user. 
", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend allowSharedKeyAccess = tostring(properties.allowSharedKeyAccess) | extend compliant = (isnotempty(allowSharedKeyAccess) and allowSharedKeyAccess == 'false') | distinct id, compliant", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Storage", + "severity": "High", + "text": "Consider disabling storage account keys, so that only Microsoft Entra ID access (and user delegation SAS) is supported.", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Storage", "severity": "High", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "High", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Storage", + "severity": "Medium", + "text": "When using storage account keys, consider enabling a 'key expiration policy'", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Storage", "severity": "Medium", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "text": "Consider configuring an SAS expiration policy", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "High", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Storage", + "severity": "Medium", + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "High", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Storage", + "severity": "Medium", + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| 
extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Storage", "severity": "High", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "waf": "Operations" + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | 
extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. 
In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Storage", "severity": "High", - "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", - "waf": "Operations" + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Storage", "severity": "Medium", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", - "waf": "Operations" + "text": "Apply a narrow scope to a SAS", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "Low", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Storage", + "severity": "Medium", + "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "High", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Storage", + "severity": "Low", + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", - "severity": "Medium", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Storage", + "severity": "High", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Storage", "severity": "Medium", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", - "waf": "Operations" + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Storage", + "severity": "High", + "text": "Avoid overly broad CORS policies", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Storage", + "severity": "High", + "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Storage", "severity": "Medium", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", - "waf": "Operations" + "text": "Determine which/if platform encryption should be used.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Storage", "severity": "Medium", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "waf": "Operations" + "text": "Determine which/if client-side encryption should be used.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + 
"description": "Anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing anonymous access helps to prevent data breaches caused by undesired anonymous access.", + "graph": "resources | where type == 'microsoft.storage/storageaccounts' | extend compliant = (properties.allowBlobPublicAccess == 'false') | distinct id, compliant", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Storage", + "severity": "High", + "text": "Consider whether public blob anonymous access is needed, or whether it can be disabled for certain storage accounts. ", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", - "severity": "Medium", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Storage", + "severity": "High", + "text": "Leverage a storagev2 account type for better performance and reliability", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", - "severity": "Medium", - "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "graph": "resources | where type =~ 'Microsoft.Storage/StorageAccounts' | extend compliant = (sku.name != 'Standard_LRS' and sku.name != 'Premium_LRS') | distinct id, compliant", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Storage", + "severity": "High", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Storage", "severity": "Medium", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "text": "For write operation after failover, use customer-Managed Failover ", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", - "severity": "High", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Storage", + "severity": "Medium", + "text": "Understand Microsoft-Managed Failover details", "waf": "Reliability" }, { - 
"arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Storage", "severity": "Medium", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "text": "Enable Soft Delete", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "High", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "text": "Enable 2 replicas to have 99.9% availability for read operations", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "Medium", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", 
+ "text": "Enable 3 replicas to have 99.9% availability for read/write operations", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "High", + "text": "Leverage Availability Zones by enabling read and/or write replicas", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Medium", - "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "Medium", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "Medium", - "text": "Deploy your backup solution outside of vSan, on Azure native components", + "text": "Use Azure Traffic Manager to coordinate requests", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "Low", - "text": "Is a process in place to request a restore of the VMware components managed by the 
Azure Platform?", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "High", + "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Low", - "text": "For manual deployments, all configuration and deployments must be documented", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", + "service": "Cognitive Services", + "severity": "Medium", + "text": "Leverage FTA HandBook for Cognitive Services", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Low", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Cognitive Services", + "severity": "Medium", + "text": "Backup Your 
Prompts", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Low", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Cognitive Services", + "severity": "High", + "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "Low", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", + "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", + "service": "Cognitive Services", + "severity": "Medium", + "text": "Backup Your ChatGPT conversations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "Low", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": 
"07ca5f17-f154-4e3a-a369-2829e7e31618", + "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", + "service": "Cognitive Services", + "severity": "Medium", + "text": "CI/CD for custom speech", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", "severity": "Low", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + "text": "Move a knowledge base using export-import", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "Low", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "query": "resources | where type =~ 'Microsoft.App/managedEnvironments' | project name, resourceGroup, location, zoneRedundancy = tolower(tostring(properties.zoneRedundant)) | extend Compliance = iff(zoneRedundancy == 'true', true, false)", + "service": "Container Apps", + "severity": "High", + "text": "Leverage 
Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Low", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "query": "resources | where type =~ 'Microsoft.App/containerApps' | project name, resourceGroup, location, minReplicas = toint(properties.template.scale.minReplicas), maxReplicas = toint(properties.template.scale.maxReplicas) | extend Compliance = iff(minReplicas >= 1, true, false)", + "service": "Container Apps", + "severity": "High", + "text": "Use more than one replica and enable Zone Redundancy.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Low", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "waf": "Operations" + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", + "severity": "High", + "text": "For cross-region DR, 
deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "Medium", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "waf": "Performance" + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", + "severity": "High", + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "severity": "Medium", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "waf": "Performance" + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", - "severity": "Medium", - "text": "Scaling operations always need to be serialized within a single SDDC as only one 
scale operation can be performed at a time (even when multiple clusters are used)", - "waf": "Performance" + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", + "severity": "High", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "severity": "Medium", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "Performance" + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "severity": "Medium", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "Performance" + "text": "Leverage 
Multi-Region Writes", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "severity": "Medium", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "High", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "text": "Distribute your data globally", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": 
"https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "severity": "High", - "text": "When using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "Choose from several well-defined consistency models", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", - "severity": "Medium", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. 
By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", "severity": "Medium", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "text": "Enable Service managed failover", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "severity": "Medium", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "This mode is the default backup mode for all 
existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", "severity": "Medium", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", "severity": "Medium", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Monitor", "severity": "Medium", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", - "waf": "Reliability" + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the 
vendor", - "waf": "Reliability" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Backup", + "severity": "Medium", + "text": "check backup instances with the underlying datasource not found", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "severity": "Medium", + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Backup", + "severity": "Medium", + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Monitor", + "severity": "Medium", + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Monitor", + "severity": "Medium", + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend SkuName = tostring(sku.name) | extend EncryptionEnabled = iif(isnotempty(properties.encryption.keySource), 'Enabled', 'Disabled') | extend compliant = iif(EncryptionEnabled == 'Enabled', true, false) | project name, resourceGroup, location, SkuName, EncryptionEnabled, compliant | where SkuName == 'Premium'", - "service": "Event Hubs", - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "severity": "Medium", + "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend MinimumTlsVersion = tostring(properties.minimumTlsVersion) | extend compliant = iif(MinimumTlsVersion == '1.2' or MinimumTlsVersion == '1.3', true, false) | project name, resourceGroup, location, MinimumTlsVersion, compliant", - "service": "Event Hubs", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "text": "Make sure advisor is configured for VM right sizing ", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "check by searching the Meter Category Licenses in the Cost analysys", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "severity": "Medium", + "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure 
Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", "severity": "Medium", - "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", "severity": "Medium", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", "severity": "Medium", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "text": "Only larger disks can be reserved => 1 TiB -", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", "severity": "Medium", - "text": "Leverage FTA Resillency HandBook", - "waf": "Reliability" + "text": "After the right-sizing optimization", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend zoneRedundant = tobool(properties.zoneRedundant) | extend compliant = iff(zoneRedundant == true, true, false) | project name, resourceGroup, zoneRedundant, compliant", - "service": "Event Hubs", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "SQL", + "severity": "Medium", + "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend sku = tostring(sku.name) | extend compliant = iff(sku == 'Premium', true, false) | project name, resourceGroup, location, sku, compliant", - "service": "Event Hubs", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", "severity": "Medium", - "text": "Use the Premium or Dedicated SKUs for 
predicable performance", - "waf": "Reliability" + "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "High", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "severity": "Medium", + "text": "Consider using a VMSS to match demand rather than flat sizing", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", "severity": "Medium", - "text": "For Business Critical Applications, use Active Active configuration", - "waf": "Reliability" + "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", + "waf": "Cost" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Backup", "severity": "Medium", - "text": "Design Resilient Event Hubs", - "waf": "Reliability" + "text": "Move recovery points to vault-archive where applicable (Validate)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", + 
"arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", "severity": "Medium", - "text": "Leverage FTA HandBook for Cognitive Services", - "waf": "Reliability" + "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Functions", "severity": "Medium", - "text": "Backup Your Prompts", - "waf": "Reliability" + "text": "Functions - Reuse connections", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", - "severity": "High", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", - "waf": "Reliability" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": 
"27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Functions", + "severity": "Medium", + "text": "Functions - Cache data locally", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Functions", "severity": "Medium", - "text": "Backup Your ChatGPT conversations", - "waf": "Reliability" + "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - "service": "Cognitive Services", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Functions", "severity": "Medium", - "text": "CI/CD for custom speech", - "waf": "Reliability" + "text": "Functions - Keep your functions warm", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "3687a046-7a1f-4893-9bda-43324f248116", - "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", - "severity": "Low", - "text": "Move a knowledge base using export-import", - "waf": "Reliability" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Functions", + "severity": "Medium", + "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate 
consumption plan (and consider higher plan for CPU)", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant", - "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", - "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Functions", "severity": "Medium", - "text": "Use Standard SKU for production scenarios.", - "waf": "Reliability" + "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant", - "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Functions", "severity": "Medium", - "text": "Use durability level Silver (5 VMs) or greater for production scenarios", - "waf": "Reliability" + "text": 
"Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant", - "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones", - "service": "Azure Service Fabric", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", "severity": "Medium", - "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.", - "waf": "Reliability" + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview", - "service": "Azure Service Fabric", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "severity": "Medium", - "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.", - "waf": "Reliability" + "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "severity": "Medium", - "text": "For stateful workload scenarios, consider using Reliable Services. 
The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. For stateful services, your state is preserved even in the presence of network or other failures.", - "waf": "Reliability" + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id", - "guid": "4da21268-f775-4c89-a271-eb80543c8df7", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", "severity": "Medium", - "text": "Avoid VM SKUs with temp disk offerings. Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.", + "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing", "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", "severity": "Medium", - "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.", + "text": "Consider using standard SSD rather than Premium or Ultra where possible", "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "severity": "Medium", - "text": "Align SKU selection and managed disk size with workload requirements. 
Matching your selection to your workload demands ensures you don't pay for unneeded resources.", + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "6028759b-446a-41bc-8b0e-7728e61ca704", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "severity": "Medium", - "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).", - "waf": "Security" + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))", - "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets", - "service": "Azure Service Fabric", + 
"arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "severity": "Medium", - "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked.", - "waf": "Security" + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "001cbb6f-d88d-4431-8434-d01333397776", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", "severity": "Medium", - "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. 
Using an ACL provides an additional level of authentication.", - "waf": "Security" + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "severity": "Medium", - "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", - "waf": "Security" + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", - "link": "", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", "severity": "Medium", - "text": "Encrypt Service Fabric package secret values. 
Encryption on your secret values provides an additional level of security.", - "waf": "Security" + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", - "link": "", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", "severity": "Medium", - "text": "Include client certificates in Service Fabric applications. Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", - "waf": "Security" + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", - "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", "severity": "Medium", - "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. 
Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", - "waf": "Security" + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" }, { - "checklist": "Azure Service Fabric Review Checklist", - "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", - "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", - "service": "Azure Service Fabric", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", "severity": "Medium", - "text": "Follow Service Fabric best practices when hosting untrusted applications. 
Following the best practices provides a security standard to follow.", - "waf": "Security" + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", - "waf": "Reliability" + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", "severity": "Medium", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", - "waf": "Reliability" + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "severity": "Medium", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means 
that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" + "text": "Right-sizing all VMs", + "waf": "Cost" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", "severity": "Medium", - "text": "Use more than 1 app instance for your apps", - "waf": "Reliability" + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", - "waf": "Reliability" + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "65285269-440c-44be-9d3e-0844276d4bdc", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", + "service": "Data Factory", + "severity": "High", + "text": "Reference Databricks HA/DR playbook", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd", + "link": "https://github.com/databrickslabs/databricks-sync", + "service": 
"Data Factory", "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "text": "Use Databricks Sync", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", + "link": "https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes", + "service": "Data Factory", "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", + "text": "Backup your workspace configuration including ARM templates and secret scopes", "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", - "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757", + "service": "Data Factory", + "severity": "Medium", + "text": "Share metaData across different Databricks workspaces using Hive external metastore", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "769e3969-0e78-428a-a936-657d03b0f466", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581", + "service": "Data Factory", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "text": "Plan Disaster Recovery strategy in Databricks using the Hive External Metastore", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b", + "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html", + "service": "Data Factory", "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "text": "Backup your data with deep and shallow clones", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. 
We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.", - "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", - "service": "Service Bus", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "description": "Download the blob using the secondary endpoint in RAGRS storage account", + "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559", + "link": "https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750", + "service": "Data Factory", "severity": "Medium", - "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "text": "Backup your data to Azure Storage RA-GRS", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a", + "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd", + "service": "Data Factory", "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" - }, - { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", - "severity": "Medium", - "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "text": "Backup your code with DevOps", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", - "severity": "Medium", - "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a", + "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery", + "service": "Data Factory", + "severity": "High", + "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ServiceBus/namespaces", - "checklist": "Service Bus Review Checklist", - "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "DataBricks Review Checklist", + "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace", + "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc", + "link": "https://github.com/databrickslabs/migrate", + "service": "Data Factory", "severity": "Medium", - "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "text": "Use Databricks Migration tools", + "waf": "Reliability" }, { "arm-service": "Microsoft.Synapse/workspaces", 
@@ -8911,500 +8958,389 @@ "waf": "Security" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "severity": "Medium", - "text": "Leverage Flexible Server", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR scenarios", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", - 
"severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", - "severity": "Medium", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", - "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 
24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", - "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "Medium", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/application-gateway/tutorial-protect-application-gateway-ddos", - "service": "App Gateway", - "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" - }, - { - 
"arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "severity": "Medium", - "text": "Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "severity": "Medium", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", - "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "severity": "High", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "Low", - "text": "If users only need access to internal applications, has Microsoft Entra 
ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Security" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "Medium", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": 
"97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", "severity": "High", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", "severity": "High", - "text": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots.", - "waf": "Security" + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Device Update for IoT Hub", "severity": "High", - "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", - "waf": "Security" + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "Device Update Review", + "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + 
"service": "Device Update for IoT Hub", "severity": "High", - "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", - "waf": "Security" + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['mode'] =~ 'Prevention')| where properties['policySettings']['mode'] =~ 'Prevention' | distinct id, name, compliant", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", - "service": "App Gateway", - "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend SkuName = tostring(sku.name) | extend EncryptionEnabled = iif(isnotempty(properties.encryption.keySource), 'Enabled', 'Disabled') | extend compliant = iif(EncryptionEnabled == 'Enabled', true, false) | project name, resourceGroup, location, SkuName, EncryptionEnabled, compliant | where SkuName == 'Premium'", + "service": "Event Hubs", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend MinimumTlsVersion = tostring(properties.minimumTlsVersion) | extend compliant = iif(MinimumTlsVersion == '1.2' or MinimumTlsVersion == '1.3', true, false) | project name, resourceGroup, location, MinimumTlsVersion, compliant", + "service": "Event Hubs", "severity": "Medium", - "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", - "severity": "Medium", - "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" + "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "Medium", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in 
CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "Medium", - "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "Medium", - "text": "Use WAF Policies instead of the legacy WAF configuration.", - "waf": "Operations" + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend zoneRedundant = tobool(properties.zoneRedundant) | extend compliant = iff(zoneRedundant == true, true, false) | project name, resourceGroup, zoneRedundant, compliant", + "service": "Event Hubs", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "query": "resources | where type =~ 'Microsoft.EventHub/namespaces' | extend sku = tostring(sku.name) | extend compliant = iff(sku == 'Premium', true, false) | project name, resourceGroup, location, sku, compliant", + "service": "Event Hubs", "severity": "Medium", - "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", - "waf": "Security" + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "arm-service": 
"microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "High", - "text": "You should encrypt traffic to the backend servers.", - "waf": "Security" + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", - "severity": "High", - "text": "You should use a Web Application Firewall.", - "waf": "Security" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "Medium", + "text": "For Business Critical Applications, use Active Active configuration", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "Medium", - "text": "Redirect HTTP to HTTPS", - "waf": "Security" + "text": "Design Resilient Event Hubs", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "Medium", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "waf": "Reliability" }, { - "arm-service": 
"microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", - "severity": "High", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", - "waf": "Security" + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", + "severity": "Medium", + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + "severity": "Medium", + "text": "Custom brand assets should be hosted on a CDN", + "waf": "Performance" + }, + { + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "severity": "Low", - "text": "Create custom error pages to display a personalized user experience", - "waf": "Operations" + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook 
accounts)", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medium", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", - "waf": "Security" + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medium", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": "Performance" + "text": "Don't replicate! 
Replication can create issues with directory synchronization", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medium", - "text": "Use transport layer load balancing", - "waf": "Performance" + "text": "Have active-active for multi-regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Medium", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", - "waf": "Security" + "text": "Add Azure AD Domain service stamps to additional regions and locations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": 
"https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Medium", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", - "waf": "Security" + "text": "Use Replica Sets for DR", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "Low", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", - "waf": "Security" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "Medium", + "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "text": "Learn how to trigger a manual failover.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - 
"service": "IoT Hub DPS", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "text": "Learn how to fail back after a failover.", "waf": "Reliability" }, - { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", - "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", - "waf": "Operations" - }, { "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Key Vault", 
@@ -9517,2739 +9453,2803 @@ "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "High", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" + 
}, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Medium", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", - "training": "https://learn.microsoft.com/training/modules/deploy-resources-scopes-bicep/2-understand-deployment-scopes", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", + "severity": "Medium", + "text": "Leverage Flexible Server", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", + "severity": "Medium", + "text": 
"Leverage Data-in replication for cross-region DR scenarios", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "Medium", + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = 
tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "Medium", + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/application-gateway/tutorial-protect-application-gateway-ddos", + "service": "App Gateway", + "severity": "Medium", + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", + "severity": "Medium", + "text": "Configure autoscaling with a minimum amount of instances of two.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/applicationGateways", + 
"checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", + "severity": "Medium", + "text": "Deploy Application Gateway across Availability Zones", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", + "severity": "Medium", + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "High", + "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "Low", - "text": "Use Multi-Tenant Automation approach to managing your Microsoft Entra ID Tenants.", - "training": "https://learn.microsoft.com/entra/architecture/multi-tenant-user-management-introduction/", - "waf": "Operations" + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Security" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Medium", + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to 
internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" + }, + { + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "High", + "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", + "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "severity": "High", - "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "Operations" + "text": "Enable the Azure 
Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots.", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['requestBodyCheck'] == 'true' and properties['policySettings']['state'] =~ 'Enabled') | distinct id, name, compliant", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "severity": "High", - "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", - "training": "https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer", - "waf": "Cost" + "text": "Ensure if request body inspection feature is enabled in Azure Application Gateway WAF policy.", + "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", "severity": "High", - "text": "Enforce a RBAC model that aligns to your cloud operating model. 
Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "Medium", - "text": "Only use the authentication type Work or school account for all account types. Avoid using the Microsoft account", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | extend compliant = (properties['policySettings']['mode'] =~ 'Prevention')| where properties['policySettings']['mode'] =~ 'Prevention' | distinct id, name, compliant", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview?source=recommendations", + "service": "App Gateway", + "severity": "High", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "High", - "text": "Enforce Microsoft Entra ID Conditional Access policies for any user with rights to Azure environments.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "Medium", + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - "severity": "High", - "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", - "training": "https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "Medium", - "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "Medium", - "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)", - "guid": "0dd4e625-9c4b-4a56-b54a-4357bac12761", - "link": "https://learn.microsoft.com/entra/identity/domain-services/overview", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "severity": "Medium", - "text": "When using Microsoft Entra Domain Services use replica sets. 
Replica sets will improve the resiliency of your managed domain and allow you to deploy to additional regions. ", - "training": "https://learn.microsoft.com/training/modules/understand-azure-active-directory/6-examine-azure-domain-services", - "waf": "Reliability" + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "Medium", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "training": "https://learn.microsoft.com/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs", + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", + "severity": "Medium", + "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", + "severity": "Medium", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Security" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways'| extend compliant = (properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443') |where properties['backendHttpSettingsCollection'][0]['properties']['port'] =~ '443'|distinct id,name,compliant", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "High", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout. MFA will be turned on by default for all users in Oct 2024. 
We recommend updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. ", - "training": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies", + "text": "You should encrypt traffic to the backend servers.", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "High", + "text": "You should use a Web Application Firewall.", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "Redirect HTTP to HTTPS", "waf": "Security" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": 
"https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "Medium", - "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "High", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "Low", + "text": "Create custom error pages to display a personalized user experience", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": 
"https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "Medium", - "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7bc1c396-2461-4698-b57f-30ca69525252", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions", - "service": "VNet", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Deploy your Azure landing zone connectivity resources in multiple regions, so that you can quickly support multi-region application landing zones and disaster recovery scenarios.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Reliability" + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", - "severity": "High", - "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in 
the central-hub virtual network. If necessary, also deploy DNS services.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", - "waf": "Cost" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Use transport layer load balancing", + "waf": "Performance" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", "severity": "Medium", - "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", - "waf": "Reliability" + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "Low", - "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "arm-service": 
"microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", + "severity": "Medium", + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "severity": "Low", - "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-route-server/", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", "severity": "Medium", - "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "Performance" + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", - "severity": "Medium", - "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operations" + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = 
count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "severity": "Medium", - "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "Leverage cross-region read replicas for BCDR", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", + "service": "Purview", "severity": "Medium", - "text": "Limit the number of 
routes per route table to 400.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "Leverage FTA Resillency Handbook", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "High", - "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/", + "text": "Plan for Data Center level outage", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | where tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id), PrivateIPZones = feIPconfigs.zones, PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PrivateSubnetId) | where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2 | project name, feConfigName, id | union (resources | where type == 'microsoft.network/loadbalancers' | where 
tolower(sku.name) != 'basic' | mv-expand feIPconfigs = properties.frontendIPConfigurations | extend feConfigName = (feIPconfigs.name), PIPid = toupper(feIPconfigs.properties.publicIPAddress.id), JoinID = toupper(id) | where isnotempty(PIPid) | join kind=innerunique ( resources | where type == 'microsoft.network/publicipaddresses' | where isnull(zones) or array_length(zones) < 2 | extend LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))), InnerID = toupper(id) ) on $left.PIPid == $right.InnerID) | project name, id, tags, param1='Zones: No Zone or Zonal', param2=strcat('Frontend IP Configuration:', ' ', feConfigName)", - "guid": "9dcd6250-9c4a-4382-aa9b-5b84c64fc1fe", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancer", - "severity": "High", - "text": "Use Standard Load Balancer SKU with a zone-redundant deployment, Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "severity": "Medium", + "text": "Practice Failover for BCDR", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools == 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name == 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", - "guid": "48682fb1-1e86-4458-a686-518ebd47393d", - "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-load-balancer?tabs=graph#zone-redundant", - "service": "Load Balancer", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "High", - "text": "Ensure load balancer backend pool(s) contains at least two instances, Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability.", + "text": "Plan a backup strategy and take regular backups", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", - "severity": "Medium", - "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. 
The diagram shows this encryption in flow.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Security" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", + "severity": "Low", + "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": "https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", "severity": "Medium", - "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "High", - "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "text": "Follow Purview accounts architectures and 
deployment best practices", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", "severity": "Medium", - "text": "Use IP addresses from the address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "High", - "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" + "text": "Follow Collection Architectures and best practices", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "High", - "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", + "severity": "Medium", + "text": "Follow Assest lifecycle best practices", "waf": "Reliability" }, { - "checklist": "Azure Landing Zone Review", - "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", - "guid": "0c47f486-656d-4699-8c30-edef5b8a93c4", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#availability-zone", - "service": "Public IP Addresses", - "severity": 
"High", - "text": "Use Standard SKU and Zone-Redundant IPs when applicable, Public IP addresses in Azure can be of standard SKU, available as non-zonal, zonal, or zone-redundant. Zone-redundant IPs are accessible across all zones, resisting any single zone failure, thereby providing higher resilience. ", - "training": "https://learn.microsoft.com/en-gb/training/modules/configure-virtual-networks/6-create-public-ip-addressing", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", + "severity": "Medium", + "text": "Follow automation best practices", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "severity": "Medium", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "text": "Follow Backup and Migration Best practices", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft 
Purview Review Checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", "severity": "Medium", - "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "Security" + "text": "Follow Purview Glossary Best Practices", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", "severity": "Low", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "training": "https://learn.microsoft.com/training/courses/az-700t00", - "waf": "Operations" + "text": "Leverage Workflows ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": "High", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": 
"https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", + "severity": "Medium", + "text": "Follow Purview Security Best Practices", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "18c80eb0-582a-4198-bf5c-d8800b2d263b", - "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures", - "service": "DNS", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", "severity": "Medium", - "text": "Implement a plan for managing DNS resolution between multiple Azure regions and when services fail over to another region", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "Follow Purview Data Lineage Best Practices", "waf": "Reliability" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", "severity": "Medium", - "text": "Use Azure Bastion to securely 
connect to your network.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "text": "Follow Best Practices for Scanning Registered Sources", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", "severity": "Medium", - "text": "Use Azure Bastion in a subnet /26 or larger.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-bastion/", - "waf": "Security" + "text": "Follow Classification Best Practices in Governance Portal", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", "severity": "Medium", - "text": "Use 
Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "text": "Perform Sensitivity Labelling in the Purview Data Map", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", "severity": "Low", - "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. 
Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" - }, - { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "High", - "text": "When WAFs and other reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "High", - "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks including application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - 
"link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "High", - "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-networks/", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Data stewardship and Catalog adoption", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "High", - "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "severity": "Low", + "text": "Use Inventory and Ownership", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", - "severity": 
"High", - "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/", - "waf": "Security" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", + "severity": "Low", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", "severity": "Medium", - "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "text": "Generate assessment scores", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", "severity": "Medium", - "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Profiling- get summaries of data content", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", - 
"severity": "Medium", - "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", + "severity": "Low", + "text": "Follow Microsoft Purview Data Owner access policies", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "High", - "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", + "severity": "Low", + "text": "Follow Self-service access policies", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, 
gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", + "severity": "Low", + "text": "Follow DevOps policies", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "severity": "High", - "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", - "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "severity": "Medium", - "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "Medium", - "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", "severity": "Medium", - "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "Medium", - "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "arm-service": "Microsoft.Compute/virtualMachineScaleSets", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": 
"Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "Medium", - "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", + "severity": "High", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "severity": "High", - "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "text": "Use Premium or Ultra disks for production VMs", + "waf": "Reliability" }, { - "arm-service": 
"microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "Medium", - "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", + "severity": "High", + "text": "Ensure Managed Disks are used for all VMs", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "severity": "Medium", - "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "severity": "Medium", - "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operations" + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, 
gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)",
- "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.",
+ "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "service": "VM",
 "severity": "Medium",
- "text": "Use ExpressRoute circuits from different peering locations for redundancy.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)",
+ "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "service": "VM",
+ "severity": "High",
+ "text": "Avoid running a production workload on a single VM",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review", 
+ "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.",
+ "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "VM",
+ "severity": "High",
+ "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.",
+ "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview",
+ "service": "VM",
+ "severity": "Low",
+ "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 
'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))",
- "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub",
- "service": "ExpressRoute",
- "severity": "High",
- "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.",
+ "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666",
+ "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Increase quotas in DR region before testing failover with ASR",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "d581a947-69a2-4783-942e-9df3664324c8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections",
- "service": "ExpressRoute",
- "severity": "High",
- "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.",
- "training": "https://learn.microsoft.com/training/modules/design-implement-azure-expressroute/",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.",
+ "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events",
+ "service": "VM",
+ "severity": "Low",
+ "text": "Utilize Scheduled Events to prepare for VM maintenance",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.",
+ "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.",
+ "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Storage",
+ "severity": "Low",
+ "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "669b215a-ce43-4371-8f6f-11047f6490f1",
- "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "ExpressRoute",
- "severity": "High",
- "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for Storage Account Containers",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log",
- "service": "ExpressRoute",
- "severity": "Medium",
- "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Operations"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for blobs",
+ 
"waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "5234c93f-b651-41dd-80c1-234177b91ced",
- "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance",
- "service": "ExpressRoute",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.",
+ "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about",
+ "service": "Backup",
 "severity": "Medium",
- "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "Performance"
+ "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery",
+ "waf": "Reliability"
 },
 {
- "checklist": "Azure Landing Zone Review",
- "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
- "service": "N/A",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.",
+ "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae",
+ "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept",
+ "service": "Backup",
 "severity": "Low",
- "text": "Do not send Azure traffic to hybrid locations for inspection. 
Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.",
- "waf": "Performance"
+ "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720",
- "link": "https://learn.microsoft.com/azure/firewall/overview",
- "service": "Firewall",
- "severity": "High",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.",
+ "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault",
+ "service": "Backup",
+ "severity": "Low",
+ "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c",
- "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Resiliency Review",
+ "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.",
+ "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146",
+ "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
+ "service": "DNS",
+ "severity": "Low",
+ "text": "Implement DNS Failover using Azure DNS Private Resolvers",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "655562f2-b3e4-4563-a4d8-739748b662d6",
- "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner",
- "service": "Firewall",
- "severity": "Low",
- "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "arm-service": "Microsoft.PowerBI/gateways",
+ "checklist": "Resiliency Review",
+ "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.",
+ "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103",
+ "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters",
+ "service": "Data Gateways",
+ "severity": "Medium",
+ "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant",
- "guid": "14d99880-2f88-47e8-a134-62a7d85c94af",
- "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules",
- "service": 
"Firewall",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Resiliency Review",
+ "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.",
+ "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
 "severity": "High",
- "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant",
- "guid": "c10d51ef-f999-455d-bba0-5c90ece07447",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features",
- "service": "Firewall",
- "severity": "High",
- "text": "Use Azure Firewall Premium to enable additional security features.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
+ "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP 
a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant",
- "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules",
- "service": "Firewall",
- "severity": "High",
- "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection.",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
+ "training": "https://github.com/Azure/sap-automation",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant",
- "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c",
- "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps",
- "service": "Firewall",
- "severity": "High",
- "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), 
subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant",
- "guid": "a3784907-9836-4271-aafc-93535f8ec08b",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "b651423c-8552-42db-a545-5cb50c05527a",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "SAP",
 "severity": "High",
- "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.",
- "waf": "Security"
+ "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "715d833d-4708-4527-90ac-1b142c7045ba",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operations"
+ "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa",
- "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "graph": "resources| where type =~ 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType =~ 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
+ "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "SAP",
 "severity": "High",
- "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Operations"
+ "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
+ "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant",
- "guid": "22d6419e-b627-4d95-9e7d-019fa759387f",
- "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size",
- "service": "Firewall",
- "severity": "High",
- "text": "Use a /26 prefix for your Azure Firewall subnets.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-firewall/",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7",
- "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy",
- "service": "Firewall",
+ "checklist": "SAP Checklist",
+ "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
+ "service": 
"SAP",
 "severity": "Medium",
- "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-firewall-manager/",
- "waf": "Performance"
+ "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1",
- "link": "https://learn.microsoft.com/azure/firewall/ip-groups",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
+ "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a",
- "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Do not use wildcards as a source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.",
- "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
- "waf": "Performance"
+ 
"checklist": "SAP Checklist",
+ "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Native database replication technology should be used to synchronize the database in a HA pair.",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Network/azureFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "7371dc21-251a-47a3-af14-6e01b9da4757",
- "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway",
- "service": "Firewall",
- "severity": "Medium",
- "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.",
- "training": "https://learn.microsoft.com/training/modules/introduction-to-azure-virtual-networks/",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr",
+ "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
+ "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
+ "service": "SAP",
+ "severity": "High",
+ "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet",
+ "training": 
"https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "severity": "High", - "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", - "waf": "Performance" + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "Low", - "text": "Use web categories to allow or deny outbound access to specific topics.", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "severity": "Medium", - "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-application-gateway/", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "High", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/firewallPolicies' | where array_length(properties.firewalls) > 0 | extend compliant = (properties.dnsSettings.enableProxy =~ 'true') | distinct id, compliant", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", - "severity": "Medium", - "text": "Enable Azure Firewall DNS proxy configuration.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "High", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "severity": "High", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs and metrics.", - "training": "https://learn.microsoft.com/training/courses/az-700t00/", - "waf": "Operations" + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Low", - "text": "Implement backups for your firewall rules", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "High", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/azurefirewalls' | where array_length(zones) <= 1 or isnull(zones) | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | project name, id, tags, param1='multipleZones:false'", - "guid": "d38ad60c-bc9e-4d49-b699-97e5d4dcf707", - "link": "https://learn.microsoft.com/azure/firewall/deploy-availability-zone-powershell", - "service": "Firewall", + "checklist": "SAP Checklist", + "graph": "resources | where type =~ 'Microsoft.Network/loadBalancers' | extend bep = properties.backendAddressPools | extend BackEndPools = array_length(bep) | where BackEndPools =~ 0 | project name, id, Param1='backendPools', Param2=toint(0), tags | union (resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Standard' | extend bep = properties.backendAddressPools | extend BackEndPools = toint(array_length(bep)) | mv-expand bip = properties.backendAddressPools | extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses) | where toint(BackendAddresses) <= 1 | project name, id, tags, Param1='backendAddresses', Param2=toint(BackendAddresses)) | union ( resources | where type =~ 'Microsoft.Network/loadBalancers' | where sku.name =~ 'Basic' | mv-expand properties.backendAddressPools | extend backendPoolId = properties_backendAddressPools.id | project id, name, tags, tostring(backendPoolId), Param1='BackEndPools' | join kind = leftouter ( resources | where type =~ 'Microsoft.Network/networkInterfaces' | mv-expand properties.ipConfigurations | mv-expand 
properties_ipConfigurations.properties.loadBalancerBackendAddressPools | extend backendPoolId = tostring(properties_ipConfigurations_properties_loadBalancerBackendAddressPools.id) | summarize poolMembers = count() by backendPoolId | project tostring(backendPoolId), poolMembers ) on backendPoolId | where toint(poolMembers) <= 1 | extend BackendAddresses = poolMembers | project id, name, tags, Param1='backendAddresses', Param2=toint(BackendAddresses))", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "severity": "High", - "text": "Deploy Azure Firewall across multiple availability zones. Azure Firewall offers different SLAs depending on its deployment; in a single availability zone or across multiple, potentially improving reliability and performance.", - "training": "https://learn.microsoft.com/training/courses/az-104t00/", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/azureFirewalls' | where isempty(properties.virtualHub.id) or isnull(properties.virtualHub.id) | mv-expand ipConfig = properties.ipConfigurations | project name, firewallId = id, tags, vNetName = split(ipConfig.properties.subnet.id, '/', 8)[0], vNetId = tolower(substring(ipConfig.properties.subnet.id, 0, indexof(ipConfig.properties.subnet.id, '/subnet'))) | join kind=fullouter ( resources | where type =~ 'Microsoft.Network/ddosProtectionPlans' | mv-expand vNet = properties.virtualNetworks | project ddosProtectionPlanId = id, vNetId = tolower(vNet.id) ) on vNetId | extend compliant = iif(isempty(ddosProtectionPlanId), false, true) | project name, compliant, id = firewallId, tags, network = strcat('vNet: ', vNetName)", - "guid": "e8143efa-0301-4d62-be54-ca7b5ce566dc", - "link": "https://learn.microsoft.com/en-gb/azure/ddos-protection/ddos-protection-overview", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "High", - "text": "Configure DDoS Protection on the Azure Firewall VNet, Associate a DDoS protection plan with the virtual network hosting Azure Firewall to provide enhanced mitigation against DDoS attacks. Azure Firewall Manager integrates the creation of firewall infrastructure and DDoS protection plans. 
", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", "severity": "High", - "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", - "severity": "Medium", - "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "High", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "High", - "text": "Don't enable virtual network service endpoints by default on all subnets.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "Medium", - "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", 
+ "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "High", - "text": "Use at least a /27 prefix for your Gateway subnets.", - "waf": "Security" + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", 
- "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "High", - "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mv-expand subnet = properties.subnets | where subnet.name !in~ ('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet') | extend compliant = iff(isnotnull(subnet.properties.networkSecurityGroup.id), true, false) | project id, subnetName = subnet.name, vnetName = name, NSG = subnet.properties.networkSecurityGroup.id, compliant", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", - "severity": "Medium", - "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "Medium", - "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a 
central NVA to filter traffic flows.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'Microsoft.Network/virtualnetworks' | project subscriptionId, lowerCaseVNetId = tolower(id) | join kind = leftouter ( resources | where type =~ 'microsoft.network/networkwatchers/flowlogs' and properties.enabled == true and properties.provisioningState =~ 'succeeded' | where properties.targetResourceId contains '/Microsoft.Network/virtualNetworks/' | project flowlogId = id, trafficAnalyticsEnabled = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled, lowerCaseTargetVNetId = tolower(properties.targetResourceId) ) on $left.lowerCaseVNetId == $right.lowerCaseTargetVNetId | extend compliant = iff(isnotempty(lowerCaseTargetVNetId), true, false) | project id = lowerCaseVNetId, flowlogId, trafficAnalyticsEnabled, compliant", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "Medium", - "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "High", + "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "Medium", - "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "Medium", - "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": 
"Operations" + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | where sku.name in~ ('Standard_LRS', 'Premium_LRS') | project name, id, tags, param1 = strcat('sku: ', sku.name)", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Medium", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Performance" + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "severity": "Medium", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", - "severity": "Medium", - "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "High", + "text": "Run 
all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", - "severity": "Medium", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "High", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic == 'true') | distinct id,compliant", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "Medium", - "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "High", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualhubs'| extend compliant= (properties.hubRoutingPreference =~ 'ASPath') | distinct id,compliant", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", - "severity": "Medium", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "High", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
- "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
- "service": "VWAN",
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Reliability"
+ "text": "Automate SAP System Start-Stop to manage costs.",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.network/virtualWans",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type =~ 'microsoft.network/virtualhubs' | extend addressSpace = properties.addressPrefix | extend compliant= (toint(substring(addressSpace, indexof(addressSpace, '/') + 1)) < 23) | distinct name, id, compliant",
- "guid": "9c75dfef-573c-461c-a698-68598595581a",
- "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
- "service": "VWAN",
- "severity": "High",
- "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": 
"Low",
+ "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "graph": "resources | where type =~ 'microsoft.aad/domainservices' | extend replicaSets = properties.replicaSets | where array_length(replicaSets) < 2 | project name=name, id=id, tags=tags, param1=strcat('replicaSetLocation:', replicaSets[0].location)",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
 "severity": "High",
- "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.",
- "training": "https://learn.microsoft.com/training/modules/governance-security/",
+ "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
+ "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "High",
- "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "43334f24-9116-4341-a2ba-527526944008",
- "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
- "service": "Policy",
- "severity": "Low",
- "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "High",
- "text": "Use built-in policies where possible to minimize operational overhead.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
"waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.",
- "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "19048384-5c98-46cb-8913-156a12476e49",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-policy/",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
 "severity": "Medium",
- "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.",
+ "text": "Implement SSO to SAP HANA",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
- "link": 
"https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.",
+ "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
- "service": "Policy",
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.",
+ "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
- "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design#azure-regions",
- "service": "Monitor",
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use a single monitor logs workspace to manage platforms centrally 
except where Azure role-based access control (Azure RBAC), data sovereignty requirements, or data retention policies mandate separate workspaces.",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "Operations"
+ "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "7418ada9-4199-4c28-8286-d15e9433e8f3",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Decide whether to use a single Azure Monitor Logs workspace for all regions or to create multiple workspaces to cover various geographical regions. 
Each approach has advantages and disadvantages, including potential cross-region networking charges",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "Reliability"
+ "text": "Implement SSO to SAP BTP",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Monitor",
- "severity": "High",
- "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.",
+ "waf": "Security"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "description": "Keep your management group hierarchy reasonably flat, no more than four.",
+ "graph": "resourcecontainers| where type =~ 'microsoft.resources/subscriptions'| extend ManagementGroup = tostring(tags),mgmtChain = properties.managementGroupAncestorsChain| extend compliant =( array_length(mgmtChain) <= 4 and array_length(mgmtChain) > 1)",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "enforce existing Management Group policies to SAP Subscriptions",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
- "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
- "service": "VM",
- "severity": "Medium",
- "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. 
Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | summarize count()",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
- "service": "VM",
- "severity": "Medium",
- "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "checklist": "SAP Checklist",
+ "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | summarize count () by subscriptionId",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
- "service": "VM",
- "severity": "Medium",
- "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "checklist": "SAP Checklist",
+ "graph": "QuotaResources | where type =~ 'microsoft.compute/locations/usages' | where subscriptionId in~ ('','') | mv-expand json = properties.value limit 400 | extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue) | extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit) |where quotaName =~ 'Total Regional vCPUs' or quotaName =~ 'Total Regional Low-priority vCPUs' |project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json'] | order by ['usagePercent'] desc",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/networkWatchers",
- "checklist": "Azure Landing Zone Review",
- "guid": "90483845-c986-4cb2-a131-56a12476e49f",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Network Watcher",
- "severity": "Medium",
- "text": "Use Network Watcher to proactively monitor traffic flows.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Monitor",
- "severity": "Medium",
- "text": "Use Azure Monitor Logs for insights and reporting.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-monitor/",
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
+ "severity": "High",
+ "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
- "service": "Monitor",
- "severity": "Medium",
- "text": "Use Azure Monitor alerts for the generation of operational alerts.",
- "training": "https://learn.microsoft.com/training/modules/incident-response-with-alerting-on-azure/",
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "Monitor",
+ "checklist": "SAP Checklist",
+ "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "Medium",
- "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.",
- "training": 
"https://learn.microsoft.com/training/modules/explore-azure-automation-devops/",
+ "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Backup",
- "severity": "Low",
- "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.",
- "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/",
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Help protect your HANA database by using the Azure Backup service.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce 
a compliant baseline VM configuration.",
- "waf": "Security"
+ "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.",
- "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure time-zone matches between the operating system and the SAP system.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Monitor VM security configuration drift via Azure Policy.",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Security"
+ "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "VM",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.",
- "training": "https://learn.microsoft.com/training/modules/protect-infrastructure-with-site-recovery/",
+ "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "severity": "Medium", - "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", - "training": "https://learn.microsoft.com/training/modules/design-solution-for-backup-disaster-recovery/", + "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "High", - "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. 
Regularly review the logs to check for attacks and for false positive detections.", - "training": "https://learn.microsoft.com/training/modules/capture-application-logs-app-service/", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "Low", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Medium", - "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.", - "training": "https://learn.microsoft.com/training/paths/sc-200-connect-logs-to-azure-sentinel/", + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "Security" + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "Medium", - "text": "Use different Azure Key Vaults for different applications, environments and regions to avoid transaction scale limits and restrict access to secrets.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "Security" + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "Medium", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-key-vault/", - "waf": "Security" + "text": "Perform a 
quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medium", - "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", - "training": "https://learn.microsoft.com/en-us/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "High", + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Performance" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "severity": "Medium", - "text": "Establish an automated process for key and certificate rotation.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, 
Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "Medium", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control access to the key vault.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/", + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "checklist": "SAP Checklist", + "graph": "resources | extend compliant = isnotnull(['tags']) | project name, id, subscriptionId, resourceGroup, tags, compliant", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "severity": "Medium", - "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "Security" + "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medium", - "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", - "training": 
"https://learn.microsoft.com/training/modules/configure-azure-key-vault-networking-settings/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "Low", + "text": "Use inter-VM latency monitoring for latency-sensitive applications.", + "waf": "Performance" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Medium", - "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "Medium", - "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/", - "waf": "Security" + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", + "waf": "Performance" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", - "severity": "Medium", - "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", - "training": "https://learn.microsoft.com/training/modules/monitor-report-aad-security-events/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "Low", + "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", + "waf": "Performance" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "High", - "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/microsoft-defender-cloud-security-posture/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", + "severity": "Medium", + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Performance" }, { - "checklist": "Azure Landing Zone Review", - "guid": 
"36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "High", - "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", + "severity": "Medium", + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Performance" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "High", - "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", - "training": "https://learn.microsoft.com/training/modules/understand-azure-defender-cloud-workload-protection/", - "waf": "Security" + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for 
SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "severity": "High", - "text": "Enable Endpoint Protection on IaaS Servers.", - "training": "https://learn.microsoft.com/training/modules/design-solutions-securing-server-client-endpoints/", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", + "severity": "Medium", + "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medium", - "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/create-log-analytics-workspace-microsoft-defender-cloud/", - "waf": "Security" + "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many 
system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medium", - "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", - "training": "https://learn.microsoft.com/training/modules/analyze-infrastructure-with-azure-monitor-logs/", - "waf": "Security" + "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.operationalinsights/workspaces'| extend wsid = properties.customerId| project workspaceResourceId = tolower(id), name, wsid| join (resources| where type == 'microsoft.operationsmanagement/solutions'| where name has 'SecurityInsights'| extend workspaceResourceId = tostring(tolower(properties.workspaceResourceId))| project workspaceResourceId | summarize ResourceCount = count() by workspaceResourceId) on workspaceResourceId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 0)", - "guid": "a56888b2-7e83-4404-bd31-b886528502d1", - "link": "https://learn.microsoft.com/en-us/azure/well-architected/security/monitor-threats#centralized-threat-detection-with-correlated-logs", - "service": "Entra", + "checklist": "SAP Checklist", + "description": "When configuring VNet peering, use the Allow traffic to remote virtual networks setting.", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess =~ True)", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "Medium", + "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", + "training": 
"https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "High", - "text": "Centralized threat detection with correlated logs - consolidate security data in a central location where it can be correlated across various services via SIEM (security information and event management)", - "waf": "Security" + "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", + "training": "https://me.sap.com/notes/2731110", + "waf": "Performance" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "checklist": "SAP Checklist", + "graph": "resources| where type =~ 'microsoft.network/virtualwans' | extend compliant= (properties.allowBranchToBranchTraffic =~ 'true') | distinct id,compliant", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "Medium", - "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", - "waf": "Security" + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operations" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "Medium", - "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", - "waf": "Security" + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "High", - "text": "Enable secure transfer to storage accounts.", - "training": "https://learn.microsoft.com/training/modules/secure-azure-storage-account/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", + "severity": "Medium", + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/publicIPAddresses' and sku.tier =~ 'Regional' | where isempty(zones) or array_length(zones) <= 1 | extend az = case(isempty(zones), 'Non-zonal', array_length(zones) <= 1, strcat('Zonal (', strcat_array(zones, ','), ')'), zones) | project name, id, tags, param1 = strcat('sku: ', sku.name), param2 = strcat('availabilityZone: ', az)", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "High", - "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "checklist": "SAP Checklist", + "graph": "Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) 
| summarize count () by subscriptionId", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "High", - "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual machines user passwords), certificates or keys.", - "training": "https://learn.microsoft.com/en-us/training/modules/implement-azure-key-vault/", + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "High", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' and tolower(kind) !contains 'workflow' | extend aspResourceId = tostring(properties.serverFarmId), managedEnvId 
= tostring(properties.managedEnvironmentId), sku = tostring(properties.sku) | extend sku = iif(isnotempty(sku), sku, iif(isnotempty(managedEnvId), 'ContainerApps', '')) | where sku !in ('Dynamic', 'FlexConsumption', '') | extend aspName = tostring(split(aspResourceId, '/').[-1]), managedEnvName = tostring(split(managedEnvId, '/').[-1]) | extend HostingPlan = tostring(iif(isnotempty(aspName), aspName, managedEnvName)) | project functionAppName = name, functionAppId = id, HostingPlan, sku | join kind=inner ( resources | where type =~ 'Microsoft.Web/serverfarms' or type =~ 'Microsoft.App/managedEnvironments' | extend HostingPlan = tostring(name), zoneRedundant = tostring(properties.zoneRedundant), compliant = tobool(properties.zoneRedundant) | project HostingPlan, resourceId = id, zoneRedundant, compliant ) on HostingPlan | project functionAppName, functionAppId, sku, HostingPlan, resourceId, zoneRedundant, compliant", - "service": "Azure Functions", - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", + "severity": "Medium", + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "graph": "resources | where type=~'microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medium", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", + "severity": "Medium", + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "query": "resources | where type =~ 'Microsoft.Web/sites' and kind has 'functionapp' | where tolower(kind) !contains 'workflow' | where isnotempty(properties.serverFarmId) | extend sku = tostring(properties.sku) | where isnotempty(sku) | where sku !in ('Dynamic', 'FlexConsumption', 'ElasticPremium') | extend alwaysOn = properties.siteConfig.alwaysOn | project functionAppName = name, functionAppId = id, serverFarmId = tostring(properties.serverFarmId), sku, alwaysOn, compliant = tobool(alwaysOn)", - "service": "Azure Functions", - "severity": "High", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": 
"40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Medium", - "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", - "waf": "Operations" + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Medium", - "text": "Implement an error handling policy at the global level", - "waf": "Operations" + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "Medium", - "text": "Ensure all APIs policies include a element.", - "waf": "Operations" + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", - "severity": "Medium", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", - "waf": "Operations" + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'Microsoft.Network/NetworkInterfaces' | where properties.enableAcceleratedNetworking =~ 'false' | project name, subscriptionId, properties.enableAcceleratedNetworking", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", + "severity": "High", + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "Medium", - "text": "If you are planning to monetize your APIs, review the 'monetization 
support' article for best practices", - "waf": "Operations" + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Security" + }, + { + "checklist": "SAP Checklist", + "graph": "Resources | where type =~ 'microsoft.network/networksecuritygroups' and isnull(properties.networkInterfaces) and isnull(properties.subnets) | project name, resourceGroup | sort by name asc", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", + "severity": "Medium", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "High", - "text": "Enable Diagnostics Settings to export logs to Azure Monitor", - "waf": "Operations" + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Medium", - "text": "Enable Application Insights for more detailed telemetry", - "waf": "Operations" + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "High", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "High", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "High", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", - "waf": "Security" + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Medium", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "severity": "Medium", - "text": "Create appropriate groups to control the visibility of the products", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "High", + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Medium", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "Medium", - "text": "Use Named Values to store common values that can be used in policies", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + 
"link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", + "severity": "High", + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = ( sku.name == 'Premium' and isnotnull(properties.additionalLocations)) | distinct id, compliant", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Medium", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = ( sku.name == 'Premium' and isnotnull(zones) and sku.capacity >= 2 ) | distinct id, compliant", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "Medium", - "text": "Deploy at least one unit in two or more availability zones 
for an increased SLA of 99.99%", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", - "severity": "High", - "text": "Ensure there is an automated backup routine", - "waf": "Reliability" + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "severity": "Medium", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "text": "Review the use of Automated Backup v2 for Azure VMs.", + "waf": "Operations" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Low", - "text": "If you need to log at high performance levels, consider Event Hubs policy", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", + "severity": "High", + "text": "Enabling Write accelerator for M series when using premium disks(V1)", "waf": "Operations" }, { - "arm-service": 
"Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "Medium", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "text": "Test availability zone latency.", "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type == 'microsoft.apimanagement/service' | join kind = leftouter (resources | where type == 'microsoft.insights/autoscalesettings' | extend targetResourceUri = tostring(properties.targetResourceUri)) on $left.id == $right.targetResourceUri | extend compliant = (sku.name == 'Premium' and isnotempty(targetResourceUri) and properties1.enabled == true) | distinct id, compliant", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Medium", - "text": "Configure autoscaling to scale out the number of instances when the load increases", + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - 
"guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "Medium", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", - "severity": "Medium", - "text": "Use the premium tier for production workloads.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", - "severity": "Medium", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "High", - "text": "Be aware of APIM's limits", - "waf": 
"Reliability" + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", + "severity": "Medium", + "text": "Review SQL Server performance monitoring using CCMS.", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type =~ 'microsoft.apimanagement/service' | extend compliant = (properties.platformVersion != 'stv1') | project id, compliant", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8ce", - "link": "https://learn.microsoft.com/en-us/azure/api-management/migrate-stv1-to-stv2", - "service": "APIM", - "severity": "High", - "text": "Upgrade the platform version and follow lifecyle. stv1 is retirng on 31 August 2024", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", + "severity": "Medium", + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", - "severity": "High", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "Medium", + "text": "Review SAP HANA studio alerts.", + "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": 
"https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "severity": "Medium", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", "waf": "Performance" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (isnotnull(properties.virtualNetworkConfiguration)) | distinct id, compliant", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Medium", - "text": "Deploy the service within a Virtual Network (VNet)", + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Medium", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (properties.virtualNetworkType == 'None' and isnotnull(properties.privateEndpointConnections)) | distinct id, compliant", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", - "severity": "Medium", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "Low", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the 
account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (properties.virtualNetworkType == 'Internal') | distinct id, compliant", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "High", - "text": "Disable Public Network Access", + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "Medium", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", - "severity": "Medium", - "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "High", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "severity": "Medium", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", - "severity": "Medium", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", + "severity": "High", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "Medium", - "text": "Secure APIs using client certificate authentication", + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. 
You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "Medium", - "text": "Secure backend services using client certificate authentication", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", - "severity": "Medium", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", + "severity": "High", + "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", + "training": 
"https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", - "severity": "Medium", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "High", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "severity": "High", - "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", - "severity": "High", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Low", + "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "graph": "resources | where type == 'microsoft.apimanagement/service' | extend compliant = (isnotnull(identity)) | distinct id, compliant", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "checklist": "SAP 
Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "Medium", - "text": "Use managed identities to authenticate to other Azure resources whenever possible", + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "checklist": "SAP Checklist", + "graph": "Resources | join kind=leftouter (ResourceContainers | where type=~'microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type =~ 'microsoft.keyvault/vaults' | project type, name, SubName", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "severity": "High", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": 
"https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", - "severity": "Medium", - "text": "FTA Resiliency Playbook", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "High", + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "severity": "High", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", - "waf": "Reliability" + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", - "severity": 
"Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "High", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", - "severity": "Medium", - "text": "Leverage Multi-Region Writes", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "Low", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": 
"CosmosDB", - "severity": "Medium", - "text": "Distribute your data globally", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "Low", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "High", - "text": "Choose from several well-defined consistency models", - "waf": "Reliability" + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Maintain business continuity during regional outages. 
Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", - "severity": "Medium", - "text": "Enable Service managed failover", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Low", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Reliability" + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", - "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Reliability" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. 
If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", - "service": "PostgreSQL", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "severity": "Medium", - "text": "Leverage Flexible Server", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", - "service": "PostgreSQL", - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "31b67c67-be59-4519-8083-845d587cb391", - "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", - "service": "PostgreSQL", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there’s no need to store the tokens in your code and risk potential security vulnerabilities. 
We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible.", + "graph": "Resources | where type =~ 'microsoft.servicebus/namespaces' | extend compliant = iif(properties.disableLocalAuth == 'false', 'No', 'Yes') | project id, compliant", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/en-us/azure/service-bus-messaging/disable-local-authentication", + "service": "Service Bus", "severity": "Medium", - "text": "Leverage cross-region read replicas for BCDR", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "text": "When possible, disable SAS key authentication (or local authentication) and use only Microsoft Entra ID for authentication", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "65285269-440c-44be-9d3e-0844276d4bdc", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", - "service": "Data Factory", - "severity": "High", - "text": "Reference Databricks HA/DR playbook", - "waf": "Reliability" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", + "severity": "Medium", + "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd", - "link": "https://github.com/databrickslabs/databricks-sync", - "service": "Data Factory", - "severity": "Low", - "text": "Use Databricks Sync", - "waf": "Reliability" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", + "severity": "Medium", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", - "link": "https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes", - "service": "Data Factory", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "severity": "Medium", - "text": "Backup your workspace configuration including ARM templates and secret scopes", - "waf": "Reliability" + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757", - "service": "Data Factory", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant = (sku=~'{\"name\":\"Standard\"}') | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/overview-managed-cluster#service-fabric-managed-cluster-skus", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Share metaData across different Databricks workspaces using Hive external metastore", + "text": "Use Standard SKU for production scenarios.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "769e3969-0e78-428a-a936-657d03b0f466", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581", - "service": "Data Factory", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/clusters' | extend nodeTypes= 
array_concat(properties.nodeTypes) | mv-expand nodeTypes | summarize BronzeDurabilityCount = countif(nodeTypes.durabilityLevel == 'Bronze') by id | extend compliant = (BronzeDurabilityCount == 0) | distinct id,compliant", + "guid": "182840d2-9ef8-4238-8fd6-0d76186830ac", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-cluster-capacity#durability-characteristics-of-the-cluster", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Plan Disaster Recovery strategy in Databricks using the Hive External Metastore", + "text": "Use durability level Silver (5 VMs) or greater for production scenarios", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b", - "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html", - "service": "Data Factory", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.ServiceFabric/managedClusters' | extend compliant= ( properties.zonalResiliency =~ 'true') | distinct id,compliant", + "guid": "2363878d-55c4-4cbd-9bc2-94523c85f12e", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-availability-zones", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Backup your data with deep and shallow clones", + "text": "Consider using Availability Zones for your Service Fabric clusters. Service Fabric managed cluster supports deployments that span across multiple Availability Zones to provide zone resiliency. 
This configuration will ensure high-availability of the critical system services and your applications to protect from single-points-of-failure.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "description": "Download the blob using the secondary endpoint in RAGRS storage account", - "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559", - "link": "https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750", - "service": "Data Factory", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "5ba74cc8-3ca2-44d5-9a67-bdc8e102e7b4", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-api-management-overview", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Backup your data to Azure Storage RA-GRS", + "text": "Consider using Azure API Management to expose and offload cross-cutting functionality for APIs hosted on the cluster. API Management can integrate with Service Fabric directly.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a", - "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd", - "service": "Data Factory", - "severity": "High", - "text": "Backup your code with DevOps", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "ef17bb8f-4e2c-488b-8ceb-a07c3d750dd3", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-reliable-services-introduction", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "For stateful workload scenarios, consider using Reliable Services. 
The Reliable Services model allows your services to stay up even in unreliable environments where your machines fail or hit network issues, or in cases where the services themselves encounter errors and crash or fail. For stateful services, your state is preserved even in the presence of network or other failures.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a", - "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery", - "service": "Data Factory", - "severity": "High", - "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration", - "waf": "Reliability" + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | summarize compliant = countif(sku.name matches regex '^Standard_[^d]*$' ) by id", + "guid": "4da21268-f775-4c89-a271-eb80543c8df7", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Avoid VM SKUs with temp disk offerings. 
Service Fabric uses managed disks by default, so avoiding temp disk offerings ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "DataBricks Review Checklist", - "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace", - "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc", - "link": "https://github.com/databrickslabs/migrate", - "service": "Data Factory", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "1890b796-f300-41a3-a8d4-29738c1f4ad0", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-stateless-node-type#temporary-disk-support", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Use Databricks Migration tools", - "waf": "Reliability" + "text": "If you need to select a certain VM SKU for capacity reasons and it happens to offer temp disk, consider using temporary disk support for your stateless workloads.", + "waf": "Cost" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "5247bb32-6778-49c7-8b40-e171c9a3ce1e", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", - "waf": "Reliability" + "text": "Align SKU selection and managed disk size with workload requirements. 
Matching your selection to your workload demands ensures you don't pay for unneeded resources.", + "waf": "Cost" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "6028759b-446a-41bc-8b0e-7728e61ca704", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-cluster-networking#manage-nsg-rules", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", - "waf": "Reliability" + "text": "Ensure Network Security Groups (NSG) are configured to restrict traffic flow between subnets and node types. For example, you may have an API Management instance (one subnet), a frontend subnet (exposing a website directly), and a backend subnet (accessible only to frontend).", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "checklist": "Azure Service Fabric Review Checklist", + "graph": "resources | where type=~'Microsoft.Compute/virtualMachineScaleSets' | extend vmssExtension= array_concat(properties.virtualMachineProfile.extensionProfile.extensions) | mv-expand vmssExtension | where vmssExtension.properties.publisher matches regex '^Microsoft.Azure.ServiceFabric.*' | summarize arg_max(id, *) | extend compliant = (isnotnull(properties.virtualMachineProfile.osProfile.secrets))", + "guid": "4e98c903-14cf-4c72-9c45-b8b23bc4cbd8", + "link": 
"https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#deploy-key-vault-certificates-to-service-fabric-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Custom brand assets should be hosted on a CDN", - "waf": "Performance" + "text": "Deploy Key Vault certificates to Service Fabric cluster virtual machine scale sets. Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked.", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "Low", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", - "waf": "Reliability" + "checklist": "Azure Service Fabric Review Checklist", + "guid": "001cbb6f-d88d-4431-8434-d01333397776", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#apply-an-access-control-list-acl-to-your-certificate-for-your-service-fabric-cluster", + "service": "Azure Service Fabric", + "severity": "Medium", + "text": "Apply an Access Control List (ACL) to your client certificate for your Service Fabric cluster. 
Using an ACL provides an additional level of authentication.", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "4b74b7a5-bb1e-4fca-948c-037ba95fb73b", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-resource-governance#resource-governance-mechanism", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", - "waf": "Reliability" + "text": "Use resource requests and limits to govern resource usage across the nodes in your cluster. Enforcing resource limits helps ensure that one service doesn't consume too many resources and starve other services.", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "cd9233ba-f3aa-4353-8d2f-7ea4a64160e6", + "link": "", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Don't replicate! Replication can create issues with directory synchronization", - "waf": "Reliability" + "text": "Encrypt Service Fabric package secret values. 
Encryption on your secret values provides an additional level of security.", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "44b989d4-9f72-42b6-99da-ec2a79f83299", + "link": "", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Have active-active for multi-regions", - "waf": "Reliability" + "text": "Include client certificates in Service Fabric applications. Having your applications use client certificates for authentication provides opportunities for security at both the cluster and workload level.", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "28e66ff7-4a77-4b2c-910d-0335f141208a", + "link": "https://learn.microsoft.com/azure/service-fabric/how-to-managed-identity-managed-cluster-virtual-machine-scale-sets", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Add Azure AD Domain service stamps to additional regions and locations", - "waf": "Reliability" + "text": "Authenticate Service Fabric applications to Azure Resources using Managed Identity. 
Using Managed Identity allow you to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control.", + "waf": "Security" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "checklist": "Azure Service Fabric Review Checklist", + "guid": "f16c413c-00a6-43aa-852c-b97292c33a56", + "link": "https://learn.microsoft.com/azure/service-fabric/service-fabric-best-practices-security#hosting-untrusted-applications-in-a-service-fabric-cluster", + "service": "Azure Service Fabric", "severity": "Medium", - "text": "Use Replica Sets for DR", - "waf": "Reliability" + "text": "Follow Service Fabric best practices when hosting untrusted applications. Following the best practices provides a security standard to follow.", + "waf": "Security" } ], "metadata": { "name": "WAF checklist", - "timestamp": "October 24, 2024" + "timestamp": "October 25, 2024" }, "severities": [ { 
diff --git a/spreadsheet/macrofree/waf_checklist.en.xlsx b/spreadsheet/macrofree/waf_checklist.en.xlsx index c087c2bddc1a5b054d05ebe73932c8dd9c9b42f0..b36ee21089b91966e11bd004e6ab77447279cf72 100644 GIT binary patch literal 236447 zcmY(qWmH_zvNak!c!C7C;O=h0-5r9vH0~NaxVt-zYvb+?!KHBs?yiq}?l`&c`>}hC zJ;we~YgW~qwQ5x>%0NM5eERh1^CxyYEiLgOImx7tw~3GE%g1A4XRPRGXYa&lXm8Kp z4zQ7%l0)oeLW14wQg&@h3nwf@5#4Dn$*qe}FsH(uqOm#PF@2dpDTyO7&v+{VQIo7l8GpP4V&|iwg&RimNV5_j{0PkBUBx zTE3b-&21&Bnp)v^%-bSCSopa=L^G@jt6UBS{xC`|=+vyBE~l5r%$=QtG$*XHA|wJd z66&e+WUs;6FC#|lCCfFI;FWW=qi^vD=04-@;^_;ClE=M|Q-ZvqQ)NMg(Ei>OQ`^N! zRO|xQt1Kb5bW<11BL+6zV&Rx<1Jh@S-q4;ZW?s=MjViLNh^AaHjf-$lxahmwRWUU7 zmwXL5zM>y|sV|1PzJHt%XepuVuTf>1 zZphp=Uj93^EJIQZ8cyEz9583##5#y+7nVmtO%4$H0z1E;+{HQD6?VMPI&bR&tp2pg z6{6M#o5jwEu)l<6;c7h%2D*4_^rhT9<2|US`mwin^}^vj=rL+9*FdL(L+~DIz!q-K zuUiQE;O@mtb;?r92gpRG^eB#LdCl8`0jrc)2=kQ43vuilt9ATN;pHO9j1luAE{Bxu zwx2hjesbZ`rjxJ}BtS$9QS?R@uke`KIAvMuZ~&+^P-q6a*J-J6rHDh@wmv2L&l;3LCPq9WQM z6-F|0qnbZyl`-xiC!%r=&F3f(yaYAB|?e#AeX7>E{b|s*zUS&e|k?5qyj4ZPU$M8a=J-X1W^2*#ss^5)oqz= zK2CTh4!$Ljn~{{)8-tvS0FQf?j@p=U>}wE}IA=3U{N@wN$m%9sCcxz$AU(GVIM#{v zABTvKkqxqx`BHU0M2%-)q`Zy>OxD#2z%3}?$Fa)m5c%9E(X8;f)nz&8udywK54nGZ zV_2$<6U=dKdK2q+cp5AGKx5#Xuxkv`<2Qk}*~Wg>0j=->j)_Ha&td1SMAqUz$8?02 zz{GIx*>tI&DbxbV3wZDgy)GdIFWE^44jy+WQ6bEag`N41$-`4TVFVFRZzdr$A~_-a4uP zvR!{)RGtX&JcGww%gpXmZ!2U@jOJ#EfO5uC={q#O5NfbdNM2?+p)}h*+9;KE`B^?v zMqyjK;IRvMpillwx79qV=~6yXI0yT2<$}7xZSqmXf?_g!Q1G9f1S+}WgbQRctG7$Z z=1Hkq3vA6f@M3L^jGliW!q&^92lhC&(1DQqy_4X?F4j7~gMuAvai`5xO}n_gQTBpl zVy_&f5<(v|O8o5^`khOGp=+agp;EcuXZ_WT7JpMuM1r2|YY|2C9fw)mZX&8?xuINz zeJ#X#!-WPTcFvnNljPdivOrUoKunSP+Y;5U{@8LP3uCqh%i$Tv^O*`MKl>hU=*+8m z(~w}v)O9@7<*+lTnWH-?x$G|BW7lP#Bo2Pb^~)iJAXwYlb_*m~SxyLG7H#TjIne7) zH09r+nKg&+;ERJLy3FP@{PICyizT&Z^Vj!f8aCi))uQ&9C$6Af3e1!%jC& z4vrs?72BFF%{%uOvdsXyjx)`DOcOUd&(7&!`DV(hA+t;5Ugcht5rJD?2fb ztY15|tBwU#t9_fnww!+Mk9Cu_1L5r-Npi;Rr@|b=5V3W zxUHJjenYEpE5|H9^TQasdM+o*Bx*$!z~XGux$PMfe0Auv?Z>Kp9TVq>_3N~ue?N?A 
zkNuGS>PqR|YG3!$7sIV)`B_Py!$o25>X^4KwT?^y}w^94!wX?5D|)G1w<-d?nfPk{qsldfZ@TlMbm%YUz)74m%ydK#-4 z5|YNWU#)%YI?p8WmaEp2%R&5nC#U>tCC`D4Gz&)wn9m(vM-l+t`;{o~A=IBl?As0E zYYV@<%*Z%Ew=1A^%hgo9=e$#HsKs;J01(Fk5IIJVcaE?%crs`s{X#)*xP1l=7JK=DwI}(eSciWoN`NIIbA&9~A zg8O>+)RBbT!6Elt|Lha!{r2tgh2ZM(d7-QRuawKw>>|HHnOAnJ-Q=Xt0sr4uk>?o= z{hLW!+{YKdwTHdy?C@Wr^eJ%mm>_Ix#Ly!$Da7R6lddoG6-v#c$p()E121wk1oUG{uJ&i0 z^z1`a-X)e2c%(<8((-9x`lfz(GztI0o?USk+ufY$LVZq4%_er?JSux5tZZrBI^CCv z9b9)R?=~iw=1bwy*Ggn*X7LD2^s%d*l#yE%#9J9@PSuJM%b0adq(X?Ph zNdtCzvaothS=N!OSCC_!68B4!HN#C0>B7eCq;7;x&8ULgF_dfTpR3XYG$3Pzga~$= zaUKPSm7azL9{cyxTWv$#MKl4mTh>SQ^;8$k9Y~EuTUZ2jzR|GkX0W#JqBcE#5wORO>A071Q znv%j*7Z(`!)HPRiD7xHq<{T4iex7x$r^eaArcz(;pKB{?q?;T&deQ2ppbGmc+AZ^- zFSbsb+CNf0@*MPjyYo4$hUsBogkBV@T;Gdsn}xl|q!t3QdoEzTuR&f?U(~{7>PHpT zqI=njZ}UaK@5xJRVl4L~I_X1OW*5~)N9N$xSNSa58+YSFp&@Bn{2~PIFc(JWM9;y_ ziWG8q6j3(j&9~itElF_HG6^OdnW4HqVQ?8Ibo&b08CZyK88p-Sv{TWR&+x|xUV*No z3EErcE_!HkO>i#h9#(^C(CEB1td@Cj=>c+Z5Zl-|vi6e6xW&#(0GYLy8W|olPR3{` z>N6t2>SR`=ssGuTzyP)}vq3ZjJS-jCkC63Z!sy)3uKV{GfQ9G#?S7%UhRT57@AbNx zk!~4$X4R7ynB4XI1+w1i5aZ%LDe(#HQ@$bgBU7e3yfs&y3l&Z$Gz{3$E|KT1- zH5IZW{R=LP#^DCdxio%MaRNuesHfi)_#Sg^#*Czfn-!L9}}kL+ThB_K_#SJof-);E@&abOH+J-hF| zO4UiWI{rpo(PX=IsLg6%H2#gx&p;BTXgdehlNToc!wa*us*>oujeM${!;F}N#NhNC zb^A*s8}^!0M=*YI7^Vv=mPoX1vpSaLW*;f{+hCI8XJNCB)#0rZ=_n7}Y92UZSq=p? 
zSW$+0>PHA2!U7prMjD?VEPU$<0a$HG9At+6ec18%Y-HRiL1b{qQj_+Zae^u>}h+c)H6y_%F$Mh4a$^SZnT-M6DPBQ2OCsNyIz8PZgg#EF5|R)xt{?+opg$j0}QqlG}sGM(I=n`vVL4*BLp)v=~%w z#J4nxXc$@tu>wgQN~(9+ zv7;X`qRR0YthhW~k)fiS%o68cxc{wrUQtx8lC4nXBdtdk@{5v^`$DXHewDXOT6fYc zTr8!^R(Bh<1i~+`9P!XeCbiDNUe!N=*66vBU<}(!DFUFoK*Th^h4*ar$Lx#%Qr6u* zkl#7h#eO9%ttYpi1;i&mz%D9n8`B<&Z+lT)cF6ob&+EUZFc&EI*{>(k)Cf$Ad5W92 zdjUQ3dwC#3Nxr$Nv7QfArZDc&UTTaCo27TYmdUPJThl{-l$~DAi}7hO(r(%8kMbEW z?Z3uK_cY3f+pq|6@ATS5tQxxhsAY6xvIwr!;kgT69qTM-0p`v7aN@UGN_xNPkqtri zMu`X$P?7_&+{uh1iwrY)9162MtWS@6X+p-8$b{m8Q4T}ZcxWpAP$HFopk+A!kx}Y$ z6ISe$w>;&<)U|JvI)FEgYmJmF)jefLIoKbc^&Fd9K(;iG2*ATr5ofxy)?bJ~`HY9P zF%4&?6c(-~{gPR6!_Q3>4)4QCjpGZt4QWn(*ULO6KYuLww~uaq#nn5UyO5r_kY&d#9lh0>MBS~MZ!NncnQ%9Ds;4v`?{V+`L>96q5>p#C{5 z(p$$zOlP0A)6aHy8&OiJs~g!9%Nou#>=7*nzsVxo zK;SL~$Uy4+f(3obf=3K_BpfEu+GkGLT}$#-&=tz3Y6$DYUvyJRQ`&pV{Ql!Hn&iJE z>WwOK$?q-PiD!d)1>VK#brY#?GODLLZxa(@w;s>c2R1=2Se}KK{UnXwbRz}i9HMC( zjm4?b*dk)P_pm(@toGt#Z6pSh3DW%?A$!^!)3!0hD@|^M6;xaZQPIN7uR#8~{fZ;z zd-esHyw6a&SdWG!MkU^BEDOBHY&yUr`OWt?2zN}#W5fKmC9@=>U)i2 zXX)vjY<=Yk5vO6_MYyQ^m#=qY=YY_*Lm*{i%x=fXyg$i+s+_}nJU@zlKF!&Fd>GxKP8HY60lSGVopnQr-6PmbBZVP8d<|Dzt6p$IG-ClEEkS zBFgV5caXzE7OY~=C&tv(t3DK64DZQl96IZ?O_~Yp=4e%9)h)kBb`2{lZnfp|sz%wD zQv3q`)RZbT1kqP02bBFhTU-DQ5WM*QA^!O}K#{W>6b_(IZqaKscBg<+GA^rX@f*>b zYZhHzOPd!(R$X0_V541(6jvIA8L`0la#XBU?|54H9m$FFOXu|8POv6S=WWqpak%TLJnr9-a9Zw~?D6qspeu6a@%+a2XW5j)E>18rA@v%tb?1#dhBVkK z?5vs9i;$XUmrwa7?i#Tbr3A&z$7mHe&Ug|V$M)@t$ZD*jFY1&j+BvRQ%w>p*MIsJb z>>E!Z5w-YXG?;RZAj1Y#JlwL?ScNr+^}(t~Gw=ypaaU6|Uh7AJ`VM^_^5tR2NE`%6 zK54hLlx(p>H2ye0{^var$p`>_Z42d{W!UG!z@S$uM7wGSX~B zR+bnv%oc~H!HDag(4~OB^@*|EVWPnkkNYnRaq&rWoCxIEESY#Qp(rFEXQcaUqnfEt zx5a0w;4$7EE;x8MWD_~4v}sH@znZ0&5U3NN>-zC~gBP9i{A>8ss7~^Q4e!zNY9bJV zbp!DqnBAm@o7c_~mn04fV&S^5U!;$m*tSmr?L0wu5IzXlbVsi`xe<<)Vk%Uud?kDl ze2jNgVaiyrIUhuM?X=Bnd-B8^xw=DOpJ<`Yg3@g_y{#5(^-?*Vzbl4 zd7Zd1H>GuyLKHg`9UH@JYCHs&i`O==vhU#B+numZ%3pAE$;$P%MM3q8%nN{$bOr5O z+_5d)swA-O@MLnnz7goa(8<~IP&@ZpOf-#VGWg>+LJ3$VXqJH{)71-decj>@*{SIo 
zBKO$mTjfWESa>uC?m`oXqd(onY~iwTs6>#D6s3J6xW>tAwtl)!)=Fq%yOW`` zf8ogN^L3&ZQF5UQ|F15yIw$hX`3Sp|j@%K8lmJEKCJZubS7QNEzu0RU>VkW>Zj%~K zjxz}CZxF6J0Pw;3n7}J(GtaWZmgEjnhR<4M?O$xJlkEf&VXF=Ajd>elz4;wQ^q$4_ z>|sRbTby0C6S6_DB}|o}ylS3D`F~WfRASyfINQ}Hu>rQlRO3^?FHnY}zH2#<)af{q zH+#&Hs1U6EC*M)#A1_j#QneKEO54KUhF9LRw5O;IDT{3B2QE(uqqwA}%V>`ZEYZ>j zBC87s4@i_w-n|`LduX^oth&{E(Q4IsQTh3)-i+7--582#z3m*0ayK$)97VIzT2g-F z>#FV^@I$pk+TwJfwdwtf-WWpYFSN7pxV+;)q&st&K{X~MMlmNKy0E(?m#W{zl0}A z$xeOho9-Ecb9l*N8iF=75Kb)HaAKm|+JSlL_)V|Fb#`rXtV*ws35}TLQPOmHQhjib zQw%=K6ECIW1D>?D>8B~l$x*4j=N*T|a8KPpN0GU-G_SC=8rJeHQX0+^(!W@dVrLgW zMEjj!kWhp1ad_m#zf(#Rn3bfRb7>3YJBs{s#@`*Pmb?#VJlG51j;B977*scS)6C>lVJqmWcQO$}*D*TgB@1=*N6EGuxbw3Xlb>ygofeFKWQw#WLEOj-SG=hlway8*5#}Hl`|2`O7lpeI^wDS zYjPUvRCo7vf(dO7*MCTIk~BtcYVP1yLc>9@SD;ZdYT@(vfXmhN9#FW0qE44rBVboLobEvG zNP8~Ml{en*`@AlF7pU2Mm&d@|kEYj4xXM6bzvSnJ`g}YWK0-2mf~QN=2>129^RsSK zCIV*-7N4dLj)@g*pii@Xez&@u>d5gCg}q!;P(^0`8izQt>hfRR{F7@%)11G#N`1NS zM?qhqlNAjm_(>x@sYe22x%fqkHife6rHKZm_Askqt?hg2>jZHzhD9_eVR5kWnEEJijfXWm*KT;9UhB`^FeM8aq#S$O*qWkD>jfQ67U{s}o z|Amr}VPgC!Udf|}yCTyPJ4|qBTM;rsF>YMZE~Il#cO7jme`=io0>vy$d`eB2{JK48 z4Jax|yXfIiUp`&grIKx?BM$``r)Imt-ySMcFUR>>34+v-*;`#ND!vhac2V;!z|qNk zTBoYmM6y;6V7gV@m!l`AEtonIY0wIz4-~B0n;Ku3kP?&7?}*U@hw>Es0K!P?8OmMS6`vXWXkiys8NTz^GtetQ_EI>dRdbVnYoDgF~^rkFo19tF;} z=#ce2Rn$y^YxDpEj?_nO8lQ0K1Y7LHKLB{7S|t?lu2|K|w6RZoL6H#@W#fntAvDQ! 
zj_Wv7R>ZJSBZU;g+>@Rw98WFe!NMR0fGy_&J#${|=(~ZNAd}!K8115c4M0Mhw8IH| ziw_bb_nfH$PtjkuS}kS*KRqq$VA|4mmZxW>AK7Csk?PGMojs3gf7_UQgX<|fJ>76+ z0jlOzrENW}R#`+3Q>V1O`Z|K_z+$90brGjk1X|ZSzbZM>ZN=(?$QG=w=z<-%gX$|r ziudry7+cQdYy9oXMaZ*96y33(%PMX!tO*c)H0i?gfgyQ__sq|+)^2=-d`kNZ{fOFu zR>E_;<86gYC7}o?{Hpc`IMAU=n}yUiKisI$gX(^m)eFRYj!7GG-{*<*rEUHA=>G~G z)o3()&jRRBbm5{8990EAa4co>oKcdZ_&x+Pw|a$=J9kQM-3?|(vdT~`E^kF4I=3S3 zqUq5QK8UTI-5~M&pd2Mr$&6jHB~DA2O=QAl z+8!Vr>sxaY*3d!g`S|KzwLO)o#Ph?hef!LCyhZjiR}VeC6O!3_-(YQ-;wiI#Qr^HmQ+YRYAb6e~Lt^$TUOWfGhRUG)l@IYAL-$P@>GB?rxR(`KbEYjx( zQ5xR_K3ba;?wOm(93bp*gP)?kL)2p#TYH0i><0ECL_+E4?A`UQcM0sBH*d3cuH>Qf zIx=$0-;UcHJ>Xn^)_!HGFa{R)Zu5fpA~WV~iBhc+bJ%u{Y%~bUq|_&Z%*YF749#5W zQ+dR%n2<^CmXS})^?Tq^fn4J?pcxCMPli_GsOzf!lva-Wy5BEO#;qW~&|I95wx-F% zD4~e0YDvOJ5r1l7AYBVPU4qyAau7p#qv%ih&*N~pN{|Y6?TJ^05C<&5f1#TiAchTK zAr%GByu0XkyK}RgcaT#INs2Q%c(bN#pym{=1~kHxZhS?>jW49L1bk||zNH-*snKc8 zJ8XO*jR_c2G~uo|I62>`X;r2nQbThlEPhI^`mv&1YB?|8RB*#)1qYbG67>=1Kxjx~fS^p}u#YAa6PdogO9=mA!TQB@fLYMi0`dB;|TCZ66 zv`+QbO$-K)Y1y;fOen@o<5;#rOD$2la&ADc2T>6QfBSrd-X&!`IvIX1f()!m=uj$* z5Xw=xMIVo|`*xK!9cm;S@Z6J8b|fY@*)F5nk)0;mSKQ1?Mse4 zF>}!@GJEbQo3h)pLp@yiYf@$V_j>U$g0@-a_V$X`V4$_djhxb|i%}50B@$!RwQ`@$ zPK|aY$z8o~Q_U-5$kN>Pi?R!DS$o({zK`UTn>8jO?Vau;#LxjMv>8h!ft4Ho zKB9}gP>JeF4t~iUJfR0I*kySs6qswgKW?bM{v>hmsFCuvMGD z={|SU{Ir@=e1}Z+E5|cBdH2{JY5zVr)0zLEqEJLPiodFJT=OD#N`SxGkEN69KZ&^*vLWN4o zPs${3^BZ;C0~1m8G~vUhCpO`m-l5u5ODGrt9{$;|z{XL`^R~!Fv}tC1$6&+(Y*#fVq`u;{0oBzFGxU>1LLsE^pP0IBwp8A<`86_oAW}HWESboZl@)S*K(I*&-WYI;qNV z{+Z}w7V{@^mhw+z#z}hWD_6QhLK;zU(z(GAIj!Boz=mNg$q?7ZyhY(^JPfORn-RPY zkEgDE*2o!uTL@%W=;G)O6d z)iX?XY0jN*;{I#$+Iop2v1qHv_{hBxedsm2QpOoA|D}=~3%f;p0o!D7j?(rL#weCj zMn9cnScV5%A^s@Pq9lQ;OzL0%!)H6@5813zz|x`w?WP^M>HKs{rFylX>7hiz*5kCt zxt(m~h6alcXg#?o`#fZ!(&C%?UdG?=p-W)Ucr{U%CJx5@R1##h?w*~3>au?0auUMh zLw!t{*+%`2xGqGOHM?~jyM9IZ6JAh~IuY^p^O>`nhh?gdActZYdnP!43X-Yu$ZOVT zhj-*q^^oppJW}s_R#B;QGA?u-j(!Y}(i3tDX;9fX;%{chSjDhY2eC_hU#o{Ab9-fx z4w>WqVVKfmfIhYE)46HYn>WbrZF}G?e8`-askHBN*v9R84Ckr!{r*J;>5%3z@`y%> 
z$GIe2NTi4=k;dMXLyNPz)JHYO5crvGIR4G zn&D!A49+a5XeFL9@FJqTFORFvt#WT8i;`&9z}u;pdNmfU#>p z9?$VH#0Tqe#?fd!JGJDocIDAMW)sXkT8=339HvETj1;u`cz z^CaSMZX2tH-t7j3{oBF(jETmSgF@xINBygQa^-fyWc@cm-zyqxT-kV}EtQ~;p%OE( zQS!vc$o{;~@Db1@KyyUKKkCKB2Mp-{PS*#U`lT|qx#r-pI8~uGGEi?uuN7V3i*9+I=PUu$JVa*c2_`eCF;aDIkHsbR#Z%3hJ~X{m6r#}tkvE6NXK|`I4clykL#INVW&2k6sgCx&G*iNLH8*i77lQ~VJY&pTvM_{Onv17HpcX6R4U(X*~*j}wluCXF1R*Bvf5*;K{O5+?T zyHNmhD(73^V0AQzHJ60bVX`A*u8v-Uw5s!#(NE1MirJ_M0NoFvC(EI89dA;qJ)OZs zQZ%R(>&kjTxD`D2rU4ToE1Ei&y&o+sXW8h@-S0YwO;r)GYXOXuY%br?_HZbv_r4~L zsP7+@!>c%3fBgsi0I%QN!gs$p!fg1z`auiaHGE`%QfS2<4hWV zj2*$%24AP;RSm4-@o&`VgwUdXBV@P&fvyLR97}@ZF)ry znBD=ucM%@2OYxZh-I%(Nl+x{e^oaY~`g!NT`{9CQ9%96*01ak`cEN9-r4X?SjJS`1s;@2gCaGPTV5 zF$LWtg)LcM)9s8${*Vl_-KdN14`d^9f)EJr)t70-i7B((JasSV)GkfBpkn^XyT9VtKUd;?qo%=oe<~QLva+Z@0XPtbBTxein&H8H1kdc zWqtc2C(f}O35e%|L4tqAm7JDF@xGN3u&7vAGue!uAWa}QuxC#ZSLCdB_Ve1pdcG6SHaa_J3+>_nFc2Mm*MK zoY|g#?n}Rl9&Y4VvXD<30T++zA6Dh(R;#aIf26^f?(M;t%mTj|_K+SDhlNfd&-meCvS$?`1NBRyQTeE4>zQttoK0FJ9x5-dOSVMc;`5JNqxDB07k0|LIU~9<&hUcjNs{p@mS5kSsBTzvD+odvu~@2fm)jJnvVDtHGN}@ln==|MdNned@+z2BiNeUK zqvl2coyWqy=8D&)Iv#{hvg_tP13TMi`Ss~bnC&qOc)R?q0X%Y5Ay7+AmgF zS+#_pv9f^C(Q|slf?Q zHGs4v889g0_`15I*(&DkYx{F4V=k{qb)xixlg_8Bhc^BnId)mRxsKoG(Z1!U)2mEP zRj=6ODQ|eeK5D#c8;G1>TFz4TA`5oW@?{j!kqaP`3TH8q#w7&&=r_znIQuN$xP=Yw z{q;{yx7_Ex!M+1QOsPnyAv+Ntt9JQeL$yBo=h%x4#%F|*XW{q1agQ=y7V0fF(c9Mf z_MUzgtN6cKmBV*#*K5)d4~aNRWBL!0p=VE#OypFW$Z{vgUt~aJ&SvbjOEt8cIkgYH znvtQ?h~G;OyD>7DkLokIgksU9S*5qv5G8T#^-+}5WGx%j5PY0z;ro8h>Yo_Elg)bQLPkA>ArV~Cl#S{ANp*F^UmGTxZi#w`1mH*z=! 
z#xA90eUArY3$)_(RzBe`->hu-(3XbyshtOB=Ia{Q6psVo*LgE(@AFH+>xbpJBhw1|M9z>T`b~ZP` z2nwruGJ=T7=jBoVdRg;SQA`%Tkp`%5lPaKvLq)TXu_`j`N49cRwH!~fm^^egIsK?CRsp^^oYggn3?VB0zGhi{ip#k^V1zT# zL4}hxx9Y<+9JC*cxa zDcg`WtUC6oS~9@#YGcoLv-@mc?oREUmD4y&0#C}MOA`_|u}M4**{fMWGeneMa*s@A zE4QpEdsO{dj>bQb$i>fv-0K#jw*E4C6>H8XV{CNIm0TeH_^v#toFDyI1A}E)k(G<8 zxJCCbB~)A!?K#|Owkk$0h)o&eCvfe;oDfks>XQe`ERre4{12a|I;zV|8rQ2Gq|M5t zZ;xap)bcD>W!cJ54T$`CG~(6lKdm50{-piZgopZr7nTxMO^54SVJrdDui+NGb4XQv z>()I88U?kb{K@eE84M6aSq(B@;wbE%IWAn)shEHR3&UrZ{LKDn{H(g)EWE!-ITukS zpj02j{-ug4VbKdxw)CSV3!mg(gmX^u!t^tX3t9dV5_v-M&o-Ir!_a%#8B=vU`n-`Q)Y}S&f69rU7Lsfpdg`>jIMueQ1;QZlISga#-2M4QST3AZ?VHJ+$uTe=TqP-F!!vnFe*Uj|5CrTws zv4Y4zDk<)nZL+^*AB1&|8Gc}f{4;85>f`@LAJG`{5sfeHl7<%Tb!2jJ8|9H+O>dwO z+`*~$(+xe%c#{eGvN}3A1VSe_zq%>`4ZEX*+jvJ^&dzhs`6M%Vo6XX66<=1^p{WwN z&lbl&54EDK(Bx1Ja(A-Iq&{xzVNxv6pi~pEp{Z(-dpTFlaAGuN1GsKXS>&D2W|l~7 zX&|Sf3zlRWC2V0zFOdJWUc>mMAHMM=T}+s`yW=GT8~s;87VMV9>6;nGGWIpslVZU} z#f9Byno!7F@`$eW45n9^T3&ha>^kOS1X$0cgsM^7yf}G@jkLt<_=4*%Gv!k=+gFaU zyM6kL23RPt<}yl#=*y+QCY@8DUb1NNME=K6$pc7LVXPo3Kjb>fba-*V28E$4lrWCu zyYbi9IoB+<8L?T-lfNsMF%l*IFYR2>gqaTgh%ahSpqf>VBTO@520!I6tw87gd31|H;&{58aMMOrp8{m|PN{n|j4R;xVrhvG~&a zXj!H3A}d-;@CdSRgqwjaRfYct%Lu!483tdH>WImbqQU6gS~r8pF=vx0aKAh~p};QJ zt)1S(>$7%!QJw%l??PDW*OApm`lCM z+!6X7Wfc5l*stmyw!8VQqf?==3BN=O2Wqd`#kvxDX>5kr!6O14VZdj#`Lg<-<%lDU zRhljvC?zqd-<2r8Hgp1ax`~%gXfN1UFB)U_AC$aYs%%H=?CMwrT^#$4o|eWq_h{&~ z_x53{Mp02)DnlX4osUm^{Y)Ue8!P`d6KVb64)kn$w>tLacjpj(FF7CJ?UP~ta$bxu zplEK^LoQr9SwXR$CtNF#kF!?-ocNxDMgsR7)EX_LObEZd=b9X1crsccjCZb>hy9P# z2HNZs73sWb@=`}?NY>NRQHOX{j%_uFC9}za{<4nv_G4!l^ljIKtJ3K;7z=ZHfHKBU zf9FFkX4q53+b(ldz9{+7r_GiJNYJ+8>*X(uAsk}FR zs<=|zeR^+5BF-ff6vgH{TIqv`T_1!?oWw%Hsx zwxseF?uNT(K|`3vc(M~QT~_4-XZIWU;KLcL@R!H0(}Z~LrA%#Ivd@x4&cp{J*K;;7 z{8vrfPg7}~Fmn(4UUW!CLQ=^+6rLG9Jq!?}9+_rzE=F;O5`Rc&#{ciCYtk-}iPf9N zuy~{fc-``p#2D_(>oB##ftC1e=qkAmjjG~EWtt8MG)5M zZbdRE8C8{yU-0**(~B7Os&YmO-)x9CDwxg3>gFp5!b>%Q!zArQdwl@paUFKjChEmT zuA6WhYIF;=I~kum6*o5qYpl(Pc8w>{v8-C?x|KoqPh;VYh>zK$*%*JyW|cE 
z7xl)?-=6(~nG*tgX^B4+cU~OO9E~Mh8;y;^aq-*SDfF)p!>(V011x4v{(lqIHxuWh zX3dfIwqmgfXT>^HkgME4&^(58%_{2pVupa7GRD^g)Swuuwm#ewP^7w|)|GZ?4y_^> z7Z`Tl;~1JMI-bvbP}8*sVJfvfSZptH%%<$ z(#wX*w?UG9A=H%2ONKC;XrJT2ThzNFT#k#X1W)rXM$z38q1nA@;LAoXrg58rmHv%` zw6rW?`_M%?E=v<092d8D7S37`M^(Qf^<9(N$V17k?g&H~Dyh8vzRh0lF8DYxpbz(p zwXH(YT$rRS*|1YWm75tzDj2K!TD5{9a21krJ`}fCX19cdMi5!)(b6I|M|n}r%S1DOB5_sPJrt#7ihnpbStiIDIhC_hN#TveMsd6nv2EnG7*tL*qa=czV}SrH#>fIBsg6{ zzjnbmq!#3d03RVOb#y~MD>!CUQ#VP&0+rauAP*sV$i=CGX;h#6W4Opt3*3J|c?~J$ zA6@`OXDRyrKccQWEXwX_OLup7cP|Y~BOtMK2?Em6NGjdk&5}!Z3rKgDbfdI_w8*#m zem}e}{^8kYuQ_MV%suzanRB*pg7oiJ0iq|*I zVKPf0ij5d&%UyY~nG++;>C}KlVBxKD=JfQLJ+8y~QVfyk%MN$XZ_BBW2Hxche?yC_ zv1_#ZGt3m#EXvPPJEGcxF(Q0uTnVaS5PK0>%Q>*LAO@2zycvFcv}>5UvTy_+t4<=u^M&soNuo|M82O>PulQ%W-?W zab&I*Bzf6wA4W|zg}3mJ^%RZMuv%hju((<$@@k2W$t-Jm3npb>_+{0CekTohQR^Kj z>UDDmDrY>mIOJ&+7L9LfDP^dJVtj?o%p_B^oY#04MX;Cg_L%m=YEPBGh?#4;EMJVP zLuc9t`@O!8RS$*`Ma;sHDosT~A-nhDajWHR^8^o%-*{_1YuRRLVj>+OE1s{BdJA(I zh96dBWYLKgvDU zLGEXX+Ec7EXHKx@mlqGDtYhU$b%OAR5ur!1svGFo4&`UW?pA~*1)|Vq^Kj_Hhj7NM z<~jA-E^4nqO{GR^YL>Ua-)}nVa*$N4H{)N?l#4#^XNecc6}k=0XdT8vQ>F$Rtz)y? 
z41@EyT@wPKE!o2K6)ca1@69B9AMWnB*7>V5Z?xBZ8iE}Vmc7!Jb=CvvwrzhIZh~nQ zQ8Ssp1m>5&FTPo1(y?qwwd(+<4n7)+l++zs@%TCMYg0wH^G0#bAbDC%DXr1O8IE^5 zPQDV6NUrBA8tsyNz&bWfMtCom86@Er#$R@{HZceGRa`4oa~No7A~MQ70aCktm$qU z@5eqGQh}L$JJGOfC5lx;ebvYJ&B-h%pWkl7o0v1Y-UH>UF)EsG7PDHq-7a0UZ^D$> zT#CQj&qh|V&U-1xv_`GhnJ<@h9Q|z^SV|Sd1(Uv4O4{!ebIdu7H3{`S17*&P+d{FSuI~% zhaQk#H0i90q^1Z0qD_q8c$*iJs?6=mXhoNyszB+2TLdg0kRTnW{Btxq>NvoSPmNE_ zNU{km9{NKc?nI{_F~<)4GQmwx_P(???xm-PDguYr5^GgR;##V_l6 zv!g6k&R@UeUYg1@=x-cmtoDAqp!8>3B)1xXBDd{vY5fMHc3CU@t^;EgsGJyk@1n!t zfwntJUAkz5O|~6JRa>SYcf8=`d^}EhXtcV3g@w9I{rrtD6IM8pSG2n6XYw@ih*Hce zO{OiDrY1Cf=v&W>!cRFyQ$~JwKE5xS_Y1emTM}a_Vgcao?PW(xjoCM&)5UT~oQO%( zcV&;OW4NluZ0V4=l4JAijB;;T@eH{%2qhipiWpozG@S2k;b?KmexqdnHvjm$Z~~lC z*n6*ROO{gU6I*u*9O(Q1YY*_7jMfyF-v!0>W%GRD9#_c_lVaxEiN0*HFHALtPx`>m zN2FTt)_Ek?vMu0I&|okhR(j5oXHbOz`R^>@194cfqkWTkO5n2fpWXa>V45rk^2seMA)OzfG~rIWQi_D>Zg=L zvNidPujSN5smzeZVK*MPa6WB4X!$OR6NgX^Qp?Oc9EQnPT4O?SEOpc7h!e4m1kn>}DC$cpLNt{L(^7a3<9t%N?>N52&2#i6 z+q;fx!27H~lj+$kzMe6cY4NKa@sAq^Vc>bHa#F8RfZuu>&M&A%*i}(^{z8oXb+q?A z>pB};NULiEIW1Id`NauDP-E1s<#Z}AI91yEHi6l7}1d$!uqg?b+#~FSK=jdaUs{5%yW5#RBHrujn*^CKf%S7Yx ztNo{_N2yw?GNUmTP~P(fqjz?s!lCPq^L@6oT891WY+e(?DHbihEl>{6@(kpv>gO`2<2rc%A48%+(9>oVD3;WTNbZw zSp-;@l=1|>V&!;02pFd*kSekJBPQ9|cU4jOB^Trr=XB^1Uh*Fx5+o?;?vfqEDddeM zPI2x>BneYlgcX)Br%$0!an<2Pd#}bT`kFt)l}bxIMxEqet#!^iIhu}=X_vSpp$Ac! 
z4muZ7lFSLrD2;J%wlfp|5ZcL8vDAVEuKGTuQ5O`=Y1@a3vF0`FvLI9j70%b|Q=lC9 zqYrOZV`>&d12f3bVYfOG1jG;-jdIpw7l zsJQ$V#{!p;Oh%b$_X_8XI8%CZu{Af@<%L^KFs|fSz^f+0)e?(jy$aG%ioEtaD z4&nv5bTN`|ekICu(A@I}!)!QlihMsJOh4VL0ivt+wQA3?eP;p0L9aGPPv^1jt(J92 z-t|BPJL%JbyJ6qfLWM&U9#-a-kazL@#uP>k<3?ooU0$vZjO*?DJi(ed;=(G}|e zWvPFCwFc3NAN%8|VR)8_qY3AJQXRY;jmDREQkY|K*OjbZt_F>mcr;kp%_!2EIqq5d zahdL>kX{Q|`ZgxOX@{kMA`K_kLZF4xm|NTc#b{Jn^C0xSz+vacAh0Qt+`>zZ?xBiZ zh!fqSp<-(L@U#$^^y>6uLecE@g?QJVyF|sQ37qSD6e?GEi{P;thAYiq;@;ma}8e zSjW0>qA;$sdAt6sF74?a>p5-25Jo+J7Wc zpGg)(6ilo;vRp!}%DSaenbbKV4lo1Reuxsyhi?)`f1#W41~1ZWW$TmO@DWdPCtoGj9M?G)cL=kM3XumdK#<@B-3|~Y<4UgVWDO2c zdoQG1U(n?td>%bCf$_sJ(`Dex+52|_yGB>9Rn71ij?TX@H2CDtLa<#bgzw03yAVEPe;)I&1i|k^)fse*KSOa<@ zBJ2Q=yfqC(%i*?7_LlQIb&)q#ckVxd8HC`lrp9XMce_lJVgG6oCnR_8T6U1rosoLQ z0va}VgUi6tJ!QN=S*UlL21$TzQ^kvRlcc9;>lM|djm>?MagT}wl?p#I)$MxIMm~P@ zSs^%@tWA9dDL@FrB{#4J<4MG5HbFH%S&HVyVTHvlL9&tq+Vo~~0Y@&vz1uiRQ@#2r zEyq4sfqA8-Wz^!-aTXjiV?f-w8Wgj4@B@Ww#>- zsV5*|PB=67fI|pH%%+)(!|qr1(c7ht&8}a(nGUz5s>=Or+fJ2E+#;33P8?>w^fic6 zJWt&wYzE1_=z=!WRzsw%EK;iR^iXL4w(Y2A|rdz$@sC6|SN?N`6#?MHqXvCKdWD9Gg!r9KXBK^J9G^x}K=4pjPT1yjGIIiUxM@I1~C|1r8 z_&SMb#{~Xe<{}^hi;toLYZ86PLGF17iL)3f_9!1j>o7DpL@gJMX}>w{r!s``pOeJf zCUgIB5=~=jRp_)5M%_N)kjH4c*e$ADt{K*3HJ)25y=&QIVHPdhToI`WLv*nKpOGm2 zRu74sX##iImCGaCyj_&mvI!jpUB|~-A%amoLnizvaUpRE`9R7D3PTS||8z}xE#|n= zQj&5|4_FwJ0nj)N^ve|9ooAhV1JPEIN3^l}`2w6#w*JtJde?4*m(Ez0e$sdr+{C^B z{vpLfY+5FX5q)G@KE#|v1Q+eXc&x7e!HR-EK_kZuqfkV#4xb?2(RO=ZyWl#oF4@JhIOnA3MNP6G)m#%p?dbvG&nsPozJ!ab720=L8Bt+ z;R(YQ0@AI7;<;}gG0eG1?*Pzs;WoZD=$~nk$ zXwHnq5Cn@mXrl(1+GbZ=Wy%P@V0Qy<-`;Cv2OXRLQ)kBDp*d8Y15kA)*%WXNPOE)j zUpq9@T9?*x3JU8h!7R>tC*kK+C0=#9ci|VQD$1nLl%>dH#J+1ppX%&X7cJu)nGwuX z&-Yy~9p}J{5=>hhEL=^#g|fZxcw*@si+=31je`0=00e&lY)4!Y_u?fbm_@4M=ccdp z$fBHxR9y>%sL{{Za|s0;J{EsDdrNzj-OIqls2e)ym&CvX`2)7fY(_3Sw}2}2L`)_u zim;I6_tM`+VN!Au`IYHOk!s%;+wPND7B3U^V z8t?qg?c-|sW7c3St*I+SYkHX!lk@R=mJ0lSe)k!o?r<&Yl54szalyQWIMUG{DA0sH z0JP@z@q81mPgY=eB{8F&*aA4on~#z>zt8j$3o@8osn5tU<0y6#M?(GUA56)lrC*&W 
zWv0w{&5Pz`mBPx_S3_lN15`G8UYT|?E`D_>O)WHaRXaFlL-6Q5d{ei_MP=3f>s`be zi2GvY{I`TeY`(23k4?Fe>G4Roos7yxVbqsN3rpmqi9Z9v(G3M4-VN=hZID-Xcy+8h z#!mJ+nuZajj@wawIZ%)0dpmXy<|_^@h24)zM;1mwPz58WztW4BgFhm2*EamAflM@z z{~Q#U`PJ~Drp7#I(eK1tv5dlwO0v=^N$N(4n9a&;nK2$O?K&71Xa2#{CBdJZ$LIq@ zD~~-)`Vnf_^NN9EW+IA9Wn_EYW~026B|IbcOKCaY<0zMHFOBk$Y!0-z4is~v$ISj& zT+ZN#S@uwTUwSmL=v71{u~x?!wlW|hpdr$*M)J3{_}eCJM?p)Dj7AQE-1_$6N*9iJ zOK+oF^NSbf=}coL>hGY~k)qamQXKSKn&R@$?Mia)YkW0X=}V`+fuC>b41pi3yL?wW z)n+I4IY9zyfGewSc%8<9HRrxs;6BS3!1j3lNQPdMA=Ee`o0O$EZTf> zvGh2(D+BihJYQ+b80}ZL;<(!?;y35|tt|XFP~{9u!?~Ul`RWh2|9N19R9YbIl;o8` z^wwE6kYAgi$QbvIhb~rTu6j5#H?nmLG30;5OWiqpYtRq9CuSs^psKQ;_c$SX3W6*JfIZ@hP`Y)LVbI*E4q$?|^ z?2%AA7o(u>2ZyrnnUiya^p-~0M?CVH3bOQxEl= z6)WIxqQ6gC$u_k(3rExH!juws6HD;2skpQgkS#imUy&$uX&_;fK{AGeSTWYbu=?)Z zGNJ6mckR1Ao=GzX;}jOrJEdevbT#H0UI1^YaBpSC$ZFMAD5`Mu;qu3XNq^dHADZ(n zT;H?^lTRUZQ>zK2MSKcc7^#kRzdL_$dMe!UQ?v0+kgT6{4l*vC(8(3hXFNXdeNNywE-#?gw`JXefrg<)8IP6o|`My8a?i&)Hs(}NegYqfRc!_EmmHk{R--LqAZatx*(-#g8wt4-W+F5)*GH85F_27^R+BX zO4+&+%eBXlTK&s3IYbIQA^l>^@6v*!S2Z)GiQ5;DHRuUI`S%&T8pN`@A%bEM{vS;X~$2WAGR(3jBnv zfhhmOud9r2F=LNUy}Ldl=kt^IF6hc-!{QOzn^GCX=u*K~xvhg_)4CAGUl755 zCC&;2=16_!LCKb-y$(P3!gbpD66?#+B4*Sb{7m3l1=PCt#6$f@Ec%D5B5)bCM7I`K z9|R0Xe#LWuF*SrtD;R;6nR+^(4llnL>woW?XDLeBxiMs^5R;wxY_<{axqqg_G}Cv<|rjUwC{TO&OL@2>JcpEjrRgB^q-xu8OJuf^9ew@OAAsnHG(?s?iRk{acX$cy1)?p6R60)5WX~!>VcUgw zfU0N(s-nJ8S?MfrPM5^Gv)79y5A%hJw&vqzgb``D>(G(pvbFO%W#v1j>|10n4OXeg z!7GMiF%{FF8}E~3Y-TJv@%|E5d1|BcJrY^fr)Vjvm?>sFvoqkGgiz|!G&dUZZXgcf zp4Xn77zV6`GCq+%_?ZqO^Q+zNi-&$6v#lG$5``eM6NmTD$`1EH&{svYsg07nv;_{;8R;{ANQu;jy6`+-8Et={Fca(XW zQ?AIw2)Z+Izl#$dyz`(nJu@#+klpk%Dk`B9mr7q!$^=>Q@{+?b+D@ySzIJkzeR`yv znutb%+!lbp8kx{Ji065;K4SSW^V+tU?_Iq-#@|&agsIlJbc)G*I}MTRaxz}R zQ+E*wX~ItH7X*!6xiSq?NaE(I*<6+JRqhj3YsmaZFMmdEMK0$EO=*@e=fusRduoCKim&-axg$TWVVpmXqYqEJJGr_>!MjNQKIjA%ievNdfwA7Q$RMSc> zl^c`Je2)DV8O6STSBqY-9f=unMj9l|kI4k}X-4M~~Dx3}sJOpXs#^z#j;B zTTZU+{UD?32dJ1ZohwrA#kxZ>U&!h4rVcOl 
zNDMZ`bT?bOlJW#YvaQ~k{#4j9Z(81vJST;{UBXqflR3Kr(7bcaPxG8OUiiJ-A(tUx zcUDjGv3s8ZeWc~W$K{*b-o^HryQ#190$|lgNxX=iCS@Xiio{A9L zu4i_I^P|9z9COh4UyVTtM8(un97oe4Ktd9GgxAzu;_*%mEAY^R5L$Ar80?GQ?77Bv z6d-pnV^(T5^pv~OeF&<$@_SL;CU7Sdzcx3LY4{heP7$3ZI0gh-=JVSKocA8qO5jo9 zfEhLEwbZH+S;E!3L+D4aM{S{Yj?a=&mIiGc58qfjs>&abLAEf9^U)gF=nt*>1ZjuF~zTKLwlUZ9}s9| zd^J}dH4Nl*Rk-y@Fe$0Ot{ka!Zs zcM@Md6W`t{=fs!y#ECDHaPV3fBRN%14IE$rQy!~{7Tg}A+R|JvF$Ia+v7&ZpU(N|= z+^a0={atWYKc^UmVt^m|EHJKa`WlW*M-`a=N>+2*8MhT@OkC2P@6^x#2;J^5=p~xQ zf7Mv<6u^eY58Vbl5*{IeHxN?dAz3G?=VSlCn6CBBcH~r0h+x-&;mfj zzX=&YlR={{Q%}urQcfVLH@fALc-?%$zlpf2UmvdjvC_ov&XixzVF3zM3QsO=c%YVuTwn7 z1MpYCI)xwldJc4ixp*m_B_6evcMeMwz{fhhbN_eB3ytKOSqXg8Yl@lWk>L|FA>1jj zn{)$_>nGh+Z%M0%_`JgS9O@~t{$gWB=54K%MY_d3_|UkNcVG9EY*oJ&&1V@tTeGO4xGqG!ZYJgpf))VO)4-PVXY_^a=%>}->H6{ z-#uj15zlk#S$i7WSmkbup|c745c1%xRV{?7{p)vnM7yYGhj^i3u65tp0rYVBH+hMNh_t3d#Cpp2+i+@_X>tz<)fS6FXOs(3Q-tdp_I~t)njG& z*yfi?zX6mr-7uAL7f`^jiqOL)G)}28FKv3#Ube~NU>uGpGi0foTIJU^k`LZtayVgP&ld>Fe=f=PPhj_qQ7q1NQqHDZld~d{%I$# z)s?1uS|II%L79Ri`re5h9S^*lC1K1#Wd5uQI=>EubG2fys~l}4n`WE)KvL#iuCCPh zyWUw^LiB5jq;1tgr_Q(guj`FMGN{b>Xa#|0v6NkTNB2sG1wV7SfI&@-Eh@IKTIgS`D3al!F^IX#-Qt zW1C5`M@Ld#AJ)_2<6QOvRM;egWrRDLw<__U=QN$VtH&}Utj7YKQ**RMvHIz6=KiG1 zV(rwATRGuVzop%-Qwf*)&0?NVB9RUM#T~6QIe!{I%!NEt9~|IFp}-O`Da`^F0lV4J z7YEyVBH4v0RL9N|Ry@da9Z}bD{&GjjV)uT3t~+*T)f8GNw11}bp_b5Yt6&&S6h}y{ z!N6W4lYwFKmFwB3jLV1O`7N)*wFnIQU`O%|F8pwtE5i#!$WiP8L>8dHAQDlCyG@>g z{1qY#ufV`skgjVs3KXi+XU5I5lt#Y$vJ?1FW|-0>j%FC_3R1U@lo7_9sGOE^kK2XF ze%*qo=lF6->U7M;T9m4vw%1M7iohY^?!3*h8p+EHBWV8BE6g}gq0vO5$|D_;L2O;Q zvW1_7T$(NmKR}Pk7FTLE9-QYw2*g~7MuG`O?w1C6HOEWn)diWh0*pvMIl$oMR{S^>f?e<@TfQgu>yfk*k&sJ8W@+^t(h0i% zgsN?e;leGuMQ$Y|EC3Q(g` z_~Y;Mij*h|j-^`E{#mTj6@<(w*=3`z)as1;2roO0W1Q}h-QR&?4mXlEM!qEG7nUk0!&AYAq zaZm|EHOA{{EA=vi#ZcyGW9tx@)iRz3qpc zWLK<{zZ||}(+eL(pusl|D)ZraqNhHLv%jHkR=o8xP0Wn}2g_nz?9O~51!YDA$di)H z)eQ_25A*8Y&=^|FkQR}=(#yGbsnaV8{L$z}l6J;*Lq}Eb^|fVpFlnf`kG*FE0jQJn@!Yxv!|k;iDG8it8eu8!q! 
z26R^*Es6HEem28+6e?H5FCem+DNaAY7&)W_ki0uRj*3w^?(7D>C3mAK#~U4uE<)2d z9dG>Y_nYZTUp#VX;eL79@gVAMN<`<4_WAJp>n8W;hS1^FUAKVu{LaXKG3Ef433EU~ z!V*uG951rxbq+_V{dNOv{h3b$6_YdL5n%FUG#JnMpS@?q((UwrrQT7`Q6J?`43}wI z)s|S(ChT&dG(>oil#0vMNhy~@x47h}HOX6n$aa`)^OGwl%6JQ8h6auPiFcj7HUJ*A zz6cc3*r7iD@b@G2(>MCaBsXn}#yao)w@N7EfK!wX#Jl|D&z3)3v1<+ZA#4qRVvk8o z(YE^OIK4n89MwV6<+)*(W8$tXhUxSxb>_V)Usx*|hU+--F5I8N! zLfCVF+?1 z&<@{QgA_in;iE1L8aPlY0UqXZ2ZH`yADKugf_T>mTI>D)7{QG)J$Stq9pD_ zJK3hBqt>a6nN+$OZD*HTux`AsB$80c=;ve4O<~P_olF*=o9!zFVS$>2-7myU)Eb(U zvu!iv^q^d5^g1G+l#X=9)KqbbFOodA(vGid-vJx3F{12(sp>~Bcj#l3yAM2QWujf< z|E=WL*j?&@uUpg_IqD)pi9xbW9jk;f*(7K%a~T;VIY>Q3nyW>ENAQlU-@64x2UtOO zQX>7tZ}vYi3aVt8;d+ML-8(0UX&{WS`M3nm_Igg*XT1T?Qi9!iEl?SgW? z8YjPQ*~M7E%YP=Dd<;lc_r*-bUO*`}qH6fN$0OPp z`VKa#sx$KtID>!`GV44J^^b9=e<-KO^M*k@B!{t(tV-7Lug+H&LRLLBrs$ZdRDWoF+*(g_;iUr-3#CZ~m4#*f~bOZR(;C`zK)^ZFIv76F=aH?9)) zXZcX$9w!Nm|4s0SP0xiqk5L#YFZ3u_om&%8wg=+j^Wl8`SA$;fZ-iT)+HN7;58_q2 zA=62OrtB*}ZL!7~epHIE=}3m_TtCcxAE;Rx zOoW5ByYfbk+?BCj`8#_oFgE$qE2l;D{|P6BEI3zY?2%WJlqVUz^$0NH_UI&4$^x%E zmZ=&(`i&(8kgM7H*Plz$17u=DAz+=*?RmJVd~jo7sXzbV2W&RZuEcd3mVn0#^k&G(J{ zrD8D?VgjPcVQIwFC?HAM6rN<)CX<^Idbb`MrB%qfp_-G`v!Y3vADzcD_sGXd%keZ1 z6*TRjQODq^&sO}2M4~q&siu7L1T#cBt;6YM$Ly{z>CtuA!TpRc>3{AiK3S^dB%uoY zZeu&ySqVWHD_0a5QP+=0vK;2+Vr$dAO$iIuVFctMKF_c55FnxIf+>Lkou4WliU6p? 
zn4H)Y*z0JMxa6uxQE4?HuU4gd!iE1*p(e#kKN5j`LvFtj;e%zG zu3DY8K637r-yW!*@RI-)g8F7olhK=Z?o=t?@?R@SK^_E5f#NVe+6ygvuYVw1Sr@1V z;yENHg$tsnH7Yq3r~ zT%l2EQo0cu%pC?4OE4B3HAUmTBREhN)rA`^Ii#ewD5SV*eMM{xBf1QkC!H?Y=Pu^` zl3AV^l*PG_PK!tnI1WuDzM59ha{P~V_yP7Adsu`}q}xzt=iTMTNrOrKDNOHhV`t~{;wDMV;{P6 zb?>_~*L#TsH7S4GN1#l$fMul@Z26ZF{~DETNRk6?wtW(|MHahq&}`Kk!j3W{HN=Z< zKpdLR0t#ql*r=wqK>;t@J_x8qKI&|36@qB%PQDEF+GVKMf+`a1$;v74U+7g9u~xN= zF+k==vteOE3@1T3hc=RNWtuRtzYd+d#PZDnXkoZ$+I2JZ}tPPl5oc&E|f zs~uJjeUda1v`&Dz%^*TllGMDT@sdgCxDfya>DjJ8CjeYE7ff7Cs9l-U=>tF=ju#aH zOpu`~!~&Z6ol~re6274AZSqIMYk{bE#D&V4`Tu0u5~@w`#H%(S+p3X7QvV42xL`th z42m}bWw@bt(tbbIYyEPDp*Hc%)8L@lNM=%YP^OGK&~{PL5fhq(0dF2?9JX)^cmT_x z?Py&QJel@?!ACEpXG9S39syG%cd_CF-hHMuiZB4WoWOYRgQJX zoWdj0T`w-BP z1(vHkOx)i*i>I2x_&Pmu);vem%h`rt+QWZ%Qk|>g}dWJYbyfQacCS|Kz*xI zOj)f1Z^kk_${q6(Mq9>~u)U5;w^zIWQzLUhyK+6G{+(bkzzpTt$mWj#y_(*bz0l%B znGPMwON)-F3a@=%+#QsIMk_cz-7MLBccz;8wM9s@DZ!@G)@)zkve(u9SJ5heU6%!4 zAs^3u-)>trrel`YRa%_s~!65 zlt!nXMd-;j1BJh?rE%W9raS60+>h{J0#c)X>4Wzt4xiO+|FKr!#^3TEXI2h#jnd3E zOvYWKl|+A3!AH4#1Xa@o$+8-QQrVRwCB;fe1~C zBYjJ_t&n2im6gJh*JD~qp=bPWd6UK{0xdRxFq_NQuM3(ru$zxx4)!#nI`VX)P77}x zs}uJ=rA_!hyp`BgOuIVuUAOOAB57JQuvw~@x|A2G@a|eTt2pt&cn7@cHege@<~kr0 zDf^UA?6nhwz|0Tir>c3B6EBy^l+0ua{!7FshBAOGllaOgCF-OW8l!WGcRcuGY_NGh zXqEN!)0~Mz>WF05s_y_=|EL@P6QD%h8(-@i#ZpH8Z&=eK8ayWhN6PX$te0)04XZB- z7*5ooS9Bn~rAw_%LSZfO&@i(W5gwir*$mi-53VZNhXroZBVS8PF;<6c*?EmTdcZ*Y z&ZV8vYPp<@J0glkNy;{)4KuooT^*KmvUOxJj^dkRtq8#ve+w27i&$9`T9>O?WbeDi zj?V^fb|(;(H^y4rE?di+FJjidZOJtIXjQW4zPiXWH;F7I%X3JZEvh(Cwx=rnVq%eS z7T006ijFAlsJu2C#cRVh+8?L?Ee(ZjjTL%77rittLB{zCR=sBS+CQT~+y%I3dE>Vo zS_e5BnA4Qs!30S+!Uz2@u{l?8U^h9pR>{mCA44)$?6Q;G$f{`;;7<~o910qZOUh%0 znR$fF>@odCYFmk!`}hO2_pw6pM7~`(4C=M-+T~M}@@yuq<@UZ9nQ%GCqHrAzRv!X3 zSs8A1oVTnpj9_Z#Z(5D;L6mIutZ$Tz7fp`tLyW+y0u)~j|5;TD)liFa+>Rkd)nTcn za6u;3v|9m#wYMn#dw481r#`cbv$CfLzZ~HHFE$T}5BQn`JnMt{y2*;SB$L)F1gsNK z4^PRm_ET&V7Q4VZ2IGz^_@X5i#6Aa#n6T89T^BM1 z%k`a25)BoHTJ!+Wg#HXoZg&7%eQ*4x6Ki8e?+(0u!U&m%Tzg-sypdFq5K>S7UuRc0 
zu|`Od2(m96$T_=fif0d-$tP?LNv`?r(|b~uCMnn-e^#5$4I|Ftf5xB7St58+JV)Pf z$5k<#6IHV)91N^@vZf{btJsA+sA3-%-U+?(y_{Yfr^+MrMisL2xPJe{oVIuRHTd@E zy?MEWg>W_I{?Ahd8a6+G0GeOVdkv>H#W?6)LA)jw!{y{mfzONGg)tmU7ig(~(-YeS z1A2$#@M3|u1qL*B=<=hI(b}o&ju3b+=n!Z+kmmOLlfefU(AFj#zCdcjqwVThzw{vM zrI698k?1|X5fz41+{1v64_N#B0eJm0H}UDSzp-FucE}%GP@E_=n9F=8cw98s72jfx z@a}-Y?ydqOOZWS4!6}tatPU9N!Up1x5y1f2%8I~f6EsvtM?!wS z*;F`6c?-b!r*-tt&iu6}%%opt5I?dacuv2-j=>^+QT{!L=f#b8IijS=)WIuk*ad#u zb`KL>^_xKP9vE*p1|ARHpv-fR1D)xt-fS-p3be<(hk=qgv9YV3Le|f9dNLVkfO;Q; z@3{In7R2CV4&i#45;OiD^uKkDk^pPJO0E37s}1bW9-SryG>b3Z)?9(pXhY<(3Dn=v zZG8&d_Zxkmje4N1L_QQ@M1p_qW=Jw=BJ*s)c249z9HNn(9*qLj-lFyx;e$w(Fw2@; zDC}8hn>DEqt^S<{9}GAS_Sg1mj95kM7k#|!j0-hakRFZtFD`vM4a(6ud>Ix#xHCH((Jntznpi~x;&L*9!sd@k0HYvRC{ner$78C7d6d3880=0EoV$4Zy#`Ul%U#_OY|!+#*!JK$Q>XhtK|8_%$FZ3(XrC`VkR%-%xpD6{hhyo<-2%A%!K zbk%7rVR2o>Gca-HK5CspG{`S*6|_#(y`Y50jy!yE$OraFMM~s_{f%|SBkb$$TVVE! z?8P*kMhULy!bVhD!eVy>?QY*xOSw_ssmovG*LXD8OfO2Wp8X|&1`xZLmXormaOLp@ zJDTxIgM&$+a!`PaFj8VzxXah+=;}yAlN#pgnH5x z#PRC+6gr8^0YX}H5McaBgH!vf18$vm)in-H&8GPP+qmgx62JLyOp=h9Xooj-C6HoZ4c%ma}kwsFSCnLX)d4P4?VKCUPa`wW{!T9&BpLtQ}LRbQt%H1kM+VS?J1NB53?w3|+M?w652v zp6Q>fj=?2}IvHi#j8;2rAChmZxu$FEJ=M&FgyFTE6jVHZ_boI1baH%`qo#~CSwZH< z=USuId~yBI5rlQNcxZ9@4YtI!%jEKFH&_3K|K;~`*Pi0btbqg1*iEGo@P#u(mVEM4 zdycN|Way?)%XdlL&q>>Hxk^jUb?1lc%3M?aKF$j%CpBlA)kGW?QIEa~63i{-K%57h zu~FdE3d#&o0CLc}Rn`p+S?iYy-2yvJfQ&G&bTwccv|f zK8EU$M+S#p>b5C}jW?*=6jW<{W3h5^wDc(11mhs&MB_a42n0Ati`#ez9ao*C)aV-O zbyl6FOgNx%R21xE53;M)9bKZPo3T!8+~;yZYY^JzUN5NvEWGnn17Y^rB~a@QLp}M| zMN=vUfXSI;)gVu}jWOGZ+b{r6vUg+H$*r|5^IukbdW$kY-4i?eTb$Q;g9u`gMKIlY z)lxDc@;>@|2+wV=f$N5#cK51-uo~$E@+?Gm(J?_Mo52x=K1sPfj;2Q6z*1j7EuICt z&IDkC{~Ylumz;}cPAZEu%3Jyt?f9LOt!-{7n5_I@GXOLsGo3EiE2p&KFAULsN33%J zPAF}z!+FW-qXgwj&3Qir;G>3y(lSlHsyIDZ@p`&;&k8VUM_Ikn{QRRyOYD3Wi3Aqy z#G+!hLrXZ}p_^aJ9#7V9|OE&6Jya?(bTgM;iV?B$%OZ213$ezvSx1h?YUOmBW-TeUH7t}iPS{_$I zTcI$(c{5fgxm{|gSWJB)gA%n~I!I#dlU{X+7p{WXCGPgJ@K2J-4!LL0cYRNOE-1=& 
zo_cgzD@;DoQEbqqU)D=zNFdo!I?q2frU~*vD^%%u`3|e=TWUdJHlv}G1D&5_S8fe| z7LjcPTVaEq*tu){gittJNRm@o0EJ7j{G8K&Ze*!evVBJPcH7}Z=!-{*9Or#eakoNx ztCfXdg%po7osgnzc0Kz?@#fhmJsf&Ui^cFywU}e&@|CcY{m%mwuh{BP;Bj8CeA|F( z@h+?qcA2>8|A@NA_`15M+cvfuyJ>9OYU~@^w$-Fjlg74jV;hZa+qRv&X`c7re#)1d z-`Qu*oY`xywPp^q!61mcsr;cfFA(n2HqqAMv~taG?ibsfdzF62%o}}@o-!Vcvz0^Bc_VZH{=utI(SiW zqR0OcOF6troK9%=(rU`S_p6s~W9hd{``kGZi?TO@?B(iwp@!BXLHh9l7tKh+3tQ_m z-S7&?g_aq2*4xQH7H50!f6DDeHe2ICB_jpp0f00DbmmuEgavy*vRYf&Aw^PO0@x>r|X+Wzg$sL$!c8> z{o+520?ZqAzw}i>h&h+w@e!QSr`r8*-7}k@Bc~yqb!o1viIG|?2u(=*{jG0H_7IbE zGmPjSLLj_h9gznJi4A|M+p&&q%&nU2rQM&^k2K z(_&#nMwt}i*?Ru$@SD+|CtB}<$cblkHkn!*1FAGtjQSPZL#x#*E|n%}Ir1eL!I^U( zQQa3gxPRB@_*Y>75jB)J8OxZ8gx#miJC8WfTzCY65Mp5AT*&kHa{_qPKE`;%tSw1D zAXy<9RZ&-x@NWl;ny+Mz82_*K60-+$6w`2K6BD`-EhA;MOud=k2^WB&FeL?au-P}b zonPAW0*Q-x2mmIz)E%)JL1Y(U9933}9%zGRHLWHokH^ivnh-+sa=~=uM})n)RKghV zd2tYCw7JC3Lj2XFsRNxnzUUL0P+^)x41Lg&F-2a!bXDQoWRzX0UI4L>Y199UYB6VI z3#E-mzrkFXB!%&BQ1ix zHe1!%ZF0W6-Rp4{^|BN>92{RFz+4df3QS4(;m7+Lmp6I^UABqJjUbX1vHPX*kYfD*b_d z2MSqFCQ@BewTr|XCxv+c)sv+=sB+?i`&rHFyc0uNE0vLnpfA}&D)JH~SJRhpz2+P7xf-n*sip+8R~$g;ByFQ|LFuztY`(swXXCSVYVC0uJ^}q^NyC;} zmFBf}!%NqVP92_>QhV{FR;B)i6Lzb@XLXa8ub#8YntKBc^$qn;MYna!AbZgEhZ+T= zs@}uS&<%V8hpJYPOe^ZWG8y%6Y#oc;coBq0xfHYojfp=~974$8A9)hQ>l1#hGu>obvcYKGH zA4~qP!a&VDAo@VA$`J`MOiQJ~lI5u3WMObt^~ez#h+*@_U&5#R8zidg`GlfhWCGdYTaSZz**(JMJqJi}m3&}X%tWlP3lWSIjO!%3<72e$hl;-R{ zJ^7Rtlr`xlrM&=Q*%2si$7h8l2*s!}r>%$8G>yH1DC@$(@@PLOM| zJXp;$P9}qbpChqmvi$t#EE!q*)9kruj)bw1@rVtGUc5qU7P~N-Y3@HIv+Df=?tn=a zjV!2b{F9s@JcX%a&b96rO5}zIWH8FYMk60m%~}<#=8h`spYCjMXn#=|m8|jVA}8f+ z>_KQXpZl6o{45VVnk05y^a;a2Uvw6Bq#l)wQvnqVpF# zm%DiNZluQENnDGlab-O>p_Zkb-hHaAxAa$AiQxXe&*)g1s^vVgjQ^T*TjUt2S&KFe z&?4n+^PKLX+?6gkg1*o_YV-+sF73Mb_yS^Pa{^99U78YgYIvJ|@1g6pRP`Md#5KKn zSKMjB1iPuNWkpsQ%HZmnqw~iG#%!hXoPC?q%U4nA_~ljpfJaJ5O*8iX(0Qpq4_)a@ zKc%1GhNMM}09{#$-IHbWuCUEw{R7}zLjcn*#`~GqX-O0)h{u2XOmYZKn`y#}VW__N z#-%rQJt$q877eZCUdmK96as9N0rfjX&p*SYX8tjtJ2oN2Q 
zZxu-^Kcp#BxDu~Ida|$qx0I4&pMrCAmP530LbOJUJU7K&(61d=oeWz5+Re>IQKR8| zH>T=TJKJBqOTq;mUtjH+wWU`aum-iA5o}hdat|-=s$IR9F@#Q&j`hw9X?Ka~j@Ql==6uyV^# z4?F?6#n4lY7g}G_kISBS+ZV0yCz?*(5cs^#hQW{Qdzl;3c(3u!nd^CI#yTj^9hDT6 zwU%_s4mK|2d3vF^exV~=Adm3AI1+A+Eyg<>J{1kncrLTldz|+tDXKS7siPmDyp~+* z=90SJOTK*KtVBOXeW5{^T?7ajM{#l!65`JK+mFvebd7(3H3h^f9f{I>-SE9q2Rbyk z0Llx#buz#oP83;+E}g#Zw4yNK$$bA=Y1T}@a77P`+mRHlbFzi2c{|3xL}#&5w3?lo zeQPUN+a|qpNCOmgQv&rO+icaw2B8$Ee68`Ru9FO4rGUbTUn2pEMa#YVluq&Z~GS&=IwXoKGya2Dg64FY0TZVMaBGT4-s>Na1 z%dgaX+w1wI)oWY;y2f;n0f)UDH`|1>*^JPF2hM5X5Ym z;agvQsjDeV8#RL78WwY(qc^^m^Adyz*W7X^yG?eRGu?*B>_X;o3dw->Dh%7L=>zt? zC;yE#f~Wd&S_}f)QD%`)YDm+=4|D4}=O+cMGGnK-l?QRm^4|J&2FS#n6N~nDClS5f_T3a+qI7#cu2pMq3VJwzv>vG#!(e}gxj)8 zC8B?I{JOzFW!~lW_KUw`Qu8nl%0nxCFwYZRw;fGA8g1h?G7M zcXFFN2E-!0ckc?vjChL1PyK|Q!4z-2;?WlDh+!JUanCGhjj~`c2^8&ex~SLa?zG+k z2Jw)fK!5akMmJX%2mHTk-<*HFKKck&#~-$fMz)6eTN5AJuB^M%VC=*&n75lRy_8-4 z@`IxyyrFx-PoC!k0~BUrPy%4%0K5v}!>`_Zxr>cQ-fWQP|7gl#QqYIgwBLgvwy7i? z{R9sn3>Wm@`g;Ym3+)e-nH9Qg7TlJcQhPf4|58?b`JC$pE2^FS1uO7}S92;1g@ia` zr_AW$TLMtjHk+XgAPw2Wxive3kF~+2i9ZOTUe&<#TOZDkZ^PnU$pubs&SYuD`vg%g z_GD?_xwOKw27#6yARSVdBLy*Vxx=I_jI;d83_IUV%Wj_kcBsUCcsnGo$wZ^ll9x^S zROKW=j+;H#0OVmx~UzT9l;nd$KZ?C__htye0YQnAxkZ^XmxQy^YDE2 zHCng=SdWCF>!aa>A7yv-YL<`NdcN}_HLIk(*Qo|=KkHjw+ur5}46k19OwynTo=y~b zl7NT!oUptOKfiHn=<2%x>!0Zo2p^okBGb!SGeNSIeTl4Oklr?%D?)C-3PVA2;YXT5 z>OvQG%Kjy)m-QFI%AE-5xfzFc<+u^eqw5pV0|S;nVcx{rjOuGCEqZ3sNua5jQqf8C z;$evO2dS@&>qh>!ux3)_MmjO%jJ(6TZDG0}mDHX;=YDfQD#$$|Z2`qIB8o?YtI067 zssbElFlmomk+`^65dQ~_u2JVsyTBieL*a7VvOg!7rBfad?k%5mO%{#{@!mXWb3=35 zjPkqdb{+NNzI|esl>?AJ%%%C8=1!~d`Cws+fGKjKNDV#1`mvS4!cmDs6f2(i5!1v+ zS^6=&n#i;AsRqq(83oK~!a*sZ;Xv%PlfQ8>4i2{Y)+oDwZ!{ny7vqGQ{SdnL!%UV7 zc-6IQ>B_~A>aPP@H7TyTv@gsq1Kj$;E#Ib8?z1<)%Drpz#RW5gA>I{_8{3%6Ctq)J zhl3NH_7d~vEALUv+bHIJrZW+NWGFhc9=Ii}(r*3=$~^`<$>XohILl}og0+-z(eKelLf zyw-BdPHCQTEVgd%dBcD%;VLafICIWAWXtd=D1p3GrH1pjFx0_Db4co=iQ0nQ4>QKa z`3wpX9~69ZMT@!l0>y*(Dfq8Ejv_@0I>l=aNj8lg`909=W#fJwynMI(!Ijy3 
z04n*ltPrz`DphU3bw(iPY!4RNBVWeYv~;1B?<9+&05J~4Zsnu|wt~`6|L>F2EOuf_ z3Ybf$N>$YOI%y5E8sE(`AS7xaU>tocKHjOY?W$i8;>>kjiw4GLy`Kvj(~BYoAeE0h019 zxLp33SlKr|CeAsYd#U;GqjJ0Mg1QseCK8nz{jN3FH=rpqTqTA-tbm_HyJ=f#l$On< zCRF$hf3!6CgoO5gY|}kgt?G2RfaP0X$r^9?;FuiSm_?b@kgGy8sDY2*nuE7ac*wx9 zhx9Hm&1|Rm1Hkt+iVQm!CfRGPR#Ekg&%`Ntkmx^)XU8dJ4t`3zr-B{$ZYZWgKkL{M z6Hh1Gf0dE_`tenx=RH$_JeF5sJ~hj}YvY;UJq zL50qK^7FVHcLCiSgF1a{A0tSb^p52Tjae@hkWUPSG4Ra7l-rEl3Hi`xvmAd4d4H|6!2X?x8>Q5m>M zE~;By9NkCkCWCca)g&{)MMXvh?9QYRI41+3om*Y}Vl2+CwgL$I)?oOKcJ{mDV0g5v z4KH_x4Pud$ZB9!quary!EtkhQ6QTzBu)shmsnKd(*$Zbbgz}yZ0{egU3vQ~pv;Agt zpgqrxvsr@diIaK_$Rs647n( zl)#)rpy%Vd?uY+gUWbA6$>_EC$>>dGAc;14+MTsN-ib1)V~wYnkG(Vkll*v(+7F+a zk7|I5a-hR+FXyBbyp_&Z=4s2Mheluil1Lje4RE>+49CArZqn?(ujN8IjSUpFpdWF| z19$2}3*X^>e3*4&)=e<_ zm4DIZ(eMjN4B#pjIfsh3JMwQ^>u|2GdQoktQnU_4O*8pL!8Hxfh4%KI_Qhgh@-?ohudOQ7+Z*Cw zy)AnaRxCCHG}kU;KSIZUX};S&7Jf0(JGCtvtvM|77_2X%w~i9gq=H7;?0*dkHUuj# z@U4b5^oQ&7C0W!zez z_YzA!RCT+fG(5~v@&P9?n6YAg7|k?hEfDp?3j@ubuX^9RnQ#;jwORTGUxA=&hWv=6px>0g4oH{qdzE43KQ)Tti<<^F=C43QrP<3jiNcJSQguQMQQ5BR)-}V zh%}1ce4dVyT-MPaY+V9VWe87;{3m^b| zoSWJfuo!xS^XpODiBbMw4njvY=+QVIv8J?xEaf=*iDrHMvw8bErNaP3(1&KHJc(Ut zE=$D#QBs>SoYiY08v(OcO^ch`NnOsQQtDP%GdU`P@w6)&7S6bQwb*YEAZT3Jll4dW zmrTcsv1n8+(%%(mfxADGlgGOx-VdQk$@a*!2!4liC2%8ku#l~W>)^WkZWD)R8vBl2 zAB}|(VH%8}I#h(jjvsF@)<5j3|4ZST{WIzxRTtE6a;7`3kp9w?tbPGS?7m%t8Ouaa zHQ4VM?{U6+z;;M+w?MZk72sCw-0`T_3YRdGRDx`sa$4o3ns$51)*#|8^h3V7yng$% z2h%F@J6~ev^=b72RtrqJ9TpPWXgwA<`XfoqFsfBZ$v)2L=O{8w#}vW<6U-3=#z*P) zf05=sm8JVpB~SOZphNa?w!lz9^+{HPNlmXfmIL2I%|7Em)(B^%@yeVTWxaa~7}%HL zHkXRWCh=~qK1@#{W^fv7^FsDh^`7mT&EEnd9&b)k47Zz*kh~jhhTGXu_D_sGJ%@@{8TFuSu#EV|=zcJ40Fwd5zZmpVqaad&EiyPjUf4=RZX|-#23@>S6FN}@cFzQhxL(}%yas|PXeBCVD zT|nq`Van*u)Lk$xG#iufDj^OzFQUk_iwn|=_N6+_&kIhY!qF*iFXX$p(ZP-UIhuOk zWyK=sK92W|AZM9mA5g)1dqdce`%^YE#-s<(S#|AfItJ{w^%NZLGUm5IA{PlBUqL5J zCS~T|4TbGu8cK!NWxBIAGiH3{fJG3+^mcYAnDv~m{?SongOcnY+(F&GR{{P(v{FZv zqIOl)qBoLfRiHZm_^n4klk8K&l#$YmEHO6&z0UHAH3#Ms_I?JF+q_&K#JQmsKN>U{ 
zK{b9Dd$Q7EVi0}j&$5`gz!(pvbJTb6CGKSxwKf_1qyl}!N}9y9+U0LLubW#tCmL>sN#-O(6PI8cP#wSe6Q8pd1*ENUS4jP@fX1oRdOGmFB-2n{t{f zZC8DpPi(zfhP4>|nr88BQKj&QG{>rze_l!Rm2E2$YSCSQ{>s;shavNAk5VvN{Dq0+ zo|8hWSIb3<-{s7fieBUpAsCt|>*Apxt6*5e*8fqu{oFpQZmo9WMlQyXTze}+9@rQV zZR#_PJK>kzm$@w40&eSBzTw9L`4;oq5OMO_U=p$2-4VqyDzthTKMzHPF&>J;gh}FC z9EYGsi&PVZ#S&aA4!diX-PWfx|M9w7xCd4?fCHLoY^#=_fa>ck$im-Ej6jf;_PR_D zp@y}?dCKmrlG@x>_#*_3EWr02`xdj|xf67SDbqTRm3T-%e2c-|tpOh_&PaD|KrnXw zxPiudWy7jR>8m$pvH^X*!G_fcENhUVn75t3sb5yc5mHzloIjtDx4CM()>>4UiUU32 zryi%g)ciudZfN{e)Y|GgcMpg9tSki z@{P(WRN|_<1ZMA#zBfKGO~37vy7$&SH>-oM)@m<;QHtzJEF;~AZ5qE+E;``~{CTg< z)Z9#mnhCZiq8@181TKS)5Ghk(_qVSD?PmO4h7a+v%~)rZ-57ACfE!TAZ7CMs2iZ(p zvM|_Qr`=NrHA~#+z%_gCd7c9wMPa%x-i>j&ggxq*_$em5SSE@}SQ*Ja#C{0)5r?5J zTXpAsY0Pz`RYNkYb!^kk2&#aA)*uh0Z;rPEQT}pj<-Y>KF29VT=>E=*Sv-{RW1GhL zTY#oo1ep;=#hLTnh^A9bWQsV)eK;tz`gT7^jvC%C4bKz>b6DVQ<=elWRWGj@r;ls` zN;6>gb%Ej^JUeZ+AydK5sI6JpQ_csBx-U_zlhAirIMFSY59N-TJNoJLNNw!cm@fpK z^q9DD-d|y-4N$kch9gjEWCW-vm;FaoKme*lFyz5lJ@H@`nO=qVqcA}S8GQY+^x9Y3 ze<_QC8|C5xh+><@Zup($vT+a5_Js z=(`70AsRRRd$#Qd<;$H_mCL}DZ$E^qMd8rK;b8%*0N@_LraUR_^dh*Z@Du9;zS75U zuOGsGKA|&8veBj@A4lk74NHo?_etq;kTO0e!=a2wBS1MdYWQ{8D&-d!E9m53{zCOX zdmBVL0Ta!1$-wE(+%>=d7mQ^z;5xav0Gv3cvE5umnR8~pC?>5n=3=STLjBI5O?D+l zM~^eVB3}&iAIqzfHSYXj&yKPRZtOJ&pp{n07x|vn@1HGp@Qw$S&b+zAxVyv-2>In@ znyaZg2z33in})(Ce&w2eX4E$L7(T!TAMv%FP+DH}FYIDIjhO1Jikf-@0|D7`p{7c_ z0hv~8)0ajyW26Ty++EL3`qnZXQ;*+KZbbN0Ib%nSWV@Ui)SSHb0CISeIcM^y4Nkxic}z6tudTzTnjql_7Nt_ z^%9Da)g@2=fE@3FOr)y!KjV$f%lXkcqH%a2s5_UVU~FSJ{|OHoiEu|{$1Ud8p|67` zu;2(4UND6_?C*IOJiikUVRQiR?PU;;kR3LS7OW_L>oON9)Z;xXQ2NS5A|1`QXz}GR_hCye;0GqiolK_dHj+ zL2((_mB0C{?BqLxjp~>JFzorni%caM{TTb}2L!o}*`pzBthpI!O4)~mDn0+oVpTuEUe@8?)< z9(LA~eYYp=s1S9pRK>ca2u@6?K4G;NXul;Wfj-aKLLa5l+Au&V<6PNgYuAO|H!}pYraOxaw4a%rkNB#%E(*e*221q&m z%u}&&S}AUDC=^2NFG2jI6kJiBY?H6z64h5RouU*H_*{ibku zi(iWr-U6Q#3V-~B$J=hIS6G>`TO~tQ9bC31)zVzv9dO-B|2}HH0e}mUWS(m1)#=zg z+RFc zMZr37{RSLlrRZvKt?cw9JqB;*xDEkN$JpdfX<+>DX2E-d`xf>T4E!dJ7E8D^fpzd$ 
z&vxxVqKQ}3Gxq0cgPdyKFZ*^?GQZvlhV@^{tyh=GTJcMGMcC`G27l`}-5oBtodW=z zVH(@?OvaEv0ar!lxop8fGF6Jrer1NMxHbfOu4lUH>1lV{dN_xGr*lEO(YraB75YiQ z(WZ`GikPhAw1tlAqbtO5qeF7dbWf=EUbFgnq5bKOPm$!T8)JovC7v5<^Om^yF^NE7 zGtKDUz zv0Nhgun%h9)y>6fhmSOB*3-;s{*#6Iw{7d%9zN1Re|RT%;;g8+eB?%_hJH@xax^=? z=uDs-j+$2(iQs>{)3JBE~6eJA6VX37h&{kAWP68c_9 zi>^o!Lq~J3*p}J8?Df=~H7E;x3^~lw)5Rn$4w4_4C=lP`=!%6wL-v zMq39!BmFcs@G8GD3<$6G@Ox0DOS)ew;WwcijYr?A)6SfT_@LG{BADA1#(IjrxYtq{ z{xG}9yS<_Gb(6gpX@orta>N$L*#A^GCH4!f3dUDFiNpGU0aji4UfrFUo37ippZqJJ znx{5l*;RI7z!k_^#OV}(W7dz;VbEo2&+OnulZ(>t23pqUr}NY8CKz-*)5Hc28A^Hw;RzLBLNFJOT7O{aOZMxko- z{A2kGoQak3YRz}W%j}dltrmN|dO0ZLSj3A!iKRdlNfZyJrBDy3?k4$iL@XBRntSc~ zr(Ln;?SHfW8#gny0&mI6L1`KP_T;s)o&%F-opOm6YQz^I1q+tDKk#cV?&@)ufxldO zKuu}nR>0ewu=*-1Bl`qL<{1rFDo#_~?ZX=-iy$?j|?g z6jd&jV()*jaV)wOfm7^H{gF3DZsOt~2H++xN$5wn)Fw)a)Oe1Fa<=U24j zV+8S1z#qPQkPFEkEsvjgb~;waN83$xClH9fI5;fKri%U-b}BXt&V-JL&*ZvsVyucX zdvR(@pgUKTQ{E#{X>y}Y!kOH1+f+FPGgIktlJR+iox2|);PdXVI$wx-TJCyCDLdZ# zuqG$-h8R_qjWB3iTv0qtYoxE1%-njIesWtN5CE=Ye{F8#t!*6$8}7vpCHas&@u!>2 zScc?7y1f4c?4S`E*@Kb9xPh!NpHj8a5`th}6uiJldza|YC+XF{G=XOoqVrzzx$1uM zTj$O2r|G*4)eJ1}GP@t_OAXq^!I~N`BSO`}YPXr9%?8I(>YbH5qIQ3HLV+cdAmqZKn; zoG2;~Z#j@vABZ0G$aR;owHARR66M(G4yJfD(c^g(D%7Bp%;qFaB6FWVTbOC(6yv0yUB;tDHMqvU_g=GCyhhYRcG~Nb zARdv^{4$O9zNL9(C(>hGBDDqdrWy z3sXGmd*k%Y+SU}1bRLAu+zh`mg-A#aG!X$ahsPk|DdN0bJaK>x9IE$;qIMA^r7Gxu zJ39DHMyKkp(E-(*x1Jn?pq{|vkK-6KEEJh4P0r;3+;n4#Ef+2g<&m?BpAvW<9w5k= zKjmnqwi;L~`5uJ3r?Q~46@!MOg6VqIkhShJTMtBRi z4`f(6sbHmTbG~*^51IH9y|0XVXuhhY7PE9g0X_RJ$e&%iaTW=!C#GKZoaUJIGSq*u z;A2dhx^P;7YN}zPLvdCxDwuO(HCZW{f3lyhUL7SH2+H3#^GH0<2Qxj^N9@f|Q2N%f zwTPN^?v=@0PJ@rHv--`II;8ta3w1LNE5nyn3q)VALCCu6LbX8=cXF~cd8~5246qFVwB-pu05?9op&R%4QuFm>%L6%1I9KTxU7{h4`;z zDr&Jvn}&(gV7tO(M@X;qBV&KxLy+t-U6USTLz6eXj|Ez2vs1(;&uAgEV@t}buIf{^ z1OBeMyuf-RZ<6)TcPVL^*T>ow-22Cx!b{~2Sl2R({0y%7>%+N!;y#-0*CAN?gfB%) zg#iMyN~o3P#qx1^S$c8@t`)mzUh723&1~%d8YzY(197m@V{yda!ZGv~j%3WjiiP0u z%zx8Pb7V(pL 
zpBI*QYx>p0Rp?So#6!{Rbh1tJ{!`9%=ucV@aYkPYpKQoSc5f=JJ*-dd@^jaRDw~iKkcrW&lEX;^E*!416 z@qW=W)eab!JR)@I><(dB(;L#Jt?@GboJ<2K9o+DUL$(AUEM|pb$f1nCBv*LJFT0Av zI838CdE65^3K6xD57so+i?ceT!@f<`R6bzm8`q@fPi`u@ooTd7N)PR#(@4l}T0Xu( zR~mpa7p=Q&^vdNSJbyF8&HNmmvM*>J9JzytPh6#K@=bX44LBy9jT}CaFF3Ta<`+-x z>(D6kc0VUSJr!a5?03Jx9~F?8Tuud-0V=gYKXUliHTPM_kwTocMl`OQO&IrYGUEip z3v=^O3a1`~2C-x&;X9ERL@Fw=_T-q>%{Xt966|di4!eI0WFTSwWp7+hysSX9t);Qg zJR-p&k!yxe=>)w&u~zJ4h7*YKC0q6Q9VIxTNgLIqJAD6vvY_ufmgXWC3(nu&(Iusd zaW8+Usl`xsCeS9iL`QLSeXf@>_U~-jxI$RnYfN1IrlmGYGw~K53T@tAJ~GoSDst`d zv9@V{KrgXCu=a_eXdUR^K!$C9`5-K}in!d(z7?ZUpUj&i6!xCk!^CQ@9Z4aVQ;!jr z&h$=)3^XczFzNnENR0OqJ-%Omak0x7JBFIjj41p&m=7PHO>I_P{5hD@KFX{E6+%(t zI~&gR_br0mUX+H*D6j|leuf%bD9fhMOGAC9+%xH6d#@{~SD-z2m`=!}@zf7z@~<(D zp0wl{lbX_)WV5UDct=YC%Bbaz3ldHekyf3~daiA*-*?QQ7W}saE=6dVTH16mp)Cj9 z4BGXZwo5j9S5@?)-HcncyEEgV09`y&pa8;pv2G38B3EQX{v?90h$#c%|Eu>8ag6)2 z_t91I_iqFl0Z-vG|E3tcVatw0pJ6sma@++pWg^e!Gp2wWU?lv4V)t=cZ#-{Qj?*-0 zh~@iLc+!2XJom`#L>2ODtI~A8as(CPJkoKrax|!)Gm$}u-#bQB&}}kPW-;gkHN0YUKmW|A%+D3G z;b8xJT@%GX>9mwsY3XYbvnldlc7?X2;ob4~Srqq;W{L|c`O8Q#SfDV`toT~q&5O!y zPxuF8HuuHI+eyvU9CXL7s}o&g5`$$Iv;91DxLxEcQ;_icYbH^w?>dI#Sqjk59VXG! 
z)x4#Pt_cy2A#h{f5XF~QGe8$}wp2$8=YeXgqPIT&^U$zITb!A;k&ovjVf+2$-|Z~p z9QVb+4)DVChWyX-WefU~%N(-~IDw(kt!ma=6h}VR)8rI5Ku5D_pag-C&;rDMs3!Xc zqqc=(0y!Uva4Ng@nC*F?e2I80_1)$t0X|8~7<1#SA7hH?g_ZDrRmIB99*7*(PW0X> z)}<-;JAeAjv@SRee-b1Cqxyv0mv5@|I#}i*u@~z6pfm~FE5_flH3jVCeY+Iz+oh)W zKSMK2W1ux_3$62sJ-D-z9~#mqs}d>JJZxX`>{Ut4eh7Tp!SJqfONvhz4ULWqF_G_V}>;5*I zfs`DKSw>e)SibR>B^>^?67acls-K+kny$)|;vPV2GqhSlQ9tZ~ZTyR&X!W?En|p(~Ir;j)mvC%Xth< zW^HzBPA8Wr38VXbSTmrc#d6NPIr-U8=KnFglPHkpoZPX4caB8YF|R{^+%Gg)p`Z|O zn}FAR`w9sU*JoYC@Mz}^TL+^5T2rSQY*}%7t4(N>K5F-J6Oy)j3zUwQxFC^zOZlcC zLjZHg7bIT(YmnJ`FOPiC<6c`h@|-Mesd(q6x)N%n<6i@L_N4AQv9aO0TniEvSK+;G zl^|0<2KI1gRj%lGTgxn``7uc%gTk}W+3mn&#K|N06d*TB{o-weV50>bXPA&2ujoLrbYq_p^U-)X7(v!$uvhA<&QkHaNej z!)k$MsFa+*{}oa2;AO&nVq@ZcxfZ!#PiU!dGcNkXZlxJRHm8;ID<^RveEe~6(Bx$S zcDDJ^_z~B;dEsE4ea;n^`)UbsR*=ix9KX`#Ix_<61R5>IYN&$=xj4eDUtEsZ5yRiG z{W$XuO8Wlq@CQ$BNzRzEtKt~iLe@eR% zl4ISFSVU2LDH@w9=hU*o%g6ka_t=^L2*vd^^XdrVx_Rs;7p@e!;2-WF=VPW?`sDWn zevdIna6$>xtLzh&$DQX?8VQgH^I|hy`ghher*A>?8viWFV z=38_$5^VUuDjAPq{FX(S%UEA_6EAha&?A_`V1GA7rHBg(Cka5zL@HDfoxX62A(e!X zqQ8lV<?d+FxjXiH?KkWXg*uSsQR&W-78Py)-X!dITkNV^k{f&A2a5LN&;##z7enmQ5Z9 zl*Zuw<{3a8^Z1%hDMt z8J*>AGEX%01P#HsX?xwV zEMBTV%Zid(we=^yYUr`Ur&zlwDAkzVuzZ0)ZP?@1!2rCj-&~?Pq#qBCIE~(RPx|0b zEhRcAB;3FhKpb# zcI!sEUqb4uN6Y*sf~H_V1OOK~LE=c=wuZchlD1~le|OHIGF&rD zH-H)SpIQPbAM<>l=IO;9rlvlee0^i8Ur0umAlj7y{@H?jFLIZo=y74n_?0!aTGYSd zZ2f5d2&%!%cRS3zIT?&D!T=;mlBhC?a+tl)wItO0`|q3k3$ zrAg|YV{)EKAcZ@N-QZ8U43>Ps3TEW(XPBN$xoGc(lq8Aj7e}KjIn%Id-$M`Jr$_U0 z{b*?->F=GbF*ZYH(4G zmQbUqT>FcXd`$Tu&D|gfzhnZ>_Kw8zeNZlB)2*?7&+m}8v&aZ_D9HI2LuwFe)>j*- z9vf3#KXo8%WPGl%>_1<5>wTkVTg37IZ-(;E{qo_-s>I)K`)}k_YT?IuxGBfe-Xdp6 zgymiT*s`2~bbPhoK%Fx>o(A0sUqv2cHIvD~I?2<2B-8REeHqKC6LnV!%^bN}Neh=sp`qbG^jb@MCnoUrSq-UP(I`=omu6wGP%qaPnwY`^{QJxWYr@tYf-w#*tsqmac`c^6`$&< zbX}@Lf7O2l;c8q#I8eRv{;0Z+9$oGk|J-u>`G%=rWz=jU$z+frA={a8^tkAmjG$hy z*Yz>V`SZ(~f3L4So| zywB%6s&*6T>Wk$3c+<^`^u^B2F!Ch|bn)c46lyA}>puVfg10RbQR38ixco=2O@aI% 
zamOG%7$b*z>oTwiH%(5VX1AE~=Lea5;$zql6V*7aa4f-4d@mw2Q;8yDoiiDO5Oq>yCX=7@-IwpMp3CXwT7B(cWW z7C^g8>cC-BN5_KH2lvv?e?FOuN^LM?L&|D7i+l*b4%(_oXqz81JmaCu60%5f(9{JI zGL3Gb4T->z)#Kdf79PeZu>EHa=`|1G$llk(&|aKBvw>{c90M6|5l5Cf=gL$7u1E^K zC$^uBOhZ%P*Xc$77x{v+8&%RBGEVa$r0GTentUvMGnpFmXvhMPkvf~!ixI!&nNQ+- z+(DvJ{f~2IyXHZY%R>@|kl$0_MTH_#O2=nSNkSE^P#+&_-p2SWpGYiBTACq3IB;U) zetI9w_H8*&EuF8DUc7bG!bI7gv9`))4&jIvq^e0{G+pP*N3;q(Cht+~^T~+q;{5~8 zv|1swtQCyB+NZXbZx^p&83@&{UhB#7S_@0R;~@yQ-5OTTeVNX47{De1%ArTTALL!= z4s_p&td`Bk5gX7&P+o_zEhi0nc+#@uEllOee^rFswxO{a6E#WLV6`mUp|7nxWxrEP zb}GF4fhnN;$)vg|tM`I+bZ_)wzPX#$B3){?+f#AV?fe1$*AsG2){7_y$}6<>^+UI@ z&EeA_mPKF9Gf!ZPnUqUiE!UPnC+ST5rrB%8xUnRAZ;X*r&DoC}h=x}2_qK*%)ganC@Ph&@~GIyK+#%}0CO5ImF%Yzb+4zfd8#PgMKVOI1H( ziK-P?T#dXL$|K!t|6x|id8J1UHioppMqQtiVyF0%2hIj=yL42_G`QaQMpCv4zwoiv z7V*$gI0n|Ms9<4!;`l?|*orR&f`B~JwORfc)XY?g^z}^E|7DAbP9#Sr>%6L)D{kGOK;*Ffmb9zi9d=$6VZwFL{ z{J4U?C3Lz#Z6&Iafr21$-WyN%{(RW*@P7k3Q%|~j4U9v>Gu^VIoaB#fb4joc)Lb=V zJ?78`^2b0lLfn-KoD3mBAN>egHW6I?uY9*148x=whaDB+lrvo`s~)=x*YXxDcV~ib zHrwf@*5FNF_jEA+6S7`utiJH}5>AsDDSsf(&tvcFC<+DXFF8g4JblbQZtm7|_z5 zeXfY*$7n<(w>9hOb_{JOBunDk{l`=XPPsbx!M<;r)Ay1{44V|IM%e=T@aOF7v0tit zo^|#AkEv@6ud8d?QDZhX8#Qcn;>NZcyHSJ2Zfqw_W81cE+qTW`w0)oS`<Ryi=?@=z^!y@NR1&>1Q=EXB|s^aFIJ-OUZ|Jc*k+1(EwqK4SFJA=bkbouFwzYB-` z)diNc{)S`Kns}2Z8v5yzu(U=G1L`}BYR05JA@o6C4Mjn&;7blEfyjl%d!K~eX9uwqEv805hZR>up?7ZNkgCZwrIZ_(n*teM1%=31N zUa5G$87g4+L4i4-_FMv1vGHfqv8xoQg^VtlisdS)cbkLLfHE@p?Z5@I7Jmn63KJCsZBCN&{GGzgZ8 z__jdHH{~4$3wJrVt863|gdPP4TsUgmf?q$Mpnkkp>pt*mmiV3pg2_h=YmM*|eEU|= z`50aV?EtTOIdHXRx`bCYS@7luj6~qE&;~Qx^hEYb@2?%>f3w7gh!s{aMGFP zspmX=_=4L=`Uf=+?}2r=tOB=Nm=;6&W2b=LuNg_Rg-RV;6UN;c1tV%HBG_j9Os0S*sRKtw8)jM+)Y??nl{% z%llE5imp4l9jnAHbMLlVv`>Dgwl~Y9{%NS94nCXxikCkdNR7F$e`|C0WRJiExuuY^ zgMB;SKy9x}P2SMD%S*PzI-}}Z4Z}K>MQ%yZ4%O!cwj3}*l{ta)Q(R*~H9N4ob2?VR zuXS~F!@$C)yZ<7-d%t&2(fvrwGjI$d9zd8A7W<0fY^-pE^s|=&T02wEvok4k)V!>6 zmn5FW;7GqBbZ*#8X{^87(F_Ro`goe>aQpK!1BX;ajag>5h(MVGHr{pp$TQSUlRj)c 
zlh6)@@Q;mt87VJl8S;*=g}bfeCdf@hNkg(FzhE&asJBF-XHAx>G7PP8W@yBp63)p+ zRinD=pFHr4Tdt#G^XDdl*Z-4UjeaNGx!lDj%fLbcs>wh%Hgpu{<1d;AKGDickxITo zGcT)!h+9W>0UUI|s6{QcZ3V0bmv|T1&4ro!9JuF$PRG}MoS^5MrdZTudJgLf5+q`) zcm8Puy*w^N6U*siRQJq|4!c1~8^u&1TMNr>P&VQ_rb?-0&+^k}f~(TXMp3?-d6zW# zg`V5)dzF;ZfI%-x!@z(G)-YGC#m$Vwpkh{$b;KN-c9iXevTfB%GD!LuspE4>?;sc#U(Zo>ydSCyo;HUnDxMa!mBsl4ujARGndignf88|xb zLR5LX>vOdQ=x>3^h!eP@0&|}3pHC2Rsv_uL3pO=z6u^0{Gli@0NT~CM3HB8- zl&_q9LRSwB%lKKRxG~W~Jsd(18saW<6;)(0zbCltv>cZ|ZGAqcUAC6aF_{)rU6Z}9*Ox?*L^E4rDKH@WuOuvf zy65WZvBASz^)bgNVQ<&~+)$w*Gq3h@+rDALh}3vK4Tii$mo!&_xj}>9cots)MZWuw zU=HK<)W%u@jR!AgT#a0=%sITWs*Cc{^x6Q>*8{gxBb z8jVBB;H!(12F|1(WeF=9z*>&4^n;DAKyUXk6LV9#B1gXixG$b>PIG?xLYdsM*Z40;A4*lqSvt!!0Kr<%_5qguI!ACEi8=`0R_<}|`v++&CjE*g>{B(a zOW}BQ_zFyu2POO@x%~ztE-D?phE(g#5i(eVD4ALVR}~^u%ijTUa}~AEHS(Nk=?-FP zZ?}*Vt}>uKKO;$a8hy})*T6l=iZ?(Wpjd@V=!c+reRPzm8 ze4z_UphQ+vI_C&2HZhRwRz}LaBKeyvC?GwOI*+%0Y!;oa+0!jJ^YYKnU>JNgXySBA zAa?DXTX-G-r8LSDgOVe->wU1|$e*L9p9@W5wc7Yva10lAlUy!b1!NICd<*Iq*7PAF zwGg&g8i%L~YUn2h9VH04;b^69$0?s8lS)RLEx0lJeMdj)NUT~Ek(xNfW`wRWvsTsYhyQP z!Zy{qo{Px4Q?6bLgN2mmsM;fxg;jcT@w+seb|e(>8RE}?p^Gv1x#P_w9O~l#vD3U& zSN^@j_Eg?NoVR;K_hSIQJ;e$d7joWNGFFH4=dtfH@3NH~h}Nu%pfn!@#gpf)SKNHL z39Y$qp-ffIs#>LTQRfjv_DZke++Q{u30JvjN~HwFRWiepByo1PKH|3kAX4K^!#*f)i%bUIep3l)7|sbs~-o%!`OKnw3XzL zf4Y|uklMBu#S_aETwv8rf?^ahsGGE%sW@`u4$-^zrn@3SY+b7tO-4Wg>p=p(l6yHR z@xTk&fdy$At}L;jVX8H@1MTD-KVc3&e8?fP+n5gycizRdm}jNGPPR(08Kua>;3L?1 z2VL?lC1N;*yQ|kCLry~Nii;Mn$ra+uMHgo{n^g#TFCKhxFx+nlJTw>fN%2tO4=)H!sFG#8k9)wO zep$2Z?c6WQrRr3Qm#JWl&y0`Xk;fm#GkRR99#Fh0oO452QMuoaNq#rvQ!_gHvyud| zp@r4W{`eVoSM?|@Y|*fGs?2y!lNT{y4fq+cD+5E1Ii~yey*BZ&-ZrEZq)^-3hsc9N zG|oO}lFz;>yup*0VHTb1vP9Qn>G6@LlJ7G91um^s0e||5i0e@v(H%_tElVTB~ij@TuoKU2v)EqP)U?I3e2UrSt%gLLEp}$?7 z!m`O%%QYjQJD}`a1nA8+zVqNNScY?R+k?;@1<~dbpg7;-hO4icvureGQMvnh+yW|% zob#Tr=5f$+WtFFZR!#|ZLx;J8WWMJE6lbOFACWljI8`~CU+VH!Ats-%_Muc2J8BO+ zqAS}@klZArjLk5BXS~fJ$sHRAa^X~$$UuXmX!M<;OXi?+D<}JTMkdq$OL~9(5aCMp 
zP)P|Z2>rw$hsVSqcN7N6qcMVi^b?+I#gYH~M3Js=>5h2=7@8oS|hC= z=|!f6u@l7&S11VgE@Kun-6g(Uns6VGq1dCWYsigM`rqvugl)_>O3@xlcc*KAUZ?<| z?|NXOi^R5YU(Ux`u)yFv#x(T_;)rbKL~U=$PZl$J$FtLT<+0;s?1bzoZ*_r+Y`*cq zR7pE@DBMX{H>#%B?H2N1e7U5hvPsUp^ol0aOs~k(FbBcNArPLox zn|{A5+f3g4iB;d!La5w8b5i*B9%L6W+$pPjxff+bG4^;^E^rPFDk zVPpT4$|nM?X{F-xTd9;nzi6>zC?AXY?xmAPI)y%+${juSv@<)p9xJyZGt!I-xTMJuKtNG2jvk&SN8KNwG z=wGLU@yYXswquxDzz<<^e)FlFHIz)urP%RI(@Z=`P*Vv+@`0DZ=($_CNy6=*8#%(S z=#TUl!4Sj;?(FAZ@cjh7jh*MzUR*Uc@Mxg*k>=cYG*P^~8%s{ko8B%PL=pZv4!`?4 z#@APqS1_%Xf;ZpnP@#Y4yfUM2^_lo&)?w?J6Y-a1BmqS4bDzxjbSUed=RZI><~zYY zN1SNH^8@31^1#h7ebw}Uiy^sdF+@b6nj^ylV9t+YsTvMBv!%|0+-u0FMh|L(PqueD?Ir z*ic)B1P$K68L2g8cgfp`d1pskP&P36Wv(<43IP3&0%iz*c(!ZueJ-dGDoLddF%MJd zE}4Aph4X2`Rn@GcTM5UYR=&PI`Qq{to7#2d`s@t(QX9_E=FH|(&Eg%NWWKW}$|#V(s+BW@x@o;@ zx|XTrl90bqWzrF9PD@q)l@7tzhsnAALyLZNVX@ z&%XLifcWnI3#ceov$}D{Iu1lG;oA1q=O#DT$F<^ZJYB&qt`P90R_yJwIwLRHet)U9 z;Y=-C$w$28SX-OC+;3QXR=kt@d7I7W*QBwS*QD<&{hpG6XQD>FYI$ZlwL7FcDefoc zV61`xiR@9rrn4!A0HnKVG$uIpu35lmk?QaLvm+q* z3%^t5mKI}%2F@ewHBrsa#CFbP;aFrnI&w>pG;sVQL?t{v)7pkCdKP&30&m?kv+#(9 zwGvT$C0s*`jJwvR$LQtRDFJ3HgmB&yq-AU`{e*cQ!66@gFtyT_y~z~BQB<^+$U}GT zy2OB`#$#h9le=gQl%(cV!~y{Z80(c#@mIC5o7Rg`%WV-zDhFxKIyZR2lm$&@mEZ#k zIgc3!`w`=NrI|C%N*WA~&j#iv` z^9gh&WZJ4*M9@<}aO^S4&bS9_fAaF~&9tjRv!z})hT4CM(1P%X$saW~(b|AV&G?;v zE`%?Us#_5nmKwF2c0c$GH-JY#jL@^T_R zKv_C~vdrfR>UQL@A^Q#2SP+*zIek+LMbX?I7fegU!@-hNtrQWkGP_S+a?lvwZ!X#4 ztf%zUS=gCgzOV9K*Xm{SI^ny85he5#2%Zw4gI~&<-O~c`$LKuu!pNT}i8*iCFTGfr zBSu!t5Ss(x+uTazC&{&LIpclOjiGe~h(72>-L6fy3iQB0U+vj<*J< zzTlTcd^T?od-2I|if=key=OAO_s?2=J$XLVZM@~Nyd5UA&)_DcE6aUesA^6$0=#wt zI_sYtuW~bA3Ktey*|tz-vAc7N9XH!=T`w}vA6-_LJx?y4hGZgib|2QYv*=&fsJ@S#UV0-5^R zn6EOy#T1^uvW#+*XK;~ApBfAT!c+8`TTL=Zwoh-aqR7b~&1W|rQon~X6ab5nN>KbDqHpyYD&#~^NuwI@N;-)2sERV3>vwljPK7QBFL>87qGZ2k=gAv^CpB#+xzZcNINzG zJoM~XNE@Qn#{KOhMU;Pd9PtI}gM)j%gS8$rS%BPk+E`FJ$e$zMmAfNO>%W<I+xka+AmTTS^#4l)8ssQ>UxpwkuT z=ddjZRD=si2E#b`5=f92i&P1$Q52~MDou}bwrgD|N%1oS!RqyaCjEA^gt3=^<*f~d 
zHZQ_{JaJ6-8Hi}9=VbO&C+#)th%MD0^)z>I@5>{$7PZ2CWZ{9~&qPMbl4!f1h**<& zu99OD#`4UeDRAntL7|`tUnGL&M@-6Z2L4_CA5z{6yP7zvw8Q|BA^}8-CYam>#8! zh#*h`Z{{lk$NG`JuGubIP_vEbNhxUyV#{h!w}1U{P64Nm10m87vGwFp>Vatq&c(0J zdPVCY`+a5`^Rp&{sx0Lo+XloBvxog%^-=}}rBkv-98t>6cH;KT6U_#1M7PRiq-S3a z40FUs6=RtZA_F@DN$2#5&TX33C)xdQ8GmqdB>oqidG>r-$Yj5rzS>+fu*7|-+8_Eq z9DG8%jR7`4zZ2i*^o6eM=dvA#F6B>*{i6Qk8r5tKP)g4J#V~julf~mQyI-0-+h0h6 zw=#Urxr*aq%cn&us~q?N%0d4H;+$kz<__`9M!jrBi{NBrCC7Ty3~~Ao%}uHi3eT~o zO&$+d=PqZHCY9tTIbWLAPWrGv|9R2)vf}=0>XJpu=*G$KxKFA@p%gV^BTf7hQ*LpG z232jKKna*XXDLn3u@R6a3B6&D$st^IYOjQbT4}MOF|gyHX!+y_7ofQKt2vO1bMV}T zA(FnEi#un6N;bCV4Cb+HeeoY7f-vblx(6tetzoH0ULh$vhzX$H`B_{eK7CyvBl zFkAFq!Fg5)==Q+cIXJ|+-cQFAWn5v`o@uj>@Sp!X`8)|Z2)zJ%V#AVXFJe_-JJa^O zsJ@TDuLb+xZk||~a7_}Fa@kThPV}14V5#CuLhE$30h&ds;hGWOvsb!&{XNB6xJ@}) zA*#%IO)kT6r%*v9ygr4nW*oT?f*7m?)4{Y_7F};Z$;updOQq7Qg?c`s>rvx*1Nry! zfbHOufeT>L-WX5WbflMIb*jg6d)|6QtkrZeuoA~v0=gt)BZX88s-tiw%)5DqKh3{1 zI&y~pC;f77p>TEhp$%o;#`>J(Y-EP&>#uqKwQC*_hl!%96@SLOCfBo2gKpy*rc5J~ z8B^?tUK&LivN_;B&e>7U^-qc$=)vHVpzYtKL!u;R^Oku=nVV~m>$0Z4FajHomVs4L zb0$s@?$WO&0rlUEySB==@(hj;M(T+2V-2`KqN|v>F7G2&>wS=QyIGHbR<5q-Vi}!j+6V0o()k{D8cz~MqP?)pXQqf4n-(P3c zOkuzlyf}4TX=)b_NmzY#gu#Hg!s%fi|6$Z@IHqh8=BHsB? 
zKW2s{F&Stu+^)9c7 z{C<<#rC|pS;%kfT?3y`)@ttDR>s~X#3W%$%a|^%A!I66P+lZ0SLjw* z+YEyOdR2EL0{+8roFu64i2w4sinVjI#Y#NG2U$(Rz^&`xgn7+Y3|@G%M3o#e#S`xH z5f?)Zl`A9`=l5Bm6=t#a9u_#9&hiq0Y?g6^4?TU9H3_<6=J)rnM_5!JT|&?fIQurq z1}ms_^842E4AILABAL3V2crOe8%kqy^qPVIoxuOd(5SN)x-8@bR#m>57Ku=B-FMxa zvc8LDzmI|=ZYFZ@bw>LddP2JtM-}G2ctdq+&;&eZxt22(i~Tb2Z?(C`zVc&pXic$V zSwqxyU4+UkTD2@sZM&%8z_VKJeKj8?*bjW$wIQN6q&`p+FnXVB{^A2R6tv}ht+nMo zSf0gVt8Q-;ylCLNyF?b}obr~VPglKD?;g=1`VEV)8sJRS+>k7|IA@~vbRL3d)H_Yr zdU)HELX;i2yR?kq+a&dwdaLO%rk5Vx%)gpaJyfUpuB40r$h*aP9X9A6DIDzeBhykp zg?~}J(pUJ%J;hXGRX$1NusIIT$#H-S*f0S#KfEuKX=djt|0rT@zNik#=zX z98Q36Rw?Em7v$^7fG9aAii$aBmQceG5mVl_TlTwI8)OVy`R52MB72&yDp$W9AwhBd zgV~Dk$}~C6E?GrNKQ8b0eCf5Ul2%98fHa3NFe%E*P1J%D~6^@DqraAbGFB3e$R}kQ?%H7BCF#+&p2YJsCD4R8AjrX zFrid%i3(sSso|(BjehYkyhRQx`e!76;l3}fs1^3!{sGQf8^jINQv!nHgpZ5s0u^bb zys6zLt0F$GDj0;^SOX_mcxYYU-Nt7&Zxf>4@kp6_56bBTc5g(U5KlyY!s`bB!5p+ zTu2kJL3!i*Y);Yx%JQZwrX6V6U`w#6Zwx!d``(reS^Z5zl+-9Fp3Z{$Qs$dTph>zcikxweBl$Hx)ao9S(y@mS_LF^wEtp zF``+mDp;FF2dfLXx8_e16G`hvVqYn4(|5CmW!xqK6<=q6ur@UQz4K&^(tNx17ou4U z?dHn0QT#5>Nw%;4hD56_4Dq1F={IIXfg_k{Y+GkrCIsa_NG$?N3W!nfn^vI@z-Qh1erdeAC1LRP4Ca0T%U5{ zchBQ5Hh+!LIp!2faN>539Ks=51=+iyDjsAozf?- z$Gh2f^$hHh*;?ZAymy|cK-Yd3IhvS*64)%z$jKeYEBz0HRU3&q4;i=0g#LyDh z$kMoPtoX{#mH1<71 ze}H;SWHmG-TB8QW_iDf;KG_g?c|aMRb5WSEt#mA*5J-l?wkQ2-rw;@~5dMhOY9&}x$h7uPnue2*oV52P0 z^XtyO^Qeg`gGG#7@3+?FltX_2qWHHA@2{(J*G+8>Y>K}3VbrD_czO8>gjEBNCWC~x z{?eM&481wgy(hb(mdzPT>xhjKi~JQ8&-c2})|4W`vAcaPM{JctiVdToni!eLl=zaV z>ahaq(xnuqA9|(Y?^XOSql13j!B-#98o7ZVS+VmHtohr3ImKAg8Jwo=hDXSoxbUbK z-?-n5OBTtvnGzz_tlp<8v9qma{%(KoxhRwaj|^Abx&IzlTTEBUX+lXto4n+Sp~g+8 zk0ua(TPz5APq3h}4HHKHj|Wag?&NJyTWq~g1A#o?0_1^PHVFKWK)AO0m}z7YE2rXx8Z-RCU~pWvd1_e=RqAe=lBum(~$ZLwwK z(e|x2?xTcoY~IiLAJd@0rk~K*8MouI&hn&O;L7=yt4A!Xim5P2_f zQ5aAnA>AfZWhWy4QrR%0A5Xac@JVWTIb31S93@9x+Q3KNh7&uvD4sD(5Jbysx$5JY zxWY`pAFiobRzmOUz!-S*aI6Ce|H0if7&xol&I9{0x&AI@y6)Bq3ABk2iPMDD?y(Hj znB8t^!0AAtb+>Vukp7uV;lsJNi+@C&+v+o{oM00YKMtt9CpjO-wn2>|(-bc#DyYI< 
zi|<#-R|w;nJpbP3!y(G_-(y%Hf8Np~B7K11LJQ2ht_0}u#j(-^9r{`GimGas@~75X zZ<8{(d36f>lYJG1D`p9XAmf0l)TlghCK-z)$hnpK^rf)D<<9@rH6~hU?&W?|h2qdn z$z+lEM@@^iYaJJln8Xc}Y~xR>fBLAX5@DF$oM&hL&GLB= z-Ni2W~_dv zg6}!8YeMhi6ZFdDnR3~@u@-jw8>5iI9>@R((a3p7$UJHvaN-oLoU%$j#R=IMfOYkz z!P`Hs3zwk=|L}KU+$xM$h*E$v*TFipo#{3$+iY}+c@KV zaeaC&1BFqL?Mty?4|Z3FIMFE(+ZB6SG<2D8NwL3OFGIdYt9wk+CH@l~mi;^VVG!Xy zK+tSGI>ieG+G?lF&=l~C{usNP2;ti_7K1ZB`twh3qSRYLzSr@|I$$@- z>m(Ahll+Tr#gAZilZLIe!c}g(k07~jUM^gPUB3wU|C~luY1>aH>vnnPRmZ4^050w+ zl&?XctQ1q;ReDfX;N}T&)C?xQl=fdgS*?_TfUDb>M?$8j*!g?N0}JV_QPMyE%Jsds6?dtOe)FP=fA4eHD~+Drgdh zGolNI=%DjUMLiR^&!2P1!`6^}qO6Ii@Db~-M1o8{21urH!9;qx^2Hqt`9H+U7V(Td z|DkV(6cUI&aKUMTg(dtaAT;CNL#5>J(0XzKGsC#6OjMwsBk5zFoY$ z`#N=Em&BRD!|0lDDvAHsRc(_vK1B`hL)bx3DP=Igt4@h~i2OP|{8~nx9hBO`7e%_8 z3b1?Qwj600ktsQ6ii3axe;W=Z_x61tc;3D2H_dL-dnnB|h5oG0WR}lrfF(EHEYdb? zeaU{hGcw>{krt5j$AAQWHi*at65!YTUJUtR-AeA4+%?=9#hSC)VqJxHs!xk5(P9=R zX|i(&>ee?*(YF2lUPf!cwHR&4PCk?FAH8PwN_As|Ner@zeq za!6fu-mZBm+J131qfc=pMYMpMRrNqGTi}Hq=jvmx!iyU<{jM`-bhyvE$IJ}zgbO*F z3-~6;{hnhfXQb{g>nL|wXQK6n%7d}J$G+`k9aW9n@e~n681yDHRGT0xq?S40s)o{* zv0j3H%L9r49ibDP>%xlMS?J4wqy>At=kyFS?N!)h+wJEs=#J6}z23=|_AN)l#mb%} zQv=sxqJt?qv+&5P=Yt?&a|cq5ISzN$=X|T9UpQHa&WR*4)0xu$;_sa`KUFtOb_`LB zq~AA4s)ip{eb_%ge!P38(+x|%- zN=~GRb$n^)ure^-pQwS(_G3_H10`_j%KZjXVHWu`l=vW@3C)M~cS>w%MM>G6o)+Wj zrH8U(fp?EgQD!6;og3nB(oxWm-@&YP4hxDcj|a>D-&BHWFeEMQN?I0K3CRT8fii&l z3w&RPSlb6Hx3UMayOSrf*)P|-?iGOGhzTfuDme8|8Ml=V$q#+8(BjE~M1Pns)CZN1 zN*W>?0!6X7qiJ2NbE6J4i+E72Co$;0uqv>VXvad2S5eBEuSxTjTU}N%)og$wuu;|R~2d}@VB2Gy|6U$HIo0hVBr(Zr}#aN+F~_&;3mdfQa#S^My9hMRHAF# z@d6_T?UbSLFPgxyy?5ZiUA$j|;f_>%-O|3ZpRH}A&n3xCB<$BMQ@+b*fztwkrS}Bf-k+wA17pyHnI@SaJ8Pb{LLaMo9_*) zX5p#{SJE^HK&)Cg#Q9O0w#u<+Jnup9PRj_m7F=QgrcU;)=2@t-GdLO+KcWc};=4Ya zjkvd)E`;URYplmkVQcaI=|p}3H0foX1{vmh5cBTwN)q~aR~+(auM`w{zlzO_r}#K# za}3G_G`1j}PVRH3c)UWH#m40s+3W%D2>RN9CT5Fudp97IffDY1 zdvoL}l|JDmDSL_&zXD^%6A&fGbcwW}m%2?&sCCxsJK9!8au{zfm2DlwTyO4NX9QVU zEoswy^*{`oPp~O4hl=MKfsh+orfWC9JmSn$ViES&l9eFm<_k;O8>Sv@&$tPy1^fvo 
zXpd2x&03k<=EPbB+z{uiMR$fK(|+gcbI0*Pw98?UG^7uT6^?A$_r&427&9b#ayTqD zpc*VR5=5t1rKVwc{ssUU@3(Y$1^=9RKG_kcAjR;sp_5s0{PywT>e_K;rWxcJ7FUS3 z^|8`^JXhw_?%*>wAyxpS;ZOeORXf z05KW`AUValWLXgBD@FRV*&0=hBAaEWZc(sz_z zweAb#4G%%59-H;YA*6%?v5zem;4V)o@VWZ`M2jTl0E&kHTQpGzWzCG$wDkslv4Rb6Dm?7x0I4m)bamW zafBd}Z~iwcrWhJG>hmd%x29|ZZXLc8UQmn&xn)+Wbo!d2&yR!zh7Oo4*D7QSuDg+O zK}S2VhfNaiQ&NN=9xRw*D6Q&~&!G`0ES*AF|j2RL87O$qUO$m?++p z_`4>_C3*KNCZ!ex2+2@cy}VS;q|`D9rtps`6Czsm!SJuFln7DRjmqdSLKvc^-z zbI&-q0;?B*koDpn2J`C5l{7*Qou+ZX+NjGWE)(XUZO0R{$tPvF-L+PA%roe)*C5c` z?1fy=XLtYTu04p6@9HJ9fo-&TtP2GynPcHaw<9aCJJ#3zlKpy;1Z zt>Cqb-zV$*_9@GTPM}ZmH2mcEZ|#Gjj{gSLvga3?4C4gox|XMEUZ3`kthG^kQ1_rk z^b^($51TgWpy0}LC`4~6TDdGcg)7j*0W4|eiwV1(o^hDS+ zeF+>$n*eFA*k#~D|F9uV&@K-Y`ZqQx8asj5&_)~KgiZXI>=FlV30&a?C+6M8UQ%;3 zCzd?s#8rAz56Q{M*eta%cDu$-S{Sex%MiSh{EGm%o4#*s3SS7ppp3&YiiOIm%UpYr zHgHpMYLi}V0z2=ocu@e_*v%?M=`ne}=^#pJ66N9qNoiM7lM%}3I7$9UW~quGHv_9~ z6RNicY~@x!+`y@zgxoca`b2VEM$ik*LFXnxPR4<`Vb7`u%Jsb!j>3&8wJQt7Q9x3P z3sdUVK?Q0f{lw4C;1%aqE(?TPfClVFG0i-5@{^?QqmhTi_Q6gWG34Nv;*S~=-g8Y9 z^}t;{s1*5mNT8{g9MOtj&4TzU=HK^b+2BPFz(@x9i^UjQbR-0^O~n1uX$lljo;9I; zBHvD0%sko#kpEL;4W2Ggkqo~TsotP3Z}6yO0Oie?@SG%_AeWF4-sI(|q>FaFPT2yA z1}fz`{fjXAUe5+kHzOe&cK}=Gk7HY(vi5@J;6cUPfa$<)PKA@Oa~4-9(Qs4r3al8h zn;lfab^>>x)Dm`V0owk-E(I4<@;(`a9QfkVdT>d_aYBEZ>w`Rq3xT7=P2I&_R|3#Z z>ZZze&*9?P6=jCz7$&7^&?Zdd0A~XSOld?pgzn{SNyNW3K3x*t01Ov&@%D=#yJ+=q_Z70uJXTB@qh?ur*(Nb||KN&I-6j&mYT&d3 zrG)xHSCd$PBTV|O7FWCd#GiY?nXaJ7J-8gq$svU9R(cBQ zF*yCTRb$#r>3Pi~O8>glwN~NX%fsZTbD9eA=5_MiD$y6+RHuXT){j{&S$%t93Q|+i zYtP|KlRh;$SY(T~*idmcc&Y<1I)Ss;rO#Z(8D9D-sS@fe_d(Md5O&Fi?(rnJ5`eOQ z+Fro{mAFs#{Nv>Hq(CSC7&?ViUpAOkk%~Y;_k6}RhO|liRrY@ul=2s8YGh#ymJmlujivpgX_MdkX3VbY7_A{==K2T&@Oa51e+<%UwS? z?u}F=RN|q(ge^lqM;00O2MEg5xjIaJCX!5-<}VkZcGgX0l505h)~M8)YEJIm6yq4H z`S9R=qpaYKT&%kA6}a-?Pw|sXvUvua70{8arB{V|aSTI9RN_#6CirZwnYvxL1l;md zNnW|CF>LMluWHs{_VT~rY!?6;Ei;~z3)n%S`dp3jSVD7^rZ$?n*Ui0D&)&&*y+slGQvJbr1?Zn7L}N@%m%i_D>ic-{L3}I=%&$)!VR$5Qv-Y? 
z4$}mJE4s(=yF4gGAE~x};sfvwC?4Z)(0@ANDw|&;BVRh{U4h3VtyZ+{8)u&}*AHczPtPfNWLW?{ge_@(oOItplD;{&`|#lZ>p;9QJ-Q03n0&IxRx!jCBLJX%GJ1!pR! zup@oXM*?U#zLXH?R63O!H($PV&A8+hp%rbH5puh5PaEodx0<%lL=j;cBuvsfG%*SX zoS5|G_8KD>P%4DEoPy6 zVz5po1kvVnzg3Zw52TYTP_ZP3YOKXf)Iu1~_V`>4VucjzlaF;aNvm$pjaXXWSktDe z=bpEWil6$KR^7f2W6bHz^oNXT7T0>j~5*4Yi3_th~6&d--mKnT9~jQNpvF@OAjl${$Ee^mxp(x$0@jI4P2;4x zB!s@3ex&&m;h0d8RM-B{5_7bb6uk)ZZ-VoAd=>SPI+^gV5X8gVUlWXJ2NQ!T$%i1u zut4i)Z)wbNs@)$>>;XTV*n?cJPBJ(bAD9qRhNaxHsWRc|3-4>`b6uP( znt&Q(8~>IpUVpxAY_TdHs~V7=Wr^)CGa)eO{=1j>ix=nDD-Q&Q+Ni|P>5%^N9ka@% z%Z~cYYNj{wwOon!>$il4-BE_mv;NPR_%>j_S~Eh>=gF#2t%QosdVq87V+h$U(+G1? z>L04v`_z(xG^+AK=)r=h71Ub3G+`49NSRgn$BY@k3#SU{0qFnRPNC3Es;~@IPIBlJ zn4k3HW5u3~`b!IM zMyi-X9J0i0=%TOa23*&RaWI4@g%8%91!bD$H4q6=4#ZkWlSAF?@Nb>Dil{tQ+uy%U?ED8x)yRe=^-CBmQD=ab&ADbp+x zkwL8&d*>AG!KIyo?pwbcDAKKeVivorD)MvPrH{!#HLP|9>r*Atw*?dcm~=s!zKAE7 zG*FY!vXG_`FP*7Op;rAbAMZe0s;qjT?NVhhe+)GSQd~VZgiTWGaTVyS9G9x1`?3c! zrA+fhY%6_zv~y!dSAS$e+wS<^mA};N%$Fk`%Ku~P8>8dwzPH=hb|z+%G{(eMV;hat z7>$j_Xl&bdV<$~x+qRQ;p7#H1-!ECS?lqHhpM5s3jf1T*Veh>gZa;Yj?*e!f9rxO8ht& zMT6o_#A0aX*8;|7DY#a#XEQ!_qJuu{6+?u)%GO+?_j{IvvkWyMyF>#gTwt(@oo1s` z_a^YuI^BXPPXPW8yTKkVscxR?0yt2q3~$8d=l|>I;7O0*@g(92FEd@38dt{AxK6Jx4ONeT7 zCJG5J+oQyY1DPL35d{IJiKU6X9@BI;WK!mgbyc3x+YQt7YuQW^&6g)ei!#2jz_C&# zQ+7CFhKdyf>Pb;{w8kXb$-v)J3;N`9ETgTk$bM3<){#okc8Nq6(rG?KU$Y~rLq7GH z>z3CbBvSdinU4E)e42LrYi+yQM5wY=KlqM2 zIW5_;rk&p^DSzHSj2=zcla$*-FmY;N>Z)Znh&zowJ$k=gAB_2PXnr3NtS)_e3I(j` zX7CO5CQl3Jj9;feQ2mE31JccD8h}$0Sf-%PhBX$r5*0;Zt0LA3jqk$jet8i%y>e`h z^)tzQlDRi;b9gNTa^ zHVBbEK!*)$s-Yy#qdufijdb$b{XqWDSC|WtyFBZq0;TiUpLc^wkQ79sOyS5Owl>F*RT*g1>e*{o}d&?(A?wuGEsevu?L=LcAeLOexA*RzJ zhcVdSwH4p)$3IVQ83-2s%>5pea^h&2OlQpr^}}zz8}(LljEv;Tn<8}oZ@2@t2TCY5 zWfDPnSbMAVqsUo3-GldCO-iWj@CQPXG?^A-bldAOt*b$|wv%Z+q>P`r`>MwNOBYjQ z0=~f`TX7xDP#SuTBgOcpQQS^74w@V))00C$l5KBnlI^X4=*)H5f}bhm#i=TIjH|;G zd4MjD{#qVG9;BTRyaJ63($-v{=09*)mN1(QB=aC}IPrM3$)8<$(thC1a9phG#K+3j zTPa3lCc6#ec()4{>(DcCbZfLK>%ZP93&OO|7j{8?R5%HY60tNe1_@ohLcK2mJAyM+ 
z1*kk*3JJ5bxwBEAaU`y`L6GskhXp0OiXnt~Qw0T<>{0C6QE7sbA~Y4K(HoLFO$mnc z+o+ZA51YBBrs@{3y%g^X2R>+5_@av~=n_s7OhB`IU~4vP89`+hDaOE|@=|O&KD)oV zxbvBk@JC>pSastHI1ff9nj5fo;{x@xfCv0iB|EfU3VpO}N6&q-IA<(r_EwEz?%s-) zWE!8BC)!rDS(je;y^}@!_3sfeR_*Tv7nBte?o|kCN^Y|`P%r@jZtd;Z^PufA zv9sfbFa6=5jEto?)4ww~fb9~qYAbJVx~2Q$S2edhzEWcNDQU$O)h}TFdRj0N^FQEK ze7=K7RzUMo)|ho*qk0{PkzcYmJi1jTrSz z-^$h|_^QnH*5Saj$FtqR08p2m@KDT{OKzZ#DW9-#LQG3}5G)eDahWP?sf8CFghJX* zd@L5}b1>5N=@Izr%P*oskl|1_p(B8Dm42>Wh$^2~-m5t7BmH21bB-zfd8M|G@fbnT zen}8jxOkR+jB-e|&qibSsxp`<9d1J8RQM$s7-6y7U4#$Z;{C7cmD6oZ+3F%ChE5mM zK0fu694^ixzJ}3!8;m`Y1YJ9$N(D5|W~Rj7Bh|Kx z^dv7DF-JH`Y3pq+obDl8Sc&KG1(LtCjF|@I04Vw3FIkUpu=Z6)Z`)DBIM)3TS###w z;VD>d&Po^%MufLN7CT+x4{Y5Yk}L2&5)2Xo4rBPhSc!rUUXfp40j*M9R|QqdH7VF5 zzP$T~mjwDc^}pPrt6cyXq>GR*2sPalb-@Us;R<&jcF8q^wGftcJFVf4VxH8#YC6#J zBiuIiz%u1rUN{Lf$bhu;0%Of z#kH(osZ@}O$FIhcnP@)Pp^tDw5G%5q;k;fVauW zcRV7q{Tf!CtvKsu{~uwT0-!*I`7i0Zsp7&1B21_azw^)EnFs-48uGPTk8d69Jj|A* z>JAR%-@+Y$2g3DML%QQ-$iLIPx7`|V_;8Sb%9p3S`(WxHb-|4>8EW zaklK{jo9Ole``^a+r`S{Y^i30OH42Np;W#O$%{;8lH7-^PcU%Vz}UhByLD2e0)>Hp z`avLqZNUKDurM$KfQj1a%J<(afm==^8W|AFQCHMaXixDy?}Bar5uB0?21M`x5W!;= z2Ge^iBTE^+Q;Ml#-T3A9C063-BE*<<*L4|6(5Kf3$<_ku zU$Fv5j)@<)0*f+lBf*VAJzaC8m4LT&V>4jf!$X@dt)lZr-*4U{a6hX4&gRfbzezKV zxMk+XeyYlfTjm$w9XnDbYNsH|M+aG|cKF~|dt;dD%X`_1$4CEWyM>cx^j0h+1bmn@ z$Xdma#Ow;540k#LFXjhN0aaLGIWc^oUX5o@{1#3G_MGVZO zw4QN7Rt-ieEf^wxi`9N8CU)Ecb-Myq3dui6Ul^+f^7F>aX z4&IO{wxU0?z<7W;mVVrmY|6a+VJoWQy#`K&=A-kmfs0ts!^$A`Wsz z=exYmLdF5GIqF5~TdBA4rDM2M#1ay`KlLr8Ao#xdh!l!*8dn^0@$B(cRZ=cXYQB?8 zcwL6Tyu#Nds5aKrimrbF@9;|d5H{`LPrBb7EUkhmwj6Y0O$xpnm^*9fyF$yqtXW3| zBkm~km8vDEB=``v=n|gyy^8W4=`^~A(}76k=b2>?p8x;MkG@gfri|(Xoxk2 zQhPh0dFClQxh{ThLdqQ&!R0Abof%$s&fKU&Tv&w63I05B9Cjd~ohzlP{67#R9*nSQ)% z;6}PU02J(8iI<$mmKHT}Rgt;JgmszP;X%=3#(iyDOoN={yh(<;h<`P1=G`Y1eNQQ zM2Yj###h9d zSBfRhEw(>84Qaqq$S?chw9Ngdu-EGFn*d>qR|i<<+|^t@sKqxT5!uMlW*_GGAyf!( z|5r9^BlRJk16;toirf;o!CclsvI%~Q($_SxK9!mO1Ml1;0g{kt^dO}11gX^$?yEzu 
z{dV+c2Y#gb<)@A)xH?Y{F89qwD*E7CNi$+6%CKuBpo$3ZwBp&iH0JMFPK(^@$_gP$ zq9lTtE9;_91d%9(p?{foG>oi-x(!`LWX1u1QDCOV=u^(V9M`!Ip_5A0$DQQh4U3vc zTd#%cNCd;UC z7^~kTK~dCX)2TGticf~*FT>@Fy7I9Iq;nfIADFU-KfVRb4<32r==Rl z-Dpj3Oww!KSKB`y77%9FxA~;85hesU5t-T^u}ie#{24#+NuS7=GEQf6G|_LJ?kplF z^JvkCtLM^NvG?>K#B?hc$p~Z^txcvkwx$mp6_(><6^S`&4RWyd7e;R8Z9*)P#NE}d z_14ANMSaEKij)6+@p=em<3yauA*o=hL4+xMFvTHm*B@*?y1ueo}|)!Y%G7{~`Z2kHA*+`e7}`nwvMC z3S{&qx&UqjSCMBdgQt8E`B|GOOeQ%$;Z4*A4dAW2k(qFgP(0TUap6xWIxN3XQc=RQEwy&>XiGWH(Gf2>|pge2Uok+ zldvD)HTU(?m>7QBNNya!6?1I4KM7+cJ{QjRInF@azkT`Re%9ScXJq(qUpOxFVKk4m zU!ml5Z?V^@J69Yzm|{A*A1+?kPmrF(o7QQ5xG}Q5Gx#LRu4FFI`1ELhXw%?!nGbz` zgiel^=-mKTO*F2mFs4_N$)XkbyMFY=wqaO;{R!1-2Ju#S{JUKP-2V)*%n5eHe96A7 z6{gC>m)l$mjVhvrckRmwVxU_YUS_?hPJqiair;fnGTxjCN&OEdJu#}(=oj<9Ese09 zpJ|<~RN#}|mVBb>I&(r1!jx`0F(2|e(xZe0yI{iC`FWw4* zu$|dr`zn-%4CeT}aiwZo3>3P-6E2{vskXgH(K6T;a%U<~BQ^iwAUfhjDvngsp(T5e z*yz?pa5r=c7!8vSRe)CDSvN@UL6==Xrb#siTWT9lW31ag2FWXJD-I zG^rcM2ANF6`h=Qow5{%>7Z&JiRkD zMfV27U-ZS{6y`P5+OKmR>0sc>!Vh3i%X$ zAAKl2JE^1OX?+KpDf(mh+@aD(Xc_IumW^|0~~kFoO^iAv=hDZKo)ws1D(^^I)nlCFP;@zD5j61t zUWnA&4;hX3qW|`*D0{vY!cb+9`hDHBBj}r7L@zTZjUX zrhWZeRlpJ#5mLBM3Gx>yTiG(u446wei-tn{0$U;rP7R4%JSy4Q*6GJSGmKY#DDIj6 zv?gF=_LYn6$$jR?BQ0zvzHFy05Q2v0+<#x}LjSm;$Bv?8L8`)`KmNDDb|Q$R6$Msc zpf)KIn0WPHB~jR087h1iqZ>&{`DPWbrts^WvbvA{#f+w*1!*8&{?DM*X6pc2QI3sI z47Mxfu!AUb3S)vg;us#CYI_&_UmmsyBexF6pUB4kC7fTAB&%k@|~$R zq>*MYSlJb}rMG|kyoY3IgWqgPsYpWr8SJHWns%zDPQ9ctf#D$E+-_`(6dF`Gl0@GIsodrvlX!bc4cqO4U!U z%;RMEf-|<8Xl`dTPD85SeBS~yARBJvfa;rWBzfA%6M)D+ImoG>!9pnV!BTW(TLZm6 zqUe~uyBhtUFigU5f3xnE)mpdG0h+fP}EqrHI;)VmV*l8B)2rc5m!*%O$Grb&_j&aHJ2GgE4JCHVsR_aAt3{zC3EtW{ytP zpQ{;#$KY(j|GS2dHKTamfQRhAxt$%J6O2)@Dl^KXQJx?@FE!OsCXeLhF z{h7wS{`p!LV#neh=ua15Tc|f5@uMsdEO>JCUAfX`Ru()xzXlP6kvL2eZX3;S|1g{!Z*5cpF5n_2_9_YmvVECYwmqI`*ljRUwRe7_jEwtac!_;d(Pg99` z#YW}zSMdcss!qT@!N*4D-q>yt;72yU_dbcaSP;HQCx1uqFBv$feRs z15;S96-;F3%HDl?%`iFb2kRO^Hz#qpONnYs(~H;%lZ63;BUj(raZg<{8KI!(RhEDo2(;+QA|vI3sQ)6FnwK;3S+< 
z%zybxifc;p{IjAXvp3SWgs+LG5W-%)=7G!eS4lWN&mFFngcNYkR<=A z5_%#{{YH{;8dWu;bL{G^@9BCYeZ?LqEXd|MWIv7o`CB0;^x%Tdox(bFyFY5lk~Ej- zu}BN0NaopjmL=3OykSoF?%~oIc^Ow(@ldZe@_zSA>&r%4=dp9;XUuo*T{-R}sV1d1 zMjpUx*q7C|n0SupAv1ntaMOo(e9>|mu=KxxiSYdeG40|w@bO9*Xl5jgyvet{}ee{<@s6 zIvtO4NX(!FC0P@sh;mW&< z+57BZmQ%m~@;;VSK3nu+HDfa$mh)j#Xi#xSHZ>!wJ2IIFq1oaLZM$>XC9Y7IkRn_E zNw=L?laz<)a$rdmYb5QN5GH^g%j#xPO?I5;wBFv#IGRF#UgYs;g6Q#`{f*LuXpc2I z`Fd=n3W?gi_1wbQi8MZwQ=&Ug{5)=`;D6m$GkQP_L-N#47-~v5(VCLWkbKNM6C~Fk zKpRcUMGH(e$-!KN1>Np!oWI)sMvd9eAeLL0N!hda7Ht7As;k`f`l(BIUtXlOhfLZk zb32+T@?%kDq;qaa(Amt%iFb?gOFSoc0jKBPx5}a*PvAV?Ab+X7b%78*=mjQ~3k<@F z!;P3`lxq+)eLFv0wi#=n2Z9<1eT>U9Yk`<{+rcqukM*ib6u@)8zvYkxc<&j8(tWW@ zI_#OacB35K<<%4*qXt&y6pYS~A{rMKHeWBbB{_yD*2#0VsJ6q7Q8fIf7?ew~f=YUm zz5i@oMdYCH>S6w6j>s!I?0o9=1UUS5g-kg&gggDBnZ0~611Lk`%kS&y}j@lL{qC%(eqw9Y!yht#;vsyPmomJ^18XZ;TFoTEyQ z2#mc{>bv?ky(|TrM#Q!oZ_chI&!}A zim6JQZ-!?lsY_xtjuVxB5$(JQ?BCfhkgfx^f|eL`(r8k%cARBK+c~(<1cWw|NP!UM ziCkQ#rfWRkAd-A8&j+JH#TBQX#TCDV$I zyj)QDn{`EB9xnlKL*krQQo7Z|LFR%q5K=iwRHs%6d-v%NG#_n0^yKHO;E4)? zM}%hJM&vA#<*qApg|^5u*mD@@Fi8lxm0_%z&DBL|&gS^q|NL@k(2l!{VJR_Jp@inb z;;8R=GIa(cUQpzf5gHg5^P!IaN;U-#-p+`oJEk~9pdeOYyxldUmN5|hrP;tOF6qHO z1x3^xg`#`>S`5e>_z7Nn*w)-UUW|_=x_Cc1=0gdug=^R`@?otwqY|=nW@!WCN5-J_ z0-~E!{BUZb;%Ag0z0ksOKU1H7g62m+&xS7pN@IEUtp;<

#m z81$e72D+FOEYJQbFC2}qikjw!laKNRt9}QHISK^Jfh;#1>IO09Us^v*yerNzg(@z( zm3WhZEG~k7BOUPIU!TrPgAyiVNMZlL&b-riL3Jp$PiVr5>m}s=-zw}~8->)}UxZME z1(nA(f88Y)>0j~ttc=pgsAFK)veI`me~6}_NW&4zhom=ds;m1%mWtCWe?8iZGDBz{ zSKN!@w6WH}!L57fo8gi8<2%wTFttL+NTqV_5?-^CMq#^rUI>WnY_-y?$ryiL2&zXi+l=(XbthGvP(PR4UFl1SckSDN z5)9&rbnE+QvQRQLO^xh{Du1{3Hze^<=THUNhV&BTSwS>$#Fq#Psc zQXUGmudj7{U!>W!g%NxF#;vE;`r=!eE@yyj88hCe_F$8!`h;M^QiVL@kAC}&N|@iw zdpDhRl24}x>&fxgn?qB}4bI5jZDWDAxy_hx1HXG(pj%E3f>8V$apW&t_)U}=_z8R9 zRP1;t^+%Ixf~p8RRoK70u5DBG>4K&9ld^lE4nL-H4*hh+nwcR-3%U+vK$zT|cl&Wz z8hfy|mwaVI;bJ`g)=iwt0mnmPCeJ?@^lXkz$py-d+LK`uvZ3hL8zygbl9RpaN|8$5sIJ(j}U|(#_=hI@cnUnYm4d&;GUnZYr2z<&^(I3b zWP0M%1ai_SOieADFF-(L0C#8n?Jo3+@ zJRoVX0|Xxt)seqBLkQaVpREV~Kx$}96izuAnz@h=Jo#COXKVsxW zfdt8IUgEuQ8}#)z7|9{!CKB zI~=d1L2}qF-BPTIYeBN5sKcqJhDb-FcZR%E;=C$^YP&nYzVhe`V$hxHVmsR7&^H6}AiK4kosLW-MAZ*d1|+IT}(^!l)tNrl2*c1rCnX zTzbr%0{%l2{->|^a6~{1DDocz#(yscj^~~(Cg3?O4&Mcmei^MHHt}*guxjwzs+K>Wln>Uf888aM~~01m0>W-Qr_ ztiSv6Mu4O8GJy-WIIHt6AO%LX99;xt>Y}>mB-*|UJ{fdmFg`e& zURk=>Lwtr?hrwNbFsr(3d@jD$hZb;_@A&!Sn!m+@(837MgLNY=Qnx%WuW{`V2ps&+ zG}MD0kON`jP>7{*#y3d^(fhY(V%TZPd}MSUY$RhStGQD#Zw-FHB6a_x`xpXfn4}3x z5Qy$$1%8avfh)x>K((dgbcRlyyMb(sGg9`xQ!n@j)#=P>SsNEYza4@#*3uWL!X=1G zWOo(2>hcblssJ;*j@Dpsj;EHQxf274>cv$dW4f8=2J4jgwt1v+av)Hc7rR9xL%QGO z=jwm_L1AY_d0{JsCjU(hjzoVuxsYX0RN*UKVDGM|;$!rf?5N_CqJ*C?MN!?4e1yaV zRdXXra2m-BT$=1f?k_{d@~}?XuFS=#eMkZmVGZXJTA#Nsmv6OfB3V031P$&0wn^J#4V<@NcEF2cEA`VV#FO6o zY0oR1Lli3iRrrIqQ2DVuEcrqpi*&1mi+Lzi^@1GZ62@%tRjb^26B;xLENpGfqsj5| zl$sI2e+?(|sg#eJhwsSDg%2rB-m`bDB+d@KjsxWH9=ZcKByE?;No>(4QZWU)$go5O z6#Es%?HQ1hJyI`$s0#5^)hoI{YrnrL?v~j$ZriSD$oWY7$k3;-?WVVv)yOn*rRrl= z8yP;(I@}?C1=cZs1prm>C6C zY5#lLxZ2r_8qv7KSgKpON%0zQ{AT$_NY)k`hk5HG0{b+7w_j^5nkN2Ypi3ZqYENp0 z5BVg%6F^HmzKa@=IrL@(lACNJ5sDAmu_MetgP)Ufrcb4IUu0{23-nH zS63{^*2*ml%e)6&cG7K!!HpCH=kg7F$_~!>e(E8_O7JC*-jD<5;&{FtN!nIWbv0)M zth?E-q0{f#DvsW0yjwtu1>FrA27gLXtOZHPOfk?*_*Zwp89;%47s#TAD9iG1dPj~=nLsM~LT=6L^BLHXjIyW4yuA{dc(tDoIa713n(R}hqzm%zB%vcE$KT&Qe!bVC_$bkx*0g0br 
zC=V5q6Sh-T$Fh4XHd|YvQpE*ZEN{X9d96YG?n?V!L&%X+C`xpjf+EpR)~I&7u$=~i z8qIX5_Wki#e0wB!o4vKBbrQBs@PAcPcj0>%iYWh9LR`LY{e$O{PC*EnBH*47ZiYyn zufmu{R&UI$(pikuJl3++KTXVTCQ9YfB5v&>Fw&o@h@tjS>M;2LEOBn86?0u>+s&qryex%07!b2Zf7>fDbI}m#zZP=^Sqzef3DWn_s#khsfyr`qrpbkj=E}0UvEDJ{kTnYK# zmV-zb+4lRd?HsqZgotNwFu{h#GX1t@|Qer>x!!36~w37wnr^Lc43Va>0DU3IS6 zbW}Ru6r^+Lwl#Zsn~$UKnC*XlcR&>}doRx070j+ynO_^o=K_~oVm)rblNsti2(Hr^ zth)xdm*o=HCzz9)krNk(HGFK~V|OfMTlls%!`P0tjcPS%$OsRn!U5cqn|G)~>R&^Ep^IS6;t6Pc7(5qZ z6$`>{u_i^;4S|XzD+``54#yNbZTG8_I`Zf0Llg#$L+#KRib2cz_=FefIFda&V>|DV zuMLY%u-CL6DT0}^byiLB_^i7VusGz3qb2}Y<=_oc&dE2dNzZs<-x$jh41FOMly&A;|2Fkl_A->ff%sg+i0&dZcre!&HP&V9@H(q*B$$Ju z;;1Cs=X2>lIodO010$;A5m*tGF>HQY6L)E9F=flpiTI$xv$loE{1w<{&H|-9IM89$ zC;-u^6;{A`Yg+fiI7+&g!|#N!AkKFc1KMqh>V5kMr0W9U&r~!48(lY^Z{2=lX#61b zf|72c2Lh{GDRJaN@pNfKz7Y5`?0+mK<~#JxZEE0sdlZ7Sh@p{w4wo<#WsWbj?+^gm z>1ehg`5SJ23v<(r>eBUNBZu3)1FIDg^{I&62uJBIlE%a9gPwqnN>xP~k?Ikz7UHaD z3piIqerJLp8h?h;OdfdW0&MnP)VX?MKed@RE#BnXXU5eS-%<^>DsQ;dLLIp00m$@X zpaU1KsjOWZrzhHY+9uE;bZhiOAj?y}S~ID>{W#{}hWu!9I2#Fi1_DqQRYlig4^IhT zD)vA7pIcbLHmpw6FE1b$b|4;AjW2)WJ%L;wzjS(37eV}g$xj)|9l9N+h> zHZ)pCI%zi@vwZJX!F98-*r${pbS#tKOS+Bt0!lp!;lxBikzp_3tY89$9w{iO3)&S9|&npTrooGk}$J*UyMUpCjUtb zHv%P>Cjk9raQ>p#BE!gZa9)t2Wy<~YtPDfC)@EYnycbvdRsaNCXawPMr<||%5<}X% zxGzUZs!8bq7h9XM!o1ymT)ROqW8WWN^5k+vzNoy*#Fb5p?BobCzY zs-lMVyf4eXv^xZ&-+Wd( z)bJningxXrGa8~j?$MDl!Z~t(qi)b!UqQz`_Q96}+wLH&>JzSu(!qM~od%dV`*O{o zX+usNn|nCG7v%AtfXZbOI&Do`1QXL14Jd_b#L52rZmE$4Y2*%(D?OjiO;)C_cSiQZqngGL5GpAPR zIK0k&D?Jr(XcSPd(07#wNFsWg2%e}ob6D`xi8pORHK3+=3F<}85m^-p$l6?WMzt&W ze4BTa4w_%?UTQj)(jqxq7k}A|ayh_y*TMkHF5~zM?dvh$gJ3GXpf|D(X@Fa;YU&4V zDm*ms0vWHytCyHIm9>o83LEQ3&z0K(o&N8y1EJ@bCk$4N79D~(-|v*gqaGGfy{#}@f^SYR?rQB`&raJv!)Ui(xd_*P_eIy@`n*cg3>x=TBGF5Vbu6}#GFqO(~ zmZQ!_Y1?8UNrUR96$arlv73v) zGT@)=CNRW}{wj51KwvEyDg4{3)kcWbu`)2nT_}L8=Dn3VJB~cHc>SwF^HexOD_$zE za}S=;K7(M?7-3z9ThhHGcO$1N^4Qr;mb~%%1f(@PAHhf8n1h!KtV<|G{UQm28u|st`YgeY1^+E 
zE5gY~608&-%~kBNdhH;N=;)>3=ZrrCf&;0(;_S}ib?WpaH2F#W5A3$u0PslXMY5X75T+9cNOI=&zDF|v*BP4EZrLn*~QfRQjHpd#2}^ipfwGRxD2w*Arr zTwolkLyY`bW}LZ{J{{*?p0zQq0E!P|?1VyVo$TjwNTMLxC>o{6@zDMrbU3u#p#3SO zO0wE#F4|*XWKjpZzZUr1Rczf|j5X2f*m2#RG*OEEyh2r4jN2No1xG*532~rEiZiJS z8XFDygx;oqAC3;TEB(osq}`ciU(i8|Xg2>*dzETV`NM}pu{OuFFk}>%w{@SD*9F(R zy|)McC2k=l@5f7~rzwifqanA}L^+kABUd^7p9cNFN+d`7qwPoLOh zrqHB?I|t5^1aZSt_CV{&(lk;k$o0gR>e>3P)1SimL1KU@fv~pT)Dd0=VQt3#T_di` zTavze`y*vqpQ_b%?vdY)ggR-*xYB2Hnn$jd14cStNY4}ehCm7oPXbBgv*Z@@F4N`# zIPBq?;9~u6_}g?hFEwym0vM3Y%L0>X+JCKqlrL&R2C63oJ~u%^#$bCaVw)0`EkNB_ zg|?`lrP#h^dEpFc%#Jn7&%c@_C?I=avf*7+33qC9omhKx_PSU(mdnd~FK4yNxq+SJ zF4gqsjqIktEB56Fl3B}H3fkFtsK(Or;gX_6vlf)8vGNP%cz9;dzxF7A8Lizu*7xY_(SP z@m==wu|y5PFQJEo69+B{fFMd2olDZs`J4(sZvKF6tf_ui+Y(g%9%jeX?oSE}GV3Rd zz{KDL==6{T?&HfPZW$J6AKohC4M8(!@T+xoI$uJ1Gp<&uKzDeQ z^7!{{EHwknzzSx7(k%Gt6TEu|MF zSDO>fen$YNU-0(7?>7ApaKZ2*C41%}i;-e?=6dEq9iYJf(J&REbB&&Hs)SCG9n$o0 z7Ckyx7HFG~r9#x&{#IppEI2S7P{eoa?luI2VIQeFghK2;QNjyDPNmg?zjCQ01+T$A z8R;XR3MBmp(G4Z}*xPNv!cqge&$qaT(n>cZf>{Xu~*BM(c>0ScXuFAGHvnoz!=W-3<;34B;-{-EQt zmVn^GLCp1ehVgJaC%wwu@7TVvx0C7*}Qf0bv+q~fI=StJ<1N@?cF9Y`C(@y@fc24|I8PbQQi7x zXaqXy_Lr+AParKq6bG4M|Fio3u9gWQL( z=wQrnekRN#+v8FRJs=}#WDK_%{Ah4|+P>BI73%p*avVBsa6IQsbi4vQZqNvw4EZiU zi}iALY0r7u*O7&gmngTpa{TS6Xno#@`$x&+rz_P%isysJ%CY#XMwiT+&t(9J!ku zD&HQq!?S)`bufrMkHQQ#TgajJ2$tmOcRrpakw*F$cThs(8T^3(v#* zWJAMgU@HT&ER1OCy1t#uZ+K-q#mcHx%To=S`jP0?Ql`qQ!ohin0ZAlpW4s^`FL=rlCtDmlUc1voOSAn%oK?j?QkOB! 
zGk@EvHS6+9cW^kKC~e5lvHba3D1qXk*?9RR=<5I8=Kgz!^N#XZiYIq2MWDinWU-s@ zc73=J3SsLpq4tFQ=ZTliCJygn_H`2ZuF3hAXtrO-(+NK1qv2;$qY4LaYkhGVR(Qf!)epKXB7RgM}{wC5~&wv8jsxI+xVMxa9Ru zY2<7(^9MfH%CRXH?+VNTKhgxTGLU-=w*57?rVkVkBkh0W$KLQ}kwu~CV+XYiO=sb7 zEoc#lw60D14<8Kp=DHQQIJF;<#aLyfPYP~NI`E3VTL#PmcI^j@{0F9mjVCaQR)F*H((w%7-2mPnlCFsIbafkCAsag|~h$D^Z?7c%EtcE(wILnw{+ z&o9DL3V}@*iG~UKPFGVTLVc;)MVc}#hHAEW$Em}!re||@%=hz5$RaQ!S$ibeMVGIH z*pbdvwko%@s*fXW%#kxLLkW)Rx>rvP9v2M}<@x;C|F-{$2-Ydq zR;p1oB4wH9I9*rUf*W?hZyExoLOH$OcS@%!nxuGjIYh_h($QA+$apR&rlFip?a4W& z!$vAIf?w6Ja#52p+9bDmXH6tEZ<(4FG#-5Q#~iFA?##heL2+2TQ29*lw50@CmYlu5 zaPAOn7|6rSMUND3mFv#c0Yo{&LM^J6UAbC1d1-&?C`+w8soc`DzI}Vte0~3_TrPV_ z;=}E;OpFlgUqw6$o^Z*m|Ble{DdHB?j{WBhV5Og5V23i z%?2z>ym)38fNx#9lqCAfcz`2k9-E+LuH(xI@8r*0!E$W{?tmEe z(%Ei!i9-IAJw#Uk!}DbkOIWX{^CrxO_F-bKG98;4tJ6oX>cO9O;cz1gdwhq2z})8U z=}T>N=gwT^U91275RMcN;yPY*P=FvI8dhGd-;RPh^Ez9LgU2mSnE$~);us<_u6W8a zrh|wR?n#p*%bwLRxrnHpzB5t~(V8FdUavk4n-S5#1-j1)Db+e1bhY*>;fK}bqYT{-N`sl@ zcr0Fm^x&K++xFd_9~zOT;#5*S)wNR`%{B8Qu?NXQQQ02osCGs|CE#VIFdCnNJnWi^mxE*aQe7^*DVsUK zfn&mU80v*+L)$ZCaW>evZNdnyB3U^Tvq%8Qm@>6k@{J%v)V&ZI%wGC`OnqfooK4Sm zDems>TA=9SUW&VwV#VFvin|pri$k#@#ogVD+v4t0+`et^=Y{VtTzgC=$z(FgnS=mk zElT+i1=i2=_9p7_)*V`9p3L5ekgtAT_gw@0D$QnEGxGaZvTi|Q-W#JsY`b&sv}N&ze)}HyAIjv6H%SQ z4nEX0@f4w%QOS|*56Ynh)&drFF|MCtX!#Jr0a4JLtWd6dfvQ)#T0)3p}7fL6ybQl+XD;uIYa2tg%^?yex4%DEPKk&WLO*; z{Uq}g?LjE^8|^&7nU$Y8sUfz+-cwCC^HwL}VsgDYwUFrYHih z8XI{5l|bl6WR1 zOFDsO(?0w6S?rpu5jrqEa(JrTd(tSHxk(|E*RKb!25A$_fK4z1oTfY&927Y975uW2 zQb`HUjZC2KvEmw^tD)d>B&Ck05zwf_zb0naF0MG&HJ!$iR&hmUU)tQ~>}WK79|76- z;kLCs4_!VC-M5+g-XGPqjS02h9^ALFw6;D!T$g7q`??#9WwGJ~4UE@3lXufWSM;j5 z_9dY78Q%-yHXwzcW*?F3K|cKQgJX=Hr@R!%3|Eamb3^UhXrWy@BZ=q(ZK9h;P&B-PT$F>t0V>FPqdWA@xT zS_U|pLM9KF*(oO!Hl@0aJyn|K7Z-}@LMaz$w=M#&59CtRgj12zmU zjI@+INbteld&ekMX>r%tZ^L?*7A4FKYZ{81a;#6fU2m~VmYR6yZ6p(1oaKYf)6^@7 zf6$i-Rz&7TKPWzCP0==_$ayOibPgDO2X&ddoJjp6pG3aO6KZ5Rf7rOfxL1ENGQTK| zEpbzu)TlND6KEp&66Lr1GJd%1IB}?I2!_h5n7b51v}d7c*Ouc0>c@hqN*lM+(jaAx 
z%OYiO5E7Tp_#oIZJk@dbqYW*v7%(`!Ycx3X#(NBmBU$e#`RplAykNQNE{`mxcsM@; z`rmiUq}X@N47jG=BO`yYq9 z#}_%F7EH9zD(#WT=X(MYkCjv#<-Lcw-Tq$G7ld;u^g5ZSN7)py`UjgAPJebRm!=}O&LNK z>>}=AnTl1tYSc?GoXMktkxWC&E_;Sy9uJaDNYulK+mozAV$uWE7D4+ka88d-pEI|P zE^w?|{S$dhB7ELxW|-5zNsn5UUz%>ZV$yNcE|5|w0~{5R0%}46 zllSx+xbc~;?JAZ$F*J|Y^c!&3A%fd$aD6mIDAqN-r= zh-P0iF>ef47nU8@7gP<6zPdB~lH(lDcML%K#yghhb>=Sz>q&7TN2&MY95eQfFZm9qh@H35X0crbI{ zeUraG>AYdeJBAu!2Kh`Eo1=*4n<~$5b$i5$-^-sO2Q;-;pk56bS6z?x^s(p(Qf|!@ zvaG3krOIk}0(6c9!pg4f8W$o?Z$z^ODgKC~HA1Ah^Cv;3bQ|-_LCJg*t#3#RWv!-U zBZ+2svENEw?-h+tc$AEbf3;oZ^B=8k6;+&562x+ulhPlcPCFO8k6bEk^uYH>K|!SI zevC={MY{Z`*?Bn^Q=$Yhr9?|o$z80KGTu&6!fImRjd#Sp=YozoI^m32#fU!?Zp-!t z+(q7{Yp#>z2iI=}#VgL08O!@QRCs_v@3eU@6#MLt}qA=|RMhU#>DRzx*KZ)aK?2-FgQ?WLrf; zcA^Y2ATz%jA!~vCqp;I;axehN*K8~Fvk(7cKe>k;5Le3bGe{sV8gPX8h5m zZqjz{uDipo4lN%#+tpoLp*9{G^?(%W9j-KG>LGQ?w4>HieUJ~tV_}ix7ZgvPh2NYc z*L?2uIIM+|AHJ2i$M0>d5r>?uOZ~A2=lyl5+?vTgF1KU4$Evb#Q>*p(b1-WjW3%IP zFdVC!f1`m*-&vz#dD%t}V!-BQM*L0iIo!g}`qXE3oqX5IJulj8i1wrM(MV z#We4iE`64-NnofPK2$4hp>W?{g)$DS_NFJ1@1tO3bOcyW{ZfTv>1@FDn%#9;5(<>w z*Q}PzKd$vExc+`4uz?)^Xv)or!T)2jW!b3F)os$?!3_hn$Y~Wp3IOpXFiirejf+hO#X%$@KR7V+YJe5xuKVWjJ^n&jJ+uje`NB`@0uzur@{HR3U} z!6vSvUCtp%_u`m z~W&SX5BST8ZKO2XDJ9F$ZA8%5uv<8Osq&CtV$?5voE<9F2-A7@yr@RD~8j zbqi45!ThMB00R`sEF9D9Th!OI8wG35t?!(Nh?mdsCCOED0`0{Ytg)czM_54{f@C)Sr|$^t<}| z8gg4MbA*Pm_8vga_o>i)9|nT!AFjWRhyxV2H-u9a-Wa=oy0afx3zTJkM#rX>83Y*f zkF=0|v(2HBkPU=1eo`#jiZPoLSIFWM%H5tsMV z$&fB>XNT#`t=|nRBBdY)$ld9!@MPgko;Xgvw*4*Ec^KoY1g?{HNoet z5$&Ba=AK4@lHWGOwFT@84`%n;w>A@~kB=UR_!fui9d^^@g-7#wex1~buZ#{3~?C+uW;T5V{qzb<&raAkp$!F;<9O=n-qH&mlp zd3RH`4Sz7cSBC3k^-V+!B$FUS#VNnN3aLD@ngjza-vl4OyvcA(v7)#;czoY2IVr5> z>-u~!?dw7a`l+kLIiShqY~CREkosdk*GAsnnGg;~V0Gr3TWG8wu`~gyZ7d5+48@g+ zbZU1ujShL^#+bEyNV%+nv8Z2BH)+_(&1}Icc!7)J<@9Yt59(AYm|X~I-5*;dt6mjw zd_X;6WW!mqw+n0+CiZ8~Mp13zC5D!Ejeis!7SrLj z{X=kNQ-DyZMLNbbU%Vq7rCH}GsS{l`4e~<#MV*8&W|@;DZ3R><^NE zkX8zVDNd_jI<#6=+zBMh?AVFg!4w9XtL zensy{ZHFrcNo0;r95;rUftywP7`HqdB5HkJptzin)T>hHwfPoIvX2~}`7NOD%4^qN 
z){RMS&W5Fhl`E&(WaT@u-HhKpz@~K|5Av`5(b6?5{A0;750r>Sp@;$DUmL1#1`YXZ z;Z^1_iS?=otxIL}Nf`TPgWD^8eX)R}Y#&2bW%D4XnYVt1{e*PZ(fjn2jgNIPUV2>P zj8L7%kvFT*qVH29vK*u{(ZHv>H0W7Ewc6)qBv~(R^tm3o&&OjEa_iD@4}3W>R-Y zkEEIDgy~+CDIdFl-EJDFuU4^++y}@&4tMvl|kY%_Q*XBNaH6(=avkr{Q zgf&L5`YJ|}MHQpDe-BJ#&dj&z&ZQI9^#;`Xy$GU~y&`H=b`ECxcwkGqQYB?C^k6%R z0j>qyr4z6*{Tr|M*F-Buwyv&uGW*FYq|W{qkCWA#qMyr0TM?(C9{8j2^oq+%(c{K7 zhYylpFG!~X)&+sXzW*JO5Wq9~>Vu^4DQVmRb%jK`evI(jj_L5{VuVM6l#HTO)wy8Dr^B5xO zPH3a5hiAuSA4_VneYGXX{Q1j@6a67jkE|e|`u01nbph9(~ zA1Xc@>#ws^IS&=0%sXI$`Bqv=S_%7nq>sPukJf4u2^d^Hx~?@W!Qe(Rd^oQ0RgC^c z21b~W((t2D`Cu8;4v5nQH6E9a3QxVIM}V*_uwf~^c(|1cwIbVEGb1a_r%p1b{2_A13xfKgvu*_J{ zQ4(6B@jHlXDBnN!a!gR?`JOrwZ<;ls{79wJz!pY6hu5Q1YR!oCAGew0MgKaC>tKg* z-hoku1+F;;bC1Li@spO{xH1_%ZQxFfA?<;@g3Z zC=;d*1!%0KBeR+-?J7HHZj2Nt}x1%;KU4y~U2iNWv{-_*{obe?)ijn{Q`5K0VU&>bE= zaPr}cE4;j?A_#D~pDOE__0KV)1stKTS4(~zC$Zn}v)4^vy53Nf4+a?d51PuJvV{i{ zCi$4Nc!NKIeesrWyR!s3*?*I$HWhfY#a(8V-M9G0=(C{IWFqzT3}V~$J7^XZ8`c^M zB~Sa+(mck5tN$jk#r?Pl|4abmNxA1OSacLfkv^bIm=@n(40Dx5g zS$#acJnmqM!bl^mmWN|e?N>4CNC{u7&9mIJjp%JZTAx@U%j#62GaK1|ZdAzn*N>r) z6yy-0Zbhd-bo|>i6%py(K6~kPZ;Rfgo=e9s-3eXJE;Zj2 zI9{g@X!#S|+peHklr_U}s2yhUZVmmqQn(R#q9t;%@>RJwzihR+Li1zk&Ga^}p7gof zDsDc!Yqr>olvuL9zQ)y2QNAA|NJ@*@GasS#dc5n=dG<)T6W5t#_DNQZ6(JW}q)f@f zhu&)OZc?|4Yq@A@Ewuf~WY02N`Z z8&(Nyj26TNLmQ91(}eHjZiyZ66GoG@$;dY+o#JkCe7lB7)xSXA%d<`^F~xPY+3$>8 zE)M;EnyikZ1v2MktS5}nTuA))Zo?nN1y}T%Kt)0^oN!L^G@`9WGDZ#`#yQA?a!?#%hg7RN`8FFJ^P^n6~!*%Af0GHXUo@c)>C z)AKuDzEUeeIN3idG(tR@XVSlksc`dv^>QmMHewvn;TYEV>mkaU2EhXU?e7ME@ zcNSeX`bWe+6jp{~y5RnJ+@@V@f$oQrM|-XhxHDnSb+O5z zaIb~^tsKIIyRu|hVE*aJLuD5pOcm`c3k0*@b&VnCO}|gHU2o-~F?vv2;#=teR8&^k z*E&!B+$0=5rXcdkxeIGFW4jM@`Rn1~t{tibRw<;ga*PExomolMts4s zM;BK@;PgBy*+3r^e0_39AYIY(V&03_crHj_&eQHU*44b7boJ3ik8)b=h_HOvrh0zX3aM}{^o(d}rlt3i^1r+vZt#f6p#w^&D+IE2HSfZxTEeW^~ zzeI;-%^4WR{1^B59LTPa4sIIN!GD_*?v9Vk#PFB`-O8e;Z-CCOyGa3e{#l&elO!6> zG~<;H378A4^f33F1!^4*aII$El~<%_}ifAFWjLz zB}FQxD2LHzqwNNfl+h)!%6mB2)K?-TVfwMs;f=sVcyq)V=ajK~PbCY@nq_&-hsuG` 
z#?DU%iYE<%Td0O@Pw_z{(t|O}{pBjtj11|nCBfWwvgcKF`uG>Ed`_rt2_Qp2q__aY z@vi|ojDJkw56=CF9!((u6|PESz7;(8d_=k0s7YB|2IFh5DW&HXK0A*An1deBehX8u>trWVQuy<-o?#JLU}# zYwQVDR7tZ7VydC^EpNayikl&Pi@)BIUeTBB@IBDSWGUp}WXq1NwswTp!Tp(5(ls%{ zv#$9m>Tk3Ro#yEK2J*MoZ14WNaNE|ZKL$=xpo>H}X-~7-B*a%xNNIh;0XC?q2DcJ+ z>ZXEh|Np0g54&01?!Tvk_U(?9>pz;x#@={Q>ZzSu(}0{@hmoh#Z@Fo8Z=%^Jg+fAD z*=4c4CezJoJrO0v3y(9;XN<(5{`37i(c|PR-6Mp>8wE^Y2z4FCckd#1jEB#?wmsB< zT|UVmZ2-lqtFg?623|N6ZkqYHG|Uao9aPpO<|0bHskTFT{ncm>TliytQzA?5w2=5g zOYQ1b+>;xU0q0@wxS%-dZ&2yLA*PrP&D0)h7VRuHci zEiOty&(?A(U8*v^+bW3i5OFmOu}Yu{SjYp#biT9gFj`EUe|L>ND#PP~49+zYb%f`i zCzgP82A=8*{-m38;!WCPrauq(R;pSc%#A?k7t7wzN5-_yj*g?+q^k42QZL1iL}Lw3 ze$KUlEoQH1t4&y*JslI0Y38))I4D0%q$YgtA$K`6qPLY3d&3NRn$M|$C1Y6qzh|Kk zKpTC-N+HXo%UIC!vQ0rNdnQgIgF>7i^F^?*xK zRG0KnnXg{K5q(rrF`a)aXCM#?TxiWQ|2Ys7@9{Nvzp2Yd(~EzuW$J2>&wQEBEp&u}Q0fVWB8N~7!D?;Lc)3We!% zz#qKYPXU-Uw9GKOtcCm~_Bgw&vPnjm-V94ET-bC(De7BR2TBo<>8{$9#2_bZ5bjrn zNV9-7BgpA{6__+xuK(Ue`ha<~4I?qxIAp0$Fb2a~`#sQz4;&`udyQ7x*v*ju+_DIy zZM#Z{m$(^{Ni6bNYCjBEW-2*hpCO%zWyAWRgP3Ea$%mVboG+*1Z{A0AW9_g-@2hX$pVvm%hIYQPz7+XfJ63rz{(}L_-{L5X?HGxF))QJ%^a|@1n2|d}L4F(Q^ctu@&sz*&BnU}1ZaVT9405?%jeR@a0B!<=ME~EO z1OR#9faEn=tZ1BikQeF}Q%roS*E81PTl3d{x1qw?sVMC{zeGDCw5l0qSYK8*eFDCVmSD+e^-~IlMFi`9 zMbr@77fFt*gh8-Snfl{`H|!C9h_z0C&U=eAsPaAgzyjS#0y#b62Q_ANkdQ79DCR3e za#fj*w$J_q{fvK|)=2c^`;yGy7J{3web)T~Bev0h6ySh|<&?J=olPoM{yf~XXrE9} zqzBkz_L_S2p8qdBG^cTeL1g+`f-i&*5Obgb`dM68XVO$6O*!Z09@`2%?SF1o3j%G9 zeVVHd%tN!DU~?uzV<6!zktT-2Lfuy9>qzr({QY?WRg(%ZC+vLL?Z%QC`9JNF0W8F> znu&>KAv*vx>h000D&Z(`hAH;)=a4u1S(v2jN|lVSF`~I%Pf#*aH8~IFf^dz@&x<%v z=aM*ev>791Qgg$IWviu1Y@K%X1SQ|kq}o(korSY)7hAn98M~i;`}j`;-;p@~vvs_H zsn}ITF;QXUJGuDEoInGePjE?+4MXc}3eBuY6dH551Q`v=bQ|JRmtZ$D-z%L*9?v7A- z59x5n+mKU>#kV~cx3HDpOCHu%)YHx{KdIi|Rp2&7^i^}tDxIk{39LNXBUR>cOSE8j zHLvW`Zkw*6O8G=BJ*Zw+C405#sy`H2JuTv?jXAr1YVZp8 zitrW|eM^c=T(goPR0hY*c<>uloTFtOUDpJ*L3`Xy#0KljVZ-u8CZgd1&;PEG=~)Q_ zAUUTm=NtxDHd;?GWD5pEpG*S*D{HiVFl|Lo!g_XwJPsU 
zK{GDqZ9JY%Jt74A?@xDm@$>$+-=Wq9|KWRJmhsc`?%i|EuJnUQo>B^eP?RPcrsA$P zioJW>9aCgyJ<#1qolM@MI2Mz{le7Q z4Z191*um|Xjb-@Y`}yh8X5Tw=1Syqh9SVDzkKaswy8xVt0Au1g?0p!>$>=G^FV}K; zHlvVO_n|pijvyxDo_93IKRji^`kiY||40M2?e7Pd9uN}0TV#wf)3nVx)Nip*pN+;x zZ_2DAM{gO9PbOY;8{obMg*XFLuD#3mPG(VbDGHjc%K1JNemH#gvAVw`ex`Y1_H{8> zQh1p4D<@w@5j@ZmJaEpm-dIe`-Ct-=cBQ_jhg|Xcd}DH>-9R81c82&>d*yulB!@be zIT)0bt=R+~(H=3>F$1i$xZKS7G z($CWZCcYhKG1<>dflF()V&3$PQ1h$Prc*&;0VkF>CCWi7Tp^ct>ucBZuA>iYiR|%0 zCvBqIguUh7Hvv}*PfFIaS8c~?Hu7Es+^Ql%lX*QMQHcac@H&@FVw(|A@rp>gz=qUR7=`+&a-@8b z7}n0~tfRqzvG{9$RPxC3qsUbIkn|JdNzzKW^QfjST`m#hRqHeJv!E}}rp2hEIN%VI z0H|5e=xb5p#`Y`vZ#J`*9$Ee;E#OxMTDJ$u88F$W6Tl*db0g6)p<4e_His_!k(F80 zs05F8<^@XEZvgWv0~n@Ru#iv06{l5DmZrhB9bsL!hG?mHH{Ysf>kL05*wUSu?!Mvm z%v3RA%El{&`^~wLx`m5WIXP6+*Zdh|!wobn$bcSlO#s)`{vQ3CW8x(G zqF@&)Ku&hW5gtH+MJ?0$xpkyd)#Kfj_pS7WL$aqmNnigWQpnsZL6$Jx89?|iV1k;t z&PVGT0U42Y^60-v6}o&Kc>NDhpk?$!rZa(l!UOoE4`oB)-E!yn zIevM>G7ybKc7s*grUf{Z6=mnU;|938K-{u#_5aQHxh;n zQ5XyC0_!OZ5UyKgR-n*II>|BMxxQu0wM4lAmcazf|mWyKW4C#jgA)p#4<6ETENhXfN|5$!evM+3R)OcJSy~KWE)z$3$Wkl zN5@~lUvUt~!GZ#qVhS}f_;wUx3Od{)UkT(0-EC8fVQ?B2GkvXutX*+Y=2dirw#o)l z1pc|LOF@QL^wIMLP$rok*{JSswFXppTK{Z(JEJ(&(iNB3OR^tS@jM^F>N|Yld%q5h zNoEFo6qpTF&?B4^$Et4$3``oaAT;gCX;uDp@I}OM|O$ong&ZnlF`#93In$+PW;JNly@z$$ysV_ZRd^9eZ8~2yB_rFGZ zr8-yl{whucnE~YG1bXOmBW#y0c)B73bi!qjz0Dz!@aiV~{`OFeux3L`PF+&n;X(b z^ts*_>bB8qyJJ{g(QEa(1Wj+}>;GcQo_3kbD3*&Ujy4Cq_e$Ks%oHAOgA(y)$p21g16&_B@4z<2+m%9- zL`3{4JS*X<_IF}Qw5@&8ACaL`voW}THG#i*<&OkRE0{kkfBC}^w~|$+!fe5AQRtw) zK)=YDT>ie$WGmDKx1lWf$G)D62FkN;U79{@|4c`kEiw}32};kqhZAu7F}2nYA3^}r zB9}xGxf27ju>WFm%|YzM-~bFxhm+G1OhAhx>@3S==j|^?%2#WxCYJwPKY6{f!{=b#ziUj3{3gX{X32;h&G|g zWg6%-*YAr84h-g*{z6I6UaDKQ`Z<}LNEiaFlB>r#m;#znm^P)fRTF`d)>pCi9T+S!X7Bs}VHcZ^mhCEt{`q2iW`1|_-ML(S z2>FlB6E%?SL0r=Bcob`1{4K>~c@BnfhdqpWZgV$%r zsFw_JVx5ala%|2EWLglFziqA`mry-45w}NuDRgHu)K59%uZNvyHt#iWhILP8j-BN- z@7_%dYQL;j7`>6lGMi2X0pBhLkT{#}{uq!AX>`g-Q~Z&eY-J;w8m(K|5T?(|Ym-~b ziM3hrMfn_9#Dknv z*|^_eqc=ms)9EDJnP!7yHC~ 
zgkr{Eu}JTk@Yh9da1iiqX0&%1PP(UF^qypYNN*Oj?B9&eckHC?1u#@&c+CDC^mB?MsSK%2x_!p z81Zxcn<<*j=8yzO4kgEl2*NT4vR9C5ht}UZfbxcg*W>a<61HFUbv8fvU{uU8_DH!b z4aPBc)*Fx{iM}=NcI4YHvI?@OYK(Uw_{mv~coqAWM4fH{LC@tPs~KjVXNq6N9=Vwv zj5SGx?coHAl>}inR7DMxBI0g{lh@kk_NgOfY$Q9n1o&C2N&?K=k$`oA|9Fc$vO!QE z>`C)Ez#^Fyb^cv9|CBTB@Z?yw1sQwR&pbPD3Z%p#fpJcxEZt;m@sqeUPLYc7CrJVP zl+b-D6AD+h3ctVUFdWQ(;hy)u6+Py(khc(E)S|V}VBQ1SQBwRJbU4$Cf6_SE>qEYT z@nntO5FV#~MFvB?#4+8G_j!lKHKKRF{j%3*npx-5sOZsOEl8qlY-IPi(3mElrEb&5 zwwq-PFihh8Rp@201Jh5RxIJ?$NVJ}nf#SSk6byMZ432CZcj2SpngTxiuZ^?X4v?iK z0G)&U?N{O{J1B=OsZpAOOaFeM`d^FhV|F~0Ygr^%F!HT63=Y;A)SRZuQwPg)?|@=g ztkjyymCqmn@4mDcseJN$gY=`Z)V0L7y7i9cc)B~HJUb;`w9pMQkyt-`MvZJw9c4PC zE(BC-(_JDKaD!C9TDT+Z&4u3~%=gzd7_)=w>On_J7G@39z%ti_VWQXnB_OYpgzME? zTnLxTDkXupfV-$e)bSb=%EX5Q3k3=+l=FGb49JKRm&G2>?{J<&o~3QffY0IALY z5d>?0o)d3Hl80fvyIx_pPx|3|EKe~5hDmHk92j8d{&EF=AmQjoyq4XB2J@&RY!%uW z#HTcnNhBFN!D1Jx=ONX$K~Tt2r~4>oJTh(>QWC|!W2;R&h`ZUM^cDd}z)AOh#)HA{ zijhB4H~_9#zLD7n&eP#w8iW8-oz|tZoRRAXSD_nGqjIg6USn~$%ZIm+eB+^bFaJSc z{O_~NM33mw&VH(kS}}$>|4jhq6w}u!RflCwwg9f$_($ewk5^~S8+ocr0COMgtj)Vp z?12N{e42{Mrs^n1v{7B9oaV_2v(KZgANf|Q(=7KD30%oQX+)DgT4BVF>4ffks6M{X zCu2Te>I19;xaWzyRt}+Anr0T3c=__@qe7}ErUJ5i(~!cm{^p!V+yHdz>sg^PUnz9d z-@<4+9i|i)7lardFGhs~P`o}h_#v_E$DqO$k4*X&HeGh)puo7cgbP*bEahYeh%uta zf?9|aB4yno0v3zkKh%f4n+7L{7-f0v4UV&$tUTOxXk(4W9dcvRg46+S{`YsmDR)o$RP3;090rXQB z!1E;|uK$p78C~;OxTY$f{pI#tI`I#0eznVCCSC9wz!*ikp_rh8Ojaok>JS*> z7<0ki4h{Bn=y6{jfZJZP3%_g75)wpOph>zqer*rY|NYtXkEWOghJx2%V*EVzfBq$g zsRr1;l=j!ztDVEQBCmYIcE1@r-?y4vnpzF+$WqolkNv+BU&b+qeJy*4FwML-7i6gXSU{<;#=(8=zFZ-ZjqRFgcK1jS@c_I=j|eCNrjOoGDU5 zNS&1V@GZA`upJJzOR2Ib00z<`>;Em^BlQme0pv(v>XNig3Q z)iKuWAG@9V!W=MjB z2v?fHAd6(){SQ}&j%0~NP$ml2Ey*zv3KqtJC8m>Z;XXkF&la1E)+5(ml>1_ow3eV{ z|LU#Tm?%eb7FVADg_3I!i|sS$mbAlao3$Xw#APdSV{{7DXM=C<{jN&P1Is3g+b z#!PP1y6;OF`7HKWWwg&{<3~x8yFz+h&g6Yl;|tJ6B7*}`$QqW@L8>QYFq%eGrQ|!@ z^)mpT2sYLBl3g?xyWn4&Qinsp_-&+zwS$j|VY@g~NTUrA_`v`AymQf%{jhG{x?kK@^GzB0W7D-Nvuu6y 
z-JY|1k2v}Uzra2Co3RH1XJCBJ7xqkArqgENmdIvRZ7?fKGe=Ek&86LU*q6Kb!D^g; zIn|7$SjWMG7kwui96VbXS-So1z0V#wVCv6(0owl%lU`1w3&xd|tHn>o=snS_oIRsi zlpDhG(H(g5NpGytAy3z+h^-HBApd)42X_PHHr6+K?di!nNG0J(q{0QA*+GlCOY4&-TO^UN>+vNJKT>5ZLdY^p**<)JSfD4z>v zF{BO7v?}IS-FP{k^4Ipc8?T1(>cOoFo^sdt%{BLVP$Ot)t@6jG`;H2bJwQxMV1&L; zuGj28oH&3e_slM`my(qLy+H(vhMF;eHCSr*d1QH!t0BtJy;U!$s!G7T4~#&@@Y;_K zM@c3v=1{Xyl6SqnTB`pAfuT>+C#^&&?PA>5>vI(WiH6bBO`f1S)4G5QGQMZ|n#K0) z_OJ&0YUGm=M}h3+i<1!9*Z(!hkmK*2K=ikf^=duI2h0a~yr>f09VjP?4;u{E*{+#; z0DfophE!hb!rGAlhnP?Op&^aX{fj9dj&2@|&$e!Ux!y4xuR)f(om3cpK_VcAo@_v~dJ=`(5l!}WtjHJLv24H@x1XM!^okDpva zzE*f69Ps(*8;v(F&W3!&^0;bfDpxyyYa-Y`AHBCoED)S<OBInC%Hc_u+!QC~jA;*W`n z(jzuSMrVHn#F)mBF64GV0hIpfpFMcw3(SuLbk2?w@u~WK=kGQYN*fHb+#pGw@GUD> z)a?nvJca^FS-w&d{@(D`rBHz8hDX4AN_iN|@vGq|j_FWdp^!X3{lMl{){S&3GfeVdh=_{Lob@QKy-4|klb8m^ z+Y?oDI#SC0$pnv076Ok=c4ZLoHc7ZaA5kST|7hK*GWTPk{*NAda1b0q=DcYpx%}Y^ zC4SEy-SRhl=zL%;cuEUBtRGB25UTinRBlTiJItL3y~ejG?v9pIW%3*y1P<4^ZCFs+ zR1eG{FMJ1!mH?U7Q4}}~Pi%zp&YS@EJ*|0%jHs#72Td(%Dhvu^AHdMW6bUY6_rO2n z7yY**KkKKMVR&C!wm!A;Ni)m=B8>*eD0L188V|M;rUUB+SPRLJJat$c4@OCzlg-Z? 
zK6-Q4TB5*K`x>IU6{9;C>k+VMk3vH7;qB>YoP^(NB^dEXZvm2}P$#;};UZ*UvMiD$ z&@+Ee2#z7y)BS6-zX6`JgM2s}@TGGFKHPr#pn64|u2=0C`p^}1AjoN*CH=ZYn~5U0 ziw9pr+rCR~+h}~|uT1USkiMf8sEfkZC{IM1(u>a{Hz=6li3h$HBC8IC-l_sb{XDrH zP_^PDk}u6t{%>!eV?KfRX3+!Qn;m8mwgyjPcuCNojgaBeCKKw~{hKmuK7iv1hUMOB z;CGRuogIdg`Ma`39iEXsH4Pmq-EL37?{zD#{gwfK#DDztK$X-LC31%+?nh*iNHQ`Y zm#kApaS3`**^cms%K1}-#)K31Nbn()lI7LRw2+)*WCS&PEtPYsb8gonRzV7sQ`aU= zd72W}StN_o`XsiEG;KtHxJyNK$buR)D%5SAGCm!w%yn%mI26?Z45dO0naa4B#(DAjFZVS@($&d&&i_L2a#FP6r?~5RaOiu_hQ@|-=gh&{_6?y z{GF=PZXz&B%^%^&Gh~AM?cJCq{1*a*~uiLvGxvca8T`b!MAByk_# z>2j0xWbI~^JmKvVJJa5r{L&tt>{jivR6!|!{cwc^o@6gGkk7uxXmj%&a5x=oX2HBj zw>zflZipZ6NEg=vo@vpAeumQs95oY05c>ELBT0#>lP-+m9^Ea}@m~?cKf|wIK;nv# z(UT4|EHH66`vdJKHZl>*sy%QZC$0jDRrXT6iwh(Z<2Mq(h9OdA@>maQ`X+* z;d#GSb3Iavd1Wx3q0+|lJsedx-VgI17n})EfOrGjT(EYcm|TWvEs+HtWxMf6UkoFd z@;-;Mh7~@3u?dBIC1SOf#110^8VKB~MMVEgg#Ds>{lK&~v5fhz*8MITRx6S1=B`EQ z5aJDp{Wj8oFGDqHAOnERx&_H`#Q+ujKXv3qqLl(q>P!isI*TVmQZ_GQ7}<2A!K1{d zDnN>e#Zmi~|F+?ZV4Vv7{|q^=Gu}}g)gPvBn?xZE77jdz?(cr_4Xa6xTBHzMy@N7L zY&?AO_HO^x*zU`{oP0#t%{QT?50B&!5VH$lDM(r>U*keM{K;S3RZnbHUg$maXcCkM z&1ZcR_D<)7gY9=-JUV8z0NC(x`~Z*Xlm(CJbZ5{CZpB9oC`9_GEV|ty+f5baE^~;)RWC@#608UL1-$oL%~Vea}^Hb~`+oOlD28lAO=I zsGj?+WAcdhs#il%9kge5dfw?CDMKf=N72-u2W=iR+G?==V^+ztZ0Q#&7LdmOKk( z3c+DQQ_jxXrxTIlUNwT8jr)egT*LBX9Q4XE~VO{ zNlN^8G-UZrLvli+xY}KaiMDCZuM-NMpL!~#rqYsN0mW>(Z|Xl8c3XT@3zC+$QbnhG z7DF8(dx$D;qtdNd5P}*l>G^<+4njaN@Yk#fO5@ z)UjD$dYzE|kgNWBNfkt>Jc}(N1y((1{~yD=W7n%q0eTjm>oZM(VCpg>qkmyi$Luixh#r`zS|HClOtB1Qrw-RI#m&x@LKz`yjJtWC+8Rxn1qj06`I zi2r=~8Joth`2qNge=0n{@-9c<{~Fi4_Fan3TEpBn(1*Bkhi1bjtli(|c4Y8XLfjG} z^$x}E7&ok}z$kOy9c>UDWj*oTeywixY zK)_Td`SX!K$MH^vRwKhEUINMr-HrLQ9m+)YzbD%xt3IF0N*upXP3=LhmyTGA>k6hqOqk{D zi7Zk!2O@c*v|938A(z#ArNcX(jX953zozRr)EzK@)@dH*#XqM)gqiXVOfhog*Ss+u z6sKt5;@tDPO!KBlRQbCIK~@$^!Wch-b6MFiSritfnzGbgVO;h>rYV!{?n*tkjR+wSLnDaj=zQ<%t_C(!Wa$Dj1Wm2}x?Tl6<*b%JT&lf4lLkx9 zqP%9+TriGZih1>tn^zBM&Yer@+7>;ZqBCqVR0WtMXB&>GYS%T~qQx0qC2km1pRBBVzt9z1Lq<><*7ghX7|Nko)e$jo_5yp}DR 
zMqL@%{1(mx8A0^l$p~!q0{&ABc-P8S2Ge}qz3emRq;OXahhPysPxZSVknrUc_N+#? zC^XZaX~jg9cD+=!0z0)9s-CpNFBt5FfNJ|MYf&+^;Uk$$ZF+~CHm&{Ng&-nd zA$MHSUX$0vDy!reeiO8}`i|Y4MGg`C9xAlBlwqgl7tk&rd4g(ufjuER&bQuTe4JVe zVy;psZXn5;k7USy7mnJr&Xd}F(8RAao5*v?k%G)W0Bw{vt-)I?VT~JZh zqpwuCt+x*|S1(}#TCRUJ4{&W{&{ewvZe1H~YDje=x*%B(a2frlC5i(qf9Qf36vVX$ z-P_I7Z`W@<28jAuyZg_svm@e0JdqPFpENn<)B8m)5sTV^JWafYU{YQ{M^|(CeylG%^n%wujJd)2a??mr-FV5mPDttdOZEEE{`&+zij156$I?;S?SF4G;OaqlM^Cz4!+3DRSg@AQmXdv5c>VD zyuL&_dN!c22+xahUq?Km9y06EyI9tW8|{+ z25^P>Js(u@Q~b|nO%Wo_oZ$-d52 zAQ2tSS=nu}6J22I&e@{Xm3Fm@LXlD?#X=xDuN%vtc#T}HT^wko7_RgH}6* z4~$}Fo?B2g=EAB|E2DO^s@jw2ZH+k(2&VjpO%l9-uMA-C!V!eQ8N_i*E<_p|7RB_7 z;&+2Vc5}QGF=%GlT9Slgd0si(EfBo_p8UZ69|cV`gqa?4xZ!*Ms2R9Djds8I;( zFy^Z~d-)iLk1I=!F#ed3tP?*ifablNjNEAN?d70ODnkURBrX@=~J z;2z!JlXleuBCYZ%h+~op_mvVi?=th!x6|K;&ibF_UTtsD*9V)?vqbKGmDt=)j%EH% zNe_3mYq@Q)?wGBm7KHz0FX8bKROFSH?cvv9=F8@bJ3829vBpgz_UF#B(;?P3@dgb- zVcn&YJanC*WEBSiPTP>rZu=wztx?w@DSQF?o)VfoaMIHwQV!?IPTR{(`%35 z0xMgRPXM6d=Jd6oy%z9Wv+9Iu3y#`g|v3Q}3Ixc5Hc@OhPCpmz$h38yY z=o_#P#U$W$o>zY)h=HKe=8O%pRAAz!Ail$mCmu_l0);e7DvE*RT{x03J0pFWqKmTp zG)#>mA5w3Im&hiCE&aSyekr>(fagS}K$ibMun|b=EoSUO5Pwf6+47@XS+WH-mU~*c zQ724rB4NkXtCPR{b0iJOoC?6qk}B41%e)gLuOEJabnrkQeraqoZvN^1^* z>*7pe^_Za@$2(vJ*41o$5Rq;HoUHvE>Vi`O%EXp1Z3s?HkWcDqcyG0a@yBiN*qXdM z6IF@vq{b{f0)5rZxW&W4p{Qu0r)DLTPFk7g?W+k-BDTCaiz1=dvcGPxX-1^o3)Hx2 zj!cTH`regPAqVAwRNW{(_Fckp2ImRa! 
zyo3YQ{k9cl7VbhQIk5bMq>&kO^ReuhL*d%W+uu>puipfHbiu~gN9lk!GP~!gJ)F8M z=EGd56ssUpti9YQnQ0Icdy+mI_7R`&ZfQGX5RZHxhxd-se(CjfI-9BTaBTvFa7I_Q zsX{G@40LX?6WSElcQEhjFz9feKg_lFctL6V4#6yTE|jalzG0c8#nbja&1Ms>&|mg*Se?TSgPod#&Z4__Tp}1bURfXp ztv4s|87=YFx;CkDrO}^gw2T#Qwe!{Rk1)Y2j>c!QLo+XpXeQ!=MiJq5tQTe`b;7>q z8>)@!o3*#VD;EDBZ~^DNGhDvsOS{!_b0e-PaC1W^sH-bDF-l4)*zqeVk3L7w(p#F7 zS(V;j=cM(61V2EBASLFZpHfF?vte3IZnD}XLNE$L&_NrRQOBw_8eM0z(-EzUQftWE znprqf3{UTFSP;HdBmvu}<+cX&{IU;obS=MwMXNEY-My2T#H#sn-43#-Q;j}?xBO=otpO_Ewp@cQfUo*?$ytkilUvm@>lj-Tk zeC5QYTirPR_pL#m&nRK_mE-$f0$UdMIRQvcyij9n`($>~Jv zTJb5#KAj=beIBorF9r6#7yh>m4{2-|b1)H}WMb+dI^qt4dm}V7p~l50wyfSi4GrJn zXs|$qr11cwqH${(-uVmzQH`FNTA^$W2OQ>HgJ)GtHr#WM%>yr(L&+07K13b(uibJB zM(a zEgFzj-!zXIJJ&mutDY$rC#-Psx37fF>QzhA%%ED9&fyzgUKs)~1V46H{l%v1a(e6v%eyvtMmnC+` zvKRkBV+756VKb@{=5wvd!i}Ez+0C$8MGv3I_m7GK`ht39#4{BtnXT4mpBdG0=gPyq z=nZyq^JQ&T{2&ukFQc!`%bOAa%)J{kQwts}k2pIAHa^JjBC4RO2HY1iPUd%9q7>wI z94ll(7#ne0)V5Y!ZEw|yaIrC-?|%m^{BCmLes4-cBY6j*6U5gw`Q_U$=w)2T=$f^z z1DMXdBb2&rg9)A6D8a#w6VROY&Sq2Mz!}xR+j4MajG?Q+;5f$pi zC^Z+RBpm%;7Vk;kg$D_;_i&*bAo;9wv_{+0%U$}W?J1lQaO?0Ge)(9fi@pBrd8wS1 z(B6{J3G?~}Us=ijQu6!g=JNt~45P@sGd*e_wvnGUGEN^bMbaxx{XEFX690RUK$5B- zTlqg%*5MUp`Ft7m9WZ=xb_^yltA-)Mjz|57c)XV4d39&5VBF~2IuzKx;cS#?d3xIZ z#Y(5f;p1o=8e!0A%Ce0e+kM2+Tf?1F%!e)hS<^_ie(LFal6QesB4q+4P7{C@%|&U% zzB66t=+C&BbWalH+eueYC=?Uo7>V}pKH*y_klINtk-`>M?dlwh0bg>5(ikl;XLK}ryWG0M@f6L|dpL#vdxFXD@G~mv zDyT?H(v1WI!Zo{t>p<(mPy0-C1`FtF?iGQIig>7o=5H$gKR0Y1s>)xM*FCJ6i!$66 z`}h%hyc%k!24-@G&1wyL7%F&%k3MDaRjavUOL2&qX`H#y8g>QK85OG(U6__#U+0y) z!1RZ{@-nf#YQy{6KD#70UC&aB$_wzPnLpFu_^UYCC#;c{yHJ2tiOKep~tJR1pa| zb?m$xO_jWdkXij(fM6M(!aMpG0uS6Al$*3?eao#I7z^sqD>zG7J$d0Nq9o_iVC5!{}>B3bs_9v|Gl)vF>_UKJ%z zt$n3*F|lpklYHes%C}*>N*!FJl~o#=zy;b|6T4#XsKm3N(TTQ(_S`6xEcGl?@?%BB z8Sf{qs0ToX;oRfyi@qOiStrjf!BT|8>pl*_9mK9tD}zPgGl|+d#~k<(LcOZNS+qNC zN%$ocD6-$C1%-~svov08J37c{$1rw=PfXU2`Ha`Z^OZMh_ZjYaHM>)2y-rC>$uv0% zcSSxj_DaT4rV$7!DG^BEOe|p`lyP4iG*%GeiXPFRtI>b4XC}UDk6*ic 
zp5{Og)YAjWR|hyDqR8-LN6jR7gkOv0s6Dq*r`yWnEa=K5|WDuHT<3ezi3R-O+^ zO}wn8Jq{vY?~cR89{nd%|L*y-C1Nua^m8)YfS%tUky6e{$zi!#%m$ zjU8VgTtb(nP#J?!UX}wiMIXC!Qr(S|_R3%fojLaJ-wvmD_%Q)%q}d^r zEB#<^vPHi*=XuohXoRj3E9e%-37aL*PjXelfb#jlM8BlKgbzDeD%y?w?3JY8%lo7 zEgZR~eIp@wD`uf-OL&`2ah~g}$ZTAx@>hCT_H45I0qA3%ZR8I2wB!6%@Z~eZX3q6Z zVorYe@}WF3hi!;H_O(52_lBaM59fLt&*-lwyHmU3w5fK^oVzoaHelaXy%n!qn~yYU zOFhWsJnA>gm-5H#FuLAxv@nJNEwFKOJ*rXM=~2v-T>V+PA@8Es!+j6L`y;dz2nb2i zBdgR#W;~Ud70g8uEZMzHQ1E+u-}fBiq~6WX_1(QLeW1Tsn}am0YCXXyKBlRf;n(dJ zpc~s0Yq$5{l-}R%pzdlLfW9o9XuM*?D>KZn(OXgbo ztNX)o^>L-H)sGgBS#tRW7#Z#mk7wtxeSh(_V<)4+F-u_>~3ba3?%P$I<=j zT8Ub_GvPVQeC>n3xGHVQGRN?Lu*ieuS_sR?5Ej#u$4VW2jZnfcrQ0DHW#NTS+x)@u zFBr7g7EVja7)uL0vP}<=KWYIdPRZmS{aW^{_?Fg;1d2;|&y6Rc7V4N~u(d%`@7E|~m@B`W-hrvk&tx!k(8pEGGb$)VQ(;&`kI=|d2W}i>%4w?=y?0Dd#S_J8B zY->s~rNavN9#}~_BBR^VG`d1?q5J%yh4dwoNHyc_^-vu#P<#*<4|yh~H|P6U%8y|m zq|)`jGkjQ2D&?)}_;{&W4H%w^`KjemNa~p6D(3lVC4*)#F#}tcwTthm1y0I}6v{<=cNtzJ;l#co7^bD9X!};!@9BH8ROE4p z5+VF^v`41PHuRts)cNDLNnLywNNDY5FYPAl@q!eAYDp8YCOrK`AKdV-3eMw&3i{|o zP`Nb|bh_u!MTLr#1q~&Ne24N;rp?Oa#TZM6}cj5&t4Q!WvVgVl%0fVn8_Kj*f|xKVD1Nx$8gM1P=A}9H0gcvm0n? 
z=?ZUie?pvGZXAy;U>!9}e{U47LcYkCG37_LZJi-Oty)Agz)yD$OpuF@@J{Rfe1CNIGmweavs3%rs?- zH)0T9@!a}+y+zS~!Gpopvy0s5uAW_562wlwq;p+po+WB8%_F&j+)%x*rwG4=ED^I}e=d{#a%?!fKNg&NOy^a`XiZ#g2zXl@m=5fl$8Z(!5}xxK!{q4l2Nn7KZO1UAYGs!IR4v+z*H{~i^ofl62Pz%qaKJO&&HmP$}y;J z42QM%n0M2?kN0N!NeXwBaDRA3<>lNT#)fH4#rdxFW}Vh>4>~1xedn3+_HaB#P>pBu z4W|Boi7aLW&?GiJ(cZM zBDSi5?qiKFZQ+!zT@D&0%4Bh_U9*ezho-$OeaIu%B<})El1>H6SSyld^phZPqMdUe zQVOI|xf~4b3mvL>{KKf9GFcz8?0=dh^NKKgyo@LUYEoevtan=Nmfv=lf6!mm#-rUw zW698+-+UYC4%>V{cih|k*IDnGAFXL;zQz?(Y#-PcAIGM`H(O}I>c??{m7TiQ@6!+* zLf6xf)3KkW+z>Qu$Kc=YJ=>|j2_V+ppBp!{T-e7Zr^OO{-55bQaC8Xk(rdvVJ^W%M zz9}<8%RsY9uiCARZ>K)L@YEZ9S9xc6g56g@Y2C1U#7w%@2y`?AOzmM`9TU zYtb67I8XV#ykdp4X1bzU^*c_)3gUufs0=Mc(>JyAMH>xw(ds+bwL$;I;|KL~x2wY{ zUrh4Vg!IAI6;|jkq!5iuEbK>iJn8!KPG0Qo5$~e!aBfz(DvU2PSq`F*ZYD`dP)-U* z1BTkdtcwQu32jI#Vf&iqpM!KMex;khRF-MPtQ zqazZHWG$&wkD@oCU@du1+gX!kamzdXVsm9Gq26bc5t9h;BVwcfl<@c(1wl@0(gpDo z(T#L#^t~DVdxi?DbReskaU!dw43Bdfa&QPMixqG`wG_w9DF1Yd#u z%Y~G_Eo6EGLh_LeLV3|w#1rEuStpU-P{B`3WTX#nj9Wrv|NeT9QYf)vMno~-|9dwL zDO6Zcz9Te+2V#5ce530othg}tcmWC)@G%y0c61tzJM8!{Vf}ZaZF*0=_u^2&u_UwY zD0nc_*GutD{d?vzh+d1%i`Vs5!zEe8De^tfOXErXACosf)x$IF`J^Oa0r5RQb*2UMi{U08lNlp5vPHbN*&O|1KGzyj^GvEebz7e z21`{7{slGme>aoWW(C1TS_j|7LD}?S1>84DjiulwzaaXjxBGI0GykBsjGAarpf6@)&z2CkzKGb=Z)Azwp!Ln>KK84 zo@|DI_&6_iX`~>wl17g|2=J^KyGdnZQ0@~V9-ftPx4q)}(}dg`oa>*yg>)WCrowob zMZRsrj+P()#e3*xgXe2g!{>F?c<5a~n|{$e2`kgB)A#Q9RVDmf@eKmEs-%p1FlC7g zd*=rUbOqMKLrt?l#q|e;sKYbW=O+jZd5~Fnu*wWq7pCVXhZ-zucwr+H{+H2K^b*qk z71izDREb{dL%Z16COAVg4jeZQ;Hy(}o8Y23ed>dUdSrSAi1> z&A=1IUBM5VQX$Mf6<+XNGEISdCyc&?*6Cu8JDVY-e0|(x=#q|CWtHk1lGetEQj)0C zBHPWU5q}2$C9Q8Y3;;Ic6o)(-K*jZhQ!!rfiHPDu$^1v z;=n!^Uio8HxmzBJVLSZk;OEjF7=7pyQVGS=deq4~n(=CdS)nc|WcWJkw^fpy44qy@lCj)HBGSsf)H8MvrpAz&8 z5o&z>9dFBW7u;wLBwr!)H0Q$a`>{aXiBdBb&`?2VhJxn#V4(Di(WI)GX+rKrO`%{9 zIi9_<{olbd-u#Xqi-k|4G{WcEBbP;19W(c|f`nLW$CepS_@}ltbwHd1 zP2>=9dRn9?=1*)9_qFpgq@;!?>$Ks1@YKk84M(VN55+`V>|&Ib1VksTcSLS?AH$D* zvSrnhlGIbf)2=#&g}@i-t=f5~R_&I4buf(eoW%4$kS=gCaab$-iv3G0nBnqI+Im+0 
zwHYfTAlsdul{Q{BOj$35lE7?r5%8ea?MW6iN}wpv^FaE~%744W3J&9y4~Qx9TDy8Z zrdQN@FDnnF_S+CH?7cKKe%Yz8jujY!{)+OaH zG9QZ?T{>;GAeAGp9|DJ!)Hudc798`|d!K~yLRFY5_hY%OS)hX7PfJWUHx}s<-rlC+ zv{Z!La-^!V=CE2())fZH<(CLZGdj7l$mIeLQ!c3gi0d&&PE6^n+VfVEp=@=l!Wb1P!8t5#fHXsEHN0x(gt0ON zA#&;vLAZn@F=^_OTDn_l8ZoJ9I^+EBV%W^yww3Tus{a^MU(^zpkd*=jbL}GS_1$8$ zvTt}sdGho)T6qB6wqU-`m-A0rk4FQ=4`mb?7W|t%o1nge+_}++eq{$_l3Ra*02u`c z=z^}Z!d^$;15NXko>{Ukh)C4b$U@YaNyRC!OtFy6unN@@C^#h3Bk5zh|CfCMmwe!t z+bh}Hm z6t!chm{1R2nw5eq$N(mi$dyD}D}&TI7)dqqBkf|)9xsW%>)#?f5d1q_N|8hT&G16$ zlMJm+cyrIt7jT;#BdzA`fCX=^=zuQ-x)#=fDbIAn5@yE!H#@C&xdw#O8ZOwuYBaq3 zQ@XajkEg3_1NMSwR!$sfnNVdxsAJ(^^gwM3pjmQDaa?f+q>yFQkQhRyhhm3&5>aaP zqJApY`suMXfimhtH5v4$BK$o(_Y2PZm-h#rOS&t)uzESm)HR&JrmR`13q>Nl|0 zgwA?;zZ`+@H?v}iGkj(FsCFUFw7_LZlXQT~;5JY5eLw~nb3f2x7lpv$^qjT?KnM@Y z#AAdKYAQa-^{M0Lt-}7zY=PrWtE}J#Q12P^m-Oq2>jUlf@uRj~D zNk1?FTkP^B8lkDV2+JFw5wLd6K@$1M*XD9;K)9#p6r z2G1Xio+8FUO`A}Mv$+VP#D>)OD7;|$6r$MXWU1VMk$!z=LrSA83R{Zs+>i(KJS&WZ z^3AA8CU{Hq$=SP#aP4AaK&sLS#Q&AYq;BV=u3CW-j|S_iw}l==FH5@J>4s(S)segH zbCqFTJQnxTLuX9=Y> z8cz-6=6e8D{s8{@%f3ylEG2tvr1tb2AZ^GMQJdulsYiu1(P;F5YGp9zqae>k;bZtm z8=d62id5=5dxK!&(+7eNb^`2$JFbqR3Xp8S-wP??sJ;Oe5#|DdV>X0UF&v=U7Po`* z5j+7SRM&%?q}Yjqs!4PRsCr^$A@KiGJ#k$Q@!H|&IQy=dQa`JXF=t@`EY^a6y&3=d z(+99HJG<(c#wF3q1BC<=S>WD6>giDIUg4-kV zTN##x6+EY)e22RGLs;w)=u*zR4UY%cz-lpPP%{e$#IDl4|{|K8M(nOQ_f^q*Kvp;db63-cD25#T8xE5B2UfGx* zoFJH9F7%FTtF}x-V-wLkg3AMRTg$Ux5|V^z77WZJYN=wRP)39D%T#d`S{EE^-y5L5 zV}Z7LQd%F%uHST3dV?xiD>$tSx`-RO<)tmSv(avdtLn;`M^&$<_IH#U-XCeJeO4Cz z90cJBT#xdHlm%6%z6f*^!@QA5bq^535QdZaK#?);Xh~^F!H|`bIYY=wb?sn(d5#OM zZespgq1#%zctnbqAoPE=a0LWpTf9agKz54=+n-PN-KFxusuKuIAGByszHtBXW@|yL zi+<$QLXYeki<3|9Flycod$LmII8l8c)K(MaZ{mCbRcZ!cfU&!(us8FR67gl!uyw!7 zd{MyX6a@QWbW*{ojNnZl{*ljNIMf>!i;DXy{w@R*Z0`|_Mfa1; zvV2q3n3jlNnuT!>un z0G0J}K;wh>1=;miuX=P7ZSol~0jwWn)7`XIdWxP5_=xS5dy(Z}3->UmSf)Q@QKenA zc8ml^NW|EkQ&HLO{!5gXTQ)fJzz| z0rlyeyZF)qO*=+FF>*S#)mVy?vghtC^|*XW5O1_1r)I0U6n#gaT$#&PWRpHV`)G)x 
zKQd66c4SehD3Ypo*GiO)Rm)k@`Epa?6VDhuyg*{}1Y2q&f2PIm8Q2!OGQ&FAq89ke z2(x0vvW~58h1=vectSRC#-~T-MBbhqJtdXn{@SJ4^ZnwM$5CS?onr+CU7SRT>B=do z50cCfY~wBAQloyw35@A#CmiWj_E1E8EUCn+_`48@!Fpimji3l}Hi*lYViD<~Ar()i zAR7mQqhJyk8dF73$*6x&=v(*+u|x;ziKjZEC$YH;(3bcM3mg|jJLbAFj;3dt7~-VI zw75HBI?RjJ8=?_#p(|R17>~nWf_H+#@#$%vsFp};(OuZ@wl(|mh=Lg;)f?1hF&#M* z*Cd-+(+!?rOadkjcEWr32TW`wmPD)6WljVoA>jgCnsF%vp|lK$mCuNiB^KOCeFt_2 z*~<=kJHYqLp1=N}(Kvisv!8jr7|TpHT)7!zu25a#JMi}g-VbrC&(ZgGbqTQ~ah6SF z6bwjHS`O~95T7jS9q6L(_kO!I>JOunhMQ{vYqu_X;!tr^VT|g3!+eDm_zD=dz-Ec< zfnoTE-VchrAX3kFi*x2=^`xA#S8%);_o%XL6umDyU3>J}lL~4XnUn*HaOD(K-M`H! zxsNZP*cys_GQY?iE^=NNY34LIZvNnNwu}~3rdk3ql$D1#eahCJZc*z4I8*TRpl#_W zIuJQa$Iga5DsVTO-OA6Q^y2Lz2#Zy}!jr=Cg<50aWh;6ctq3S08SO>Tsa?xFc)baH zp`g@2Y@ax6bmz9x#vk4lR!BW-1-sEk#}X(X(OLX{z5hf%P08cOX5zbTT7L>85cqD3 zTV?|4TNPKU*L~SoH&zZYLQhjZ&-WlUNOgk+r-RpBkGEm2p zFTvv&kI=qTDMpg=RRV7fz7^(P2W&_gJXugVSqf`uaIe4f6)7`nvqjb}IeB+^1{Pk3 zQ2_)L)#8Oav;@c36e{6By4~qDLq39D(L^rvkyM@7h738ppV44rJZ#_wSZ%T(RN-6C zVZX`{Si&UJl}buN0=QHHx-$XJh?U_d3@ag0oF}luH^-KLgwO0-f8khr_*K5GaUCIv z^~YQp?D7Qe+Pg3X;5#p?yaNz<)L$rPOKyQIGc%}CQV*b8f(HO9) z>`GTt$I^V!N#e%A>}RhUyQT)Kj=uSl1T*bKad8}0h3TYmqGJ`R5_V}R%XkXquIGB# z6F@771@phi*Ux!=3|7aP*onFu?3*P!Uv)?7Rsg=ZtmTCh3y9~;CfI|~1$c?p${Z>D z;if{i>5LBN&s3=~dzq{{7j}!$q(o`i_qYo?xq|iwE-P#3GzFeMn>@=|Ep z;h^7a3c*|{{^s*1%Ro?+=s1m%{I^^?(W}sG(;PQzI^LfT} z9p&#EH{>b>bX?~H!a7T_TK{uYJk8*)Gw)ZfAxrE;mOwlkTlKyoek!$qtCat4q+$XG z>>n@#`^|?@k0pn9lr*M^UVL2b`aAKmeom zbiwV7>>-_1=;>R@E85vX*Rc|(nW>;32>o0dy+$1qjiml62M8&R);Q20j@yu{Q`aHQSarOcvw$&RCzWqmv zo{IPA_;M$YOshXl(FrsU-J$TSkd$(jdUZm$zr)4}VtOUaGn$kR2QDr9^T-yy-Aglg zaWty7SWpR>u@xDmQmx=bcQp}-VZaQAG#;>xZDwS}3pc_{{@-H0g9&dYyUl)$+=bj+ z<=l2b_kID~!wGyd!9fFAO#rJy-Nw4G#)s^S;`l^DeBlL0{L35tp)+H8h}1P~pE7pI zFNn@weXi4q=$v(Qrs+XY+Mhf2A^?=4mG6J|k+r1N&e8cs=f>cLVH0DB^R;^;?fKjD zY52{=h=0=C{bA}$ft~DCs%Vd$x@&x`AMrDdoHPv$_f5hv9&nCC0v8<|H@!kW8VnxN zW+B}_bfVcHIsCz%4Ii>58+_qv7D85@04)>b3H)eLHs(#p7F#1oICG7V 
zztRoI-jIS+@a?;RwSdYT@ICa4SI)Bq5_!~Lb(ks5-j$Zr_>PfaXY2;SkuF!(kK84;Dm4-wilId6PzE)hZz!e#F}S0(&2`l3__op2{$yeG*Jnzs_fwGE2CcK1hk;+nKYxkY#8&i5=myjq_^(~pXeH_YYH-BH;MfTTF&}y zgRNd>`H4s(kU7su9^JJ2h`U}JpVK)Wus8~(u3{#!2$DKMFhBIrk(6)4NC&aePBTU3 zFW$EMv7qbl!r`@u{l)W>TG!u3enxW(RMl}62zXm;QANnZ^nYD?`l1-#N)Y7_(BaNs zIF0AqwGQ8O$ZfOpb?;=wC2)H)rdpTWe~Nl=XTgbh4}ZPNU#!Vzt@9?+`DHxReKREw zR8CXkMo5&4=?NJz(i~LA`e4+W>*$5}FB<(kTW|-)$#};nn5~?Dx3MaSv66wxZJ8)iF0OVS zfhW<2b0+%YNn1v^E8|VuF_ON?d7-%uY`k3bR`%KQ1X>4Glrzx*QEV;$h^f5NSf%uu z^Dw70z_;e~6l}hl8Co=oBCVCZLzm^+07V_vOXt%q2CTFGdEC=!r9*x22ZC0J?XbHi zG9tnW-iMG@^QVKCvJR**=)iKn*jaPOC(F*2Gp{pEC^qaFUSRGX$_2UD0+_oO;u84V z(t#Pd&q`P`Z5TA$oO(zM2}y7lQZdr_7gTaPc=yFWOyRN&8p`j(;A7--mi1VU9|s_s z2IY=if^zZw`fbHR#o~j|bQ!RM`gFqo1^EOJi&|*$P~bk%0pnms$DTKkP_g`W+rQjQ zbvVJRUN307Wlrtg_9Xfn;Z>85!|qPfSH9v7@lq>OEm}@n5WXWh@k`jTH^GG`7xtLw zAFC3}&5WcM;7sV-FPWaPpb*FSqD2=$2nvY?Em2DcCxz{Z{M8UcGL*l~KH|#dKbyZI zP{izDQgm1Fb<5?2H5PCea9A78OFf?59Nx#H*hBXYu>6LvrctpQ=RkBHz3ykg*^YFT zBoI&LV&^cCC#^hp;uVoA2zFYMBIflz}n?45oir93G}Hn z_Ft1;c~NnZd$KUuZU!}ZJ17NwP0o@4G~7#jG>%_cH&!S?e2%Xwmh)CoU$cmhXNqfI@kw*L@=1H6~2W`Qz z2JO#UaF!JinX5|H^m*MJR4ig_&mN1`+0*!9dH4qy7Eiky91+HoRv|&X=*AL$9y6Up zd|y#7IM|OE;V~3pGPX}#tM(g_s#|!-V;hn9pxU@bMv8R0d55nJcdxMEKLt6;BVGd) zbp1y`Hh7TC3tW-y6^7v-I80_Gm=8H3GuLsKvV%xd)>2_Y3PXtn!p=sE72rR;4gkJjfo zdvpsIp~anYfYE{Hl#!ZO;*C7DhHZdd4vc2wTSKjV*E6;~*XuX5hj@Pz#7x1`Q>+&) z5W6Mo$G`$G@Gp@TmX*)LB`&ygK|_0FCeBb!Oxfi-9zDA7kiJ+13aNa zy_oO31~*s_%^sxi1`()oGY%V=lWQaz^EgZ@~aCLM6(FEQl0X^FPjCqp!+OXnx zs8Pk|qdIrk8AEyvX6TN~CdKtPlUpPHW|5VyYZXZ%kG`|JP}LrPpPbIHE3INu8nQY; zJONX8lyUv$47Oi|Lnr9(i}S!B`eSYjsUCpkx11_TIa2VH&yoqWvGy$c)&+guLV zEknR?bwk|BLi%^BdVC*%31u9G$yUi-6O9RS@NaI&98^YNxgV;9-F1-tVd>%$7g?cF zd3%Zgvgr%Qv<2|{shQSwsV>e7XtHiubQ5Q%1)U=;A>Ldwhbk(p$v>@)$?w zvQ%>CQYwRxw9DcIcdKsY8qfA~?yr&HV z{w*$XeAI$%*SUKrWX%eV^8f35V#Qw@+QGEs40Nd_+^~MDRkF5{=PwUM{M)`5jz#6R z^EQF=_eM%PrE0~AG%hTqe;YceH>as~aX2VSw67aLugsq2y30TG5C+AT!9ExiqLdCI zu0LCRU6m-{+7-c%lhrCNRZPVGVgX}nK`q;DPC_9NU6Aw{r>NU+KWRG-?w@h|XohN@ 
z#0=9NFP%6umlO`qoS>&)dqxP7Klp(QC>BG_RnB5{;CMf;rfOvda{NCP>mLqM7dQmx{dKF zIu9!@dun>f9}Ewp`)51q25j(ai{Tn3GS83IdWeLvgG~jQ3{t+%`p@H5l^K0{E()Hm zdLp){1T70Zc)ocI(Etzzm>l26%$h!JEOE~3)iIx1Rqc(oGMuyjL|7X^FkiH>RK^Uu z|DbQvH}CG9JY_;E;}N8*%L!2b?CN9S=B@tdYDB6Dzx-nb_Tl{Qgti>i>*L|TlgO_t zE~wo{;piLdL~f#YD?OdVE6PRYT3+QNv#C+(vQYJas}bj6&SJ?&7>=M22Ekl`ImsNF z1N*~Al(Nf02aa{JKks!MhW-bicxnjD#0=6{fX>33@)y;?LGL&{J#URc$l?M2p=c+O zcS*$Kg;=Y`S(E+iAGN#z|xB*bN$6jcpr^ZM(72pt0@7cGB4P+3oYa?fEr7GCMP~ za4pQb*Q6Qh0Wk2$!6f{1Nq_g>+Q-~;{{6?l0+CV!!#ar#odyyJYe|qmP!klqAq(y` z3#&R<<`0}2Ft)G#Y*S1(Mmbb*OV$Xov3OtN=QPwDHJcK^8^*v|yX0NhOy4isHcf3M zB~wK|8_a^>yzS3|l4AN@r-G$;%`bILd>nScE!e9JsU(7p6X4?vhw>5S>v z_&7SnxM=0%*V^)!zQ59YE&blB7y(=I6!QLY$pSxdxxjk4ttk^a8!Q@Jx~jIRIJZ!n z4JO%%6vHgTz`m_3<&DBY>OWfYXBgxH2Sf+}7?7hMM*<+gQzYk^KB?i5_ePuche?sM zH9Vp0{eR6Te0ZZm+ZhKOL0bLB3D5PsH{ATNF~+-KaYFiC>-!nvr=~|itrvBMQe}lE zdV;f4yJ_+r!xL5Yd=@Oj-uE3PyG&PWFGqTSxy?;i2tDTl+T{T!H>vcJZ-%aE?GAI1 zZT9uvC!y&r__7T<;hsOoJihBkS3NIU7RIwt7ii7ek9Isr9IpxWRaNRvQSW8ANINtr z#3EE_ySNF=e-z1$JMmHK;o>*U;Zd&@q>m$*!C_gW-8P}8ru!RnSskat<0t` zAB?v(S7Q8*n2^{x09r)}T>s|sk#sfk&gC9~cGLI?{0S*MQSzlmZteoU&)Sm-lulC5oo9Hu`8v#@wa1}X88%S3)X|i zw1kHIQmk(VXFGO3$Bp8@%Xl-J2LJJQGI@}fNszP7{o-D1OUr%ku|E0-}(V2$60T8@k(2QL5 zyzb+ZZPM2Xt7f&r9mGGDA0`R6AA;rY8ByA5crd2BRbh3s&ZS~0-L5-9yf4n^h}l+c zX-kj2u#qZ4lAESZ$=cV2EG_!lDAZRPPU5~NC?lI_FCgpxBu9_@k zs^ouBaMnANNh2~%*$n|Wq+5ZFcUa6?g=9A`xNxpr23<5jpZYsUpyXdKTgJn$I2ipC zLj-!3Vs<^H?Rx;i&m-?*67ct9W#v^{COyYqP}HJImfASd6+bvD-g?<9#iAD|(ng{F z%SBpA^pgkI8*rFF1iJFe;$1$%{;*RB}45)*$IK5@Cd*J`_j_kbj zjP82$=OFm`k&1OO{J`TRfwyH-jPdXzISKc*@{Udy*RxeUm-(`_)Mh9DwgUSh=T7k@ zuTl_61OJu^W|$|T=i6Jst2|0TaQxQ_oF*`=&GMWh-u`2bRJK24PUW-zBw-1^_b!aV$ScRIa!V;J1^V$MLjx&=8}1oasx zygBR2e8fL?*G^8J;t>*>)|PySc63x@MqeBuhODVG?i|=GMit`S`2QHNdQ3u9nr^Vx zL9h)w`6k`BRKClMfAK|xMKLf%Gk zf!6&OhtY4{l1?@qZMTmNlr4@QcfF>CR2ntT!h6JFBzB0Sdp?;M8n~0ItqB*Gsvvu| zY@4~eF)S3e)WJ23G$UoOWq=7J-U^?>7R_p%vHcnvs>AzZCfw1ZHQsOXsPAkHNz#Dh z^+R0<1DAe@iqs6tiepU#pw{}SqA`zd^5Fh8YOXZ{@uCc)@xNW*_$a@In7SJWm*A;W 
zDQrcG%!k|Cs~bDXh1G|{Xm>6`t%^Hi{=IOH><+pa9(&p-{F;_0tJ;p1;BO-|VR@>{ z2B6oGB7T`4r>s)+nEo*p<{UiN$^r5EvHqB}5b}v=vf{@M@Pb?5peLlEs7<@O=?q!8 zYFYNtWWxT1POI+uYS-QQ3m_#t`33LA#txaKddv9yGC3{yc81T(?wh?P&hmQwpn|Mc zV5(_ce;wQvFN4HNFdRl9tp4As#DL*2TPj+60d*ck<}^cUYEOQ0P>mof7L(+b0w!7k z>t&z~2P(4BzeRoBo+(BC&pyO2|v$U3>Fjqe45=#6}S?+Oa6@sW}GP!r>6i zZXHJ#aRBDV(ux6tQ*pMGJKW2i85f4f@!7#EEopfB^Hvkkn47&xM{A%NgADg*~WL_Pq{R>_nCkXT7Wt`Uw8++ zBvoy-tJ@`-)*kLjCKIXXz2$JFToUGgykGIY#@cj@JSyl%ynuM|*t%TYRDnl0A9 zGSoDMf|Mq7!&|^q%RVj$?1Qorq%y9FdRV|pv~Bah?v#j&c^0|Yg%-bkA#t%Td10<$ z?|UTuj6>M_FqKJcNEynUM?bK=`u4qI{$dQt*_2G%!oJyjCT?kCjsNQCWPsE9Wa*h& zQlH7X86{Z2O&kJ}?1aLAA0^(`0(IL_#2lQtH>Li$;|nDNbs`L-b)Z0HRVKFAdpKIUY?UDYXW}yP=uUG; zFA(xbK}yV)Qnr!OrDf#A%CqK1ivXXoTo;AG=!^~wCUrM#OIz@eY2#-a$9QMVgx zG_I_>jd1S=qp%k5(yH@PIYvX12G7Z#BE39_5zx-)mE0#*QndDpN|F9Mq`1#{ya_K z5x^n+?6UY)Q+C=7z{IHoK<{@??mvwSAhPdJlkNl2l0Zp}Cr=G?R#m2uLdOtac=}3E zF(Ikq< zltN!{gT)6a`U=g#GPDwwHLNn-QR!j*HmW?o(#uOyD4(#82Vp~S)DoG>Y$Ne5k>-f1@VI6 z!Z)OTS|epR{v(9NwRrMiIpUj!eT#%z08`BtnWekNN{FlQSkbk_xud)3~;rx#E7a*&1kvJzb1Quh3Qc&ws z9fuK!SNDVtWBN}llX<^_j`Q{RaoRJWe>R3?l2HaeP#*||P=)ic+9xhqzBj7q4!{Jz zAKOQv2pQCnW_s_p>gsq4(_&(G**DwDG$BI)YEtmKm2GX*R7bXnT_uIHE!(f+tWGep z9KAU7q(T0YCtq7$M&n!jI;Qd2e?_b&9$M1R-CAQH_~zyQn3w+Kc0>^W_Tz*i?I`{n zyZXm*H&oBpk-p}@uRMozkUygHi~2s$aZ5il1@uSR@$}DjGR@2M8~nF+ebm&1qZM|6 zs&}mjpZy3(X?42oF!jG=bcPZ@Msad?$;e%Hh5o zE(%m?fjxCZ%kmZOh* zzGW%q0SPZGu2xUuhXxUsQb5fGA0fqzBMh%XAyR$SB*`N`#2NFDvPvR!cL&5Xex|zf zBFZga@bde>^1t&Q%uq_8q)Gse`yITtN+)*X9hO)QF;tZN90YJL4EBE zKh>lhE4e>PohLb}e9EsS4v-hxe2uLV!Xb}P_Wl~cC~2$k&nijHeK10YnZ2-#=R9;s zJC3-GNFNnlS?Rf0^Iu?6e(z5%w2W}IhF^?KXxZ{q$KQjNb#F!aQf2Ab-05aluTtmT)i*Xd7a(JSv|(ZER9!vSJ(s|2X~0=|PN=-gialON{0Fp&TtX z3rmfV9`efI=u}f?t^Z(`qT9cS4EP!gJV(*E=gCWmWgJ#mNXE_=XO`Jw{zZadFigt* z8oP1-=dHCr-y)?H2m6pA*KICR*l*&{WBfiR1}BZHe(o28;<3}_)xCzDqKO9Qw?>V5 zavY^R&F|)6Yq~`kP>h`PVQlNHHyW#SkIz^_;)vFd>RB(7564XYGC^|a03iu_zdwU5 zEV-Qk6&!8KH+xH3R}m6TZJ`ucNQrGSnI0sa`Pay=Iq^R+*%?hKhd{r-H25Y@F^Mg}B|1D?kKLx;sf 
z5=2Dt(9#m&Vn1j}h^XDuiHEa>9`7l`MFs!ku7SI&_|^t?)(H-Xy8{`ZQx5=X2BnP~ zd(bT{l62kg-O5sSKy{|59}1p=GwMG+kF>mw=dBt5>9@=YPQMRT!~WMK8xbWwZUZQ` z)ybKnqx4EAC807VB!s(5_7RHQZZJHTY8r@y8odepM{n2iUtv~mSUwCH8k2RU#_o_B_bOSkFd#dUA%FXzFPaJ!f!>uWOJ!ouuAXGyN@u3f zFBobcW$BiE^ft z{>~CRpn|m0AM4}WDQZ#mQnfYyGHU=8QGV158tQ9G=`))ToQtKSA@IgPl)3vQ9#ucB1mW_3Rd z>c4se`t(0GE<^Y$&-6njkUnqR1@rYBN#+pLMmc2nOW*wNtzE6Zl#o@$uXe8Y3mPy* zpNK!JR`{4b%BRT4oM<`~*wVgQ=m`6X8p&iPi5G|9KALZKRcKkNjD5(b6+r~@21qfd z26KAtmq0OW=}GmmCvWkLmKcK3dsWhJ$1RRF)(t{JB&+Zs)~fq8VeaYu1@Ds2(}XDT zSv}c269u6DVqXsFJm>C@OQDPxxDZM1%#r<5JULTl34`l|BV1v*6q5%@1~^e3`FRtX zmsq!U9GM**9)Ds`7GVo=6zYe^M;h8){_bu@jxtq_n$a7WjjAEE#)vm$RKws&AtIjl zvt3HYZvX#)^lf6Lg`Fdc>>$l2klTPg)2vVq&E?yG`+Uvi)Yy1Ag_`=TRqZ;sfZP_Q z=wXbKammTT!wEhiHu1Z_9_kpcaqp6F?N7u4L%i0}Emf^kopA*Fph7--w*qp-g^^-% zjL6W3B+JTap@ZH4RG=%*P^j!!m#)xkEgOBu>J~B5%?8s|D&o|)ZS}f1laFDN*_uNp z_?YC1!EV~2X$4w~&=dJqy-fZgnoT&dKYRfsyFhY($)QmhH0(* zhXE|+_HpFftJ`>n%V}R?#-oJwYyy&xROi zomwhE7tfoMVJ$T7W{LYbBRepy{aV4&Qu>0V|4fLq8aWPVzQ$wRM;Eiq)A@7hwJI3nVhZN6*gTD) z5BSKLg?=WduK;n6j^LS+AEv>rKwUvO=F?c5x#t?0)b*uB`nyw5Ysxm4J4bhvqH+I^ zaUb^7pOl`bzhDlicw)rFOj5L{)+hB!ji-rm$`U!1m^a0~e+FyT=)v@G*}#AKUMUv8 zicj$nJWv$>21s+C^ycDf=RK9y3I+b)Ph=ofE11?gC|aKPfH-?n@#_4D{*&bT`JU=9 z-koxJd45{4c5!{YT>uxwsi=V2N?A7jBy=d*lH0#*uZ6&q0R{gd+t!)Fr!MJ0ZN4xI?768_a_8|q z(G8_2%l+}#!1`{yjL@6fE1vew(#)!$43me4OUy|6m_Kl>b=qr0r`x7xo8uhcbD2;% z1rJ`%{<4~Xs7l&f#5%I$lELSZAqGG%B$G3=A51p|9yjX2pT!;Xok=az5 zHK;P7C%8u5US#6JX@dttce;Ut@6V)v20+n(y&vJWD1ouG{K$J%<y$6@vWGGBTKZBda37z(} z(KVlk(qoaP85r;9vHRWEL?XJOCBOx7$!IgB)500yz0E_dqqy85q|aouKglf$OW~f# zFr|UnzAKhWnt2#7DQR0xLq^wZkqh~V4x4Vof>D&PCW8ZP`-)Utboh$mZhmaUjt(g? 
zsZnWbYM2&DYO-tU(t)vBHH~y~w~<;Qa)L!P7yC}>ZCNHGBQcJ(!rw#IdYiK^yKA{1-vw0`t44JVx3CuQuPL^mzKgsa3pv>(_S9 zjI8|6_vtbW_6TO8!TiU~Ow@DG@*U|0PcMVJ0yeHcvlD^|hKU5>DAcOPyqTq2UU>`@ zkd*AF^A-*hgO>~skHj+D9RZlR?T1XsY^j$ccEb!EA%BJe>W++W&yHVK-FkEDV(DpP z@q2h^6^xG#``HvuxCW>}a)1GFvYt1}tstLujZ%3w#|XRueXE`D{AQ zpU^iAPxkY+V>QB>mFqI0lg~8`PaaMfQ(2Nt!?7TN{HEmD!6f&B-z&E%K0~O8$uSX2&6Ssyrqm~Ph+;hO zB95cv{*~2WyZf%^$7kZ%-NxXi2%`Kn9TW+!Z9&zn)uKHA2Sdl|x1a64`seHahnCSB z;4EO2u<9&4f>d*dkU5>QsJ8T||C6(uiYnX2&aFo+(7!9biH)2{TQAYZvWVpEWS!3@ zMFKLV$Q(KIR#TZ+aLRiJFP@**iCSJo?A;NyVC2eQIgr!MSx`8e3+Rq8KoRO-Mtq0O)0Oa%#FN%@#PVu9Vc>(fl)Xb_MdhXUa8)jkV~_;)=dW{ zQj8D&Fo>3|jvJu7CP$&w>Q#?b1w*LG7{SG*x81HY&XwE(O8y#aJ-3-e$Y2yHAg51k zthbrpxE*-JUw#C&GXFJ1sqJJ`ExIqLD%%VGF6~UXoc>)Ir=6_;m&cTXD z6LI7TSGklbF1~I`^z0WV4rx^nXN+GqMBBk-M9H|If>ZBvlP}=R-fPPCrm}@Z`yZ8% zA_fFe!;e0MC?#+AJG_UC^`vz==6-ri?wcrW?(CnbR2;ZUujhgb_ArlU(#+OC5i*@I zy1npztFv-;K5|X7f+Az#NX18v_JHC_TUqw@=!tiiw_!52i6;?o;X6B>{QCnuZ_VDq-y-H6j{p|HCwiqZGDtA zCfCJ{DG|_EKs+^F+y9f7(TI&#_^gR5xioe9QolZFIi@Tl3#>v?G&6FVtf%lcEZ|-6 zUx&f?m#t6VO%p$e{wyu%7-5`?yd1Zbh$8wd>gB zxKvJ7p*bqrSXR^3ZyeLchWDm9Ea9pSs4YX?_ZHn3K#~?*SfwLkp`*H(EYvm)Am!{Y~g5un`FEaOnTf$?Cm_8!O>^!HFv zU10rTM-T=eUPt+wN{w~w)KUg*-}6Eud&xs|75y9<#O6v9rF|%r%h;o_%_<{yt)$Qv zvrCvQkIGe&$>9X_2H7{ILFs?=D=m%*Ndn(%`sWWQ0J6#&`6fg`OrsVt7*+`Rb+*DC zeHvABG&`i2UmHb00_K5`2yrqdd+2;QHt(XdP7`h+YnEY1=RM+1enf7fXJW|xN<11c zazi~?%jKag#Pa0U!EY8Lxf@}_I)H>=&zW;oH2vyZHZ`_vGTnw8;~!dovS_PPc;#VT zQc1XBt$Bc;)o`(8=rZYlq_<$w{o&rvL%aYfFUU2Bd?{AH7t$Iv$Ut55lZP?2d z!vaO@yk{MB)+T4|CmfMO2@vZziL_#h&oss7{Q=nf@v!yhQ^^NopN|X23iH~bU!Glv zw6*q1oWFc{TQcQBR+Z}Cga-uE(s%zEYyp+TwvD-HR}^N<&~RKh`TM$kp4zoMgQZR+ zz@0tNGnjy2;lG#=eYRoScVhE~r)$HS0d z#)s8=+=TQ~FEW}Ek7rFv=s{K%2RUxxRiay2m%Eqy4;UVhVBiCq9H>$-l&K#xUSrz3 z@dLQ#dBCZIGAizo603IR0X-*(?N&)xcN9(X|8eY1PdcUIo;xX{P39AnZZ?rGzf zuetny2oqQR4d=rYf1K<~9p|7)-FGe-&w4GvlIhgLMM3Kf)Dr`2gm0j_$1P_YoeyUl z9M1;}T1>dZ@E_EH`6Lv)@)G(E(m7pZms`OXjtm??3J~Oj%P!U)1*Y-Y%i3&PWo=XG;|sfcH=9X@Sna4w%(u+Q 
zACp(@3&quX+%M@!C8vQ0s3)SF9(S)Jh%&x`rG=HZ$~GHRH#RzND<|@NxEgyOpT%8z zO?+^?2KWcrdR8-)qSrZ!9tqVUr6{k%h61$Ta=diDVz~bS=pY$XcdlBdF- zT|b(*(j)OIi6$uSXh2b3|4*wFCVpPIiS2j!=q&ymq8~uawDufFl)c$nr$Q`xp+6{e zu@FG6Cu(e9JAjI+)oJ$(eBVs5F6}*$mzk&cu|1vl_y%oYeioauR~6<8KRUM=&U%mI z7e9F0xA`{=KWQgQ;EUEr7?SLt^kg_QuIrsc(hds(v`!1UEeGh|hPpcE9T)s+{p?C~ z4P1A^10dQ6Hy#9#PqSqh)C8;2Njg+l#)=E$S4KBL4=sM5sv{R$zW6LVBgw!!Dd7Gv zS~qyeMFUQeCP2?wTCL}nRk@e}qX$rup1vRPT8iS$f=&LPKgc7$;hJ0K;A@z?owZL& zA7dVst^Djo$twSy^Rxkep8xztV|;;TbRmoXvqwDwY=?tTlfY$P|FH!Pc1X0zq$ER; zoz~-uB;PhkqX2Awl>s4hCq$QP0Be@zI5?q*gc{srIZMaIH!WiNk9H-!1&OM7II{aV z6SGYMH6wQ0P0-llceyEfV%|KG!lpA!$wGcJb@@ON&gla)9OhK79(1=j6uc2xc7ZIq zi=FHx3S&4WBuYF&c-S9t6X$Y|Rf(QKVn2O2qif5pA zQ0MENI)YP|d){2n0LJ`Kwd=A^_>l04pohu4^JySFOx4fq2Z|y@C22}L;$bKav%_I@ zQ5aB2oQKIpWyN9>pzEZSUp<+~uE9ZqQ0kOa!6vZZAdgAV`xi~{BMI=^xVXffIj!@s zRS?O!&l#IfSjkO#2gdTgQcShVq}v?M4cJKZ8XQBlW+7%ap^Rr`1MH?aI{_$fbC?3$mWB|VxR9XDrE$W8YnYX$<`L`CK8$7z z1F-GngPlf+;Sj^8&Bw#2tke?8NC(3(?K|(s08n6df1Q9)jDgWAWbn8zQR$qCY!z)I z5BXu)57L?YkWw#1R%-$5ss)@gxcSDWpT$a0tsb22$Ff}W2`k!G`O;dm9|a%ln%ZC$ zp>i_b+L(yEJu#nu=5pHW`+T*anZEc%MmTy?M_7H$SOSNjy@KP+Pj`s<^|?!Al(dD(clOC4LPp~WC=NNr_&6?$uN}wvXqvqk(lQxE zX)@O$RH9}DC0VdgA2o;eLScW_gwafjNO#Z4lk&<_+(C%a@yciBUoq~fS8IRxJ?q~= zF$$t6o4HISoHp9$y~Tx4>-yKpcaL@){n!D9%DDwaJ`4Hxs@c`IV+pMy`mzGaT5W7*Sj61;dcXgLKL?R6ZWlHsZehJ%97RK!)*ZlzIon zfW}EH?F24z^fY~NaX&!hy)YcOa(dhKYP34{1oKi$MEG#Ua9^w)_aNZEz&A=!e5+axm>#vDpf}__*fb8@9<7wY0_h4j z3%oh^NGe*Ur@UR-3kzI*-=yc5F--sB#PeJ0_9e=NDAZRU@u#Gbl053Gnn%(%t4g_+ zWt@&^?hkp{7q}E^Egaua+QFzJ4hU&{fc2u$s|>P<0aNK^dN<&Plx(<6AeDY3z+|eM zQtA+{J|@!QP(~#U*`PK~n7nQEwZ{&4T$2;!6&qyX=uX>H_Oqz;>5bKB8M^Vx`lj8w zN53<{{1=CK03-Bmy*|Yr+OK%XQLU@5`IpC*@9Sj-^!Exqe0euH*=@~fJ!4$@dE^J@ zA-7>4-?IM_Ax0$sEyfFZgxaHF7E`BN|GPchNJn4X&(SdQC;Y77;}z-+%p0~1l9+=%)zf+_w|*@KF2n%;suq5MRMmJ5kskX%G05Q5HL&-fL_E9 zvZy!BAE;nap3sn&W^U%tTDaj3U-^$3b@iDM11J z1ki-X0Ejy)=z)nafNWKX;e}PY6`C+~0%^(6c!x_g;Sj9QsrU53r9od;9zwuRrqKL5`79zk-MTLdu`e*jl)r5-t= 
z(v?mrpI3e_jEmM$vAs`4^FJfM(Ci-tJufC!LO)=YDTF_vL6qSe?JgyzFiR~c6y3suSakVM{20OuPR!TvG6?^W~dxT8~OPYHtkmyndD`!LjG!Nw(cAP80FC{JPpE7zKx!6*qilBj+ zc)FekIu+MGt{1+-m0(~^8rqp)1{4GeGu8S8__!ATfs?C#+X`D(-N2#wOU!$C7-6K!=p2PFQBPqOy2VPA9nGR~4A(eH ze)27*=R7D_lr4fZGDrQ|WCqh%YesfQ$~wOovh0sg-=cb$POQ3RA?95SxWh2+v7kBx z3&e_6w$AEZ6DoI`#7;YU*2?Y_zDzZ(^~~IwDGo&wBAT{XD8)^lVhtY<*uE|=9)C{1 zeu}R38RY+PV_~k>`Kc1J3%@7KVT@xr?>5ap#^1WwxM+_-5avN(IZpY|!`egl2MoLE z;asjK*N>vvFo{z&aVL+e+i;3FxMez-;2{5@pSE9xd%8sb3}DDeFp#X44?fV>jN$Qx zdQB-DbY?Ylrd#he^g0y#bM*f4Wf++iphbjN2;$4|Z@z$u@p3L-#nWXA8_{bF}{ zj z4%C{GuOEl}%CscURz?F9RzwVZ^F*;tLE08fscFsev`2%5z1Fo^&-Z=?^u-Qd8>5GX=MJXb?A4f18W*t^L528_*o2qlP-S~ z#fnQWst~!v$X`e)4=ydL4coef!*xUVIo_%8hmYp{ZzkUnS^{e%+?SJH1lnQBdYYFM z^iSHCJIX11DjJVqDHXrH1m9|jxuQXtbKkmR)4H{O)^UH3!hb(NycEz!x>0VrL&Fp5 zs$^mY*+rp!hQ5_S@mIB6v4f`(t0v4qs^yXF(9gnd5>N2_Rw#6;Tih0!;U3Opks)QC z`{&k+RIFg4Vuyu|<|?21`v9>KPxuw7fik8N-B=oHnTUd}xMK)L!oS?GIkF(GcJ?=r zUFE2^Kuu7hJT1s){@x~mTk%mkkYVAvoGX&H*w%Mn=Q+;*$HWpqM%L5fiH|1T`$E`g z@cHK#sK!KXcTqCB>vx>FZeC|iW&+ukRUA6)6xYUFQ=B==DOKr<{u|t1loF1l-P(Ly zJ>v)q*19u%e%j=RM;}5spOST2EB+d}n-mo>S$;W1zNLJ&J(xcKqvY)xKTa)TCjQ3r2x_cRd;GNNvHGf$l=*= z3L-8n$74+W)udLnL88^vsX_h`-o9U5ngPLp*dm%d@6LX=PCikbs)^^xpC z*m_A+lzzvg9YO--KXg(2F`wuv^Za(Fa;od#(}`v0WAxU~RBc1v|IJK1he3P~nh#b3 zsm#kT8?j1h{Ha>sQtZ4|gvaD3K1u(WyiY_BpWmlP3RjJN730NIR4z*u>^AtOmso%Y zE_G4x%BGw?iCW15=FXqBqahyHdEBs+y1?-5d7tCqKmfEYaU?rpwpOYyG_#NJqoqF7 z{syHaz9of6DHGE`-BvR^EQBl;@r3ciPfGGx(8>hL-pQaDe`RUI9w5cm%2z1q#Cd8@ z-=|c9JnqObp3g(aXSHnC_U&QuEMPo9?L}sPR~DvvffE7uq z4WD~nCsqPM)v|F%3!Do33v}Lnf*L(XA1XkZ9PeE`aoSmlJ;@RJD|pL~3aU>g9I03`5RHO>3Aoyj zMhX>gMiwL)_lR&?waEJPz#Sa%w2VIKF7+?KQ_X)vJ){$Txx^v9FNP?{76XWwDQ0GxePyOByvoUT3#>Tte3(Yc~k8&Xg-b z6N^%}cLVrI)iHSH{N2wU+}d548=-wY2N#Byqslctw#tbnvz~WPiF5clKT<-TQnQ5F zGe&)bfG~L43BpO{FANU+z+gOdfVqaM9cf&|`vV?*JIsE2#UJD9UxMW^caUTu_-zTd z0RP~;ktkRgscPc4@o&ktumu_aAHzM0ns5Wqs~PvJ@_QeZV$u~Ol^*cFn(5{+0|Gnd zFxesk)dNVwY>1B?Do8oVaS`#-09wn8!V!b;;N%sl6 
zm9e7r<}ho_CdA)ey@h$u+->2`Wa^_YZZ?b*_(h^^#&wS;1FiFfa^g`C-l6ef)f4>2LEGP4*WD38y z64utCzYmWGy&%nuqOKL7hbIV>3e0%7{gvT=7T{3RY3E)04Ij^j^4b|Tb{FYJBjuDq~Tos+fPt=9QOB0rK78&10*tg^Q;-tiF}DVinq+OXO=pz zkI^6R3X&l{3lY@yZxK_eX$`FkCstu3Q8H~jiLMfJE`I z;e>it!o^Q-M2X(z_~Kn6&8E}YPVOVOPmmFtlI7W3wa>J{gt2tWs5gh=>M;t|`d-fm z`3?tS=;!dULrbymf$rJx#!LqCgyJ^AN)m8vfcV-~$o;|1_D+b++ET}=OViz?Y^A<- zK1*g`f|a7wQE~^GXF508WksgxIgA{#oX-)^B;;#{Tc%Q7*CzmKfYD_jJyWr)fy zAg>oKb}`Y`8E6H7YNRAJ-6pFza>KHv2&2)pqk9YAbL)zuLQ_uxWq_Y`eFCQY|G`!$ zUHlthxMIm7lH9nkZiJD1hxYm;}>(*Q!btX+ls+j3+n8dK#*l_Iq> z7}y2P@b%u>?6AD7%aNB~3xqCdLOV1_vFo>m(?yepkF4DX)38Od^1lm95W~O8I%Rza z>Pw)Kn?Fr}?(E+}N@XVK)%fg(sLdbmt@@`9XXV50Om7bkVh zG<*HE%`~T(CQO-s;cliBC3^k{Om2;~9c3nE91%GkD08DvS&7`U9fa-LV)gSp-XBp;UqHQ^nY=XyDHyo;(z%Bn*2|ofPg6GWC=cD=P;R9(>4QjD}SSA6t>ry`u$i?aw%|Jt__98rz|c0lsc-dOv^Nj%^27DGe> zZ+UX<4k%5_MRh)pEJGyJ(=8|yvw_&`(d4`^$itaA8cq@Kh9>h%6g$=pbfuEIeXb?a z<#3b&V}@Qc9BMGE3{WJ9?qd=K^8A1IqomlPE1`D1UN89fDt?glg$CW6#(iVqGTAA7Y=bT9*?MD(@^6$~WB zK8bKih26QYiQ$hhsYEx?wh8~rOjZK@YeeV87K`ZzR{IvIG#?zlcHMhH->ASFvK?r5 zsT9oeo))+%r&q{GuPcwaUWhoE7@1q8!fRTAJKgJaKy<~6##Qm?yTu={|G8TyaM&Co z1$p1Je&nCiX(Z+dx(TTR+T>t806Wr&q;QC&8RUQOzPxI~2$Ja9`96Pg;xt!L+P)eM z^DN6z&%D2AFi5TejJrB6HPE;BTIh%=2K9eEm!192XL#|7^6I}(}tBeXQRw(SDuxp>b@7_ zO#R&baLj)r)@t2g;_xcj82K+zn&*pbSgEoaz9#B&eq9Asf$jbw)rTU*(2K_7>wSt7)Fa z;pW$`wK&@We3NHf`u6cnquAvwCt_O1?S%4G_D!gtlyM&Mtj+;;22EP@oYm85eaS+ax)9A{$O9B?0p8~-g^rF&womxxYjo<6(ee;nflmq`~AAS zO1omiGb{j{cwMmu8CF7nW0NPxg~IzsOAL_R^~%arx0&G!)#mH=EzwHm-yN2hw&Y;RF@+B?X_qHrP2Ab6uBU}FHtye6^g?;IZCkf?%J@-P16AMHd=7q9 zn_2cCVj6%6q^f*9OdB~IVVIWiqnoITERVJG?N-_s%Z*- zJWsw>KTtMscXjWkxXPJ$wNQM6+UBX0>UC@^cZ}z}#PU#;TtIVda!vR% z(jtC644E&p&8;b-exQ6XhX(q@Gk4v`Fd2wTDl|}AJvH-%6dA1#D1xbo8r$?>VjDfQ zWtcfgZpvjMkJ+bOOTU3PZ4(3(`M0?7zJLg5anj#Fo4=88H5#)oN-tR9)yA453#!v_ zFf{l~o7_C;&)1l$?}Gz%73zI~_LMHQ3#yX^S(}$lrKm*DTQNCKEHqtP1nLtTLKf{l zT*Zql)KgqzZ%^X>62L#K;13=St&-i9`x3Rhu3QYbtiZ(AMLM=IKDE%fnxHvaN$>D_ zxzfyh8mp)*?#YX;J-f3HHle@sfP&K|J88cF+_}cZKn(7kJN|%#Pbhal;Fo6d0Kk!U 
zoT1fbM?mKM+0o+mOiZGuv8(U&GhFNQumr zpp}gWl0!C+(hE0Z*_)c`MOa?wMZ)j56;sqm1159w&#Q*gu6Os1tM7tr4JP!LHF0;b zf><~kqn&fw{NvYdJ%?UhK}9=|Umq|=Ti+geStvVnRz~B8OwqWqK=oN^O&~n|rE;0# zrgO;%69n3m`tTOjb|(N*3aVd7%M$%bbsjDX>+hy~Q@Ks$?Y-(kK-PG)$`32nreLTe zx&OGs?LhM5nX)}s`}9!uk7rzFg^J~?FJ`+QUp{`-+8TWT0T}9LrtWd z&)4+5pT%}lAs)lbZ<(%+Zwqa^V-hv?^p2;z(zep37gy4HR%u5d3q=b{2zU{ejb-rU!1N7PfDQvNp zS4z+7+@3Thb`r_zsW6P(G}6g8;zc~a_+-+$CQcG-e%kokCxw+ zE!=od&eWdDB_||}gsRG{^m}DGxUURIqGOk8tPw?|)Od|^uxP-^7O^ z2HFNH=%WPrwoaq=x93k4d)LmTw6TW6JWaER&^HV2In#UjgwnQ`kvf6jKoets1pJX@q{a43^k)(l5b!I3(Cta5C-xq=lSoN7LTx zG7=;$=v6}PXlnpotlDgb`;Ru;=gxA&i(7u%s@&|H5nwG1cK3syke3pK24zmdAa5_rM$@BgmD;9{k#IH861EkgVWy z&eTL}Fy6$-ve$jQ?9U$-fyWd^Ll)1}203tz4wx4HopQXQge;`IY=-Zq(se_E3;iY7 zUrHSNN~WQTwkJ=(J~$d>;Qo)svH&TDCceVoG?uOOJCJWf6sB}iSE~X@(m532KGKzn>WMb-czp2xnEK}MI-lq5s0|x5PEM@Gwr$&NY@3a( z#kJ#LVugvz2f*9) z7xO9Lz+JshEVauVHJjf!o*G#D!O`jG-f;IYsv|e{fHkLuCq#`)@rcK7&j`D(&*T9P zRr?wfO8o_WLnEsC)o-HOt!EF^)$=y>dDX?+6p@#en^Thk(@e@XpT0X*kx`U{Z7Sri^~xOQ$BI8Diu`?*JEIWWR<|Kp z4V0jVI}<8$ooqYrt@yEy!z!&w~qxxT#H`*(t!JqCX(dwFX zSDfdbZD*f%_(=^Q#1B0XaAX4EesB;bu*m7uQcw+aqjT!YA^sl{q4NEN*td_Jeui;D zm66KiVTCry*f#vd)_#KfsSg`}To(v@$wzzChL|H@%!bp4hhvtTAo`58Qeu#g9WId) zZZ6QegRU9Ns~N`0UtwqXlQrYLY!QoW@$f82>;7}QOW>Uy-Bd?260M(&0$E+qA76!$ z1wah+4Hlqcs!JVoAcebylu@bRT}Q(Tlk0-Qt1GX$LTa1W7i?qx%_d?D6gvJm;M?z? z?2H-{b5xK(n_C+<^P?86Bat(`LT;Yj9-A2qyK4__+)F7J+~I-ixwfkP0}3zv$En7G zLtsh#5^wH>IS!IU#1AiPU19Ve0wKNlz6Vh<7XJ#z3z60p#?xHEx#y{N9VP z_=U^W!~Uc`*m1W0lq^xh-WKFLZDHTkYt$y|@9~-MAtCM=u;W1)2NOQ51qsXB)}PW` zCxixdkR=scQ&a3qqOZjd%w>nb*2BKd^?p?k9vG~!!eUYyx*b^q6J$w*B68< z?^d6yR}vopR}Je>TosdndOSJhABmKz{exdK7Q|QLua)ty7E}L>${sGfR9y;9^qpB6 zF<3cfE{8WjE{sU&?@RSq-~|$O@N#~8lWC0o;KHKql0Oj~uYI(4m|mBnwbV<8g{Q_k zV7eCggAT3I;>5_`M%`u%e`y6bs! 
zn~$i_)paHmqlg1#>`edp`BK09zE2$sN&-cK)V1HWUn<6QO_?e%;5+q;WaY^y#jRP< z8{BT{wRK%<#-W^5hFFLjBQ!yof&rX1uKO#Yee(;H(d}dsiZG3AT4ZIJwKb%T@%lL{ z;xX9GlRWl~NX4&vNKJR;uVb^9b{7WgISL6fMi8or(OVbQ>={fya%#b?XJ&V8^&0E$ zX)}2|R%}?A)5Sn%SJxoRs^sq(_;{!uNjkY!1qcod*N;xdWV6=Vg#n0{t6T7<4CAvt zM(d#3-y9aBym(*+nxCddOs?p5>|zIJo%#vvyl@zC$3MW0Mt?^@-V z5a3WSKhO-k^?J=_y5Ajt~e7=@3S88Qc&72XWd`h;ojTv4_Z6EJOV-~W z?PO=+u_ChEl*dbxU-&gfPpxxa@i{Pnok`g_BSzQ7@}j=vL#ymAIikozgHqQDHv5*% zR%&`u9^sfB?X0{dai*cMXtrPL)&E;}{dkibPqj!=FOdH<4uR%v4SMnAM1!#`l|C zvMRbL>2!+BG)dn+VRSxZfDbx>XB{zg3B)c_6U(Zwr7jH3=J`@2UtnAt?YiODR#k8y zke_Zmj;*Oc)PCyL_KkM)*oM#N_TuVkC*VCqY%_fR!I7PM-2(DlIt9-N z1#I|9TfP7aFKd#lz$g6UX$Nn5Js$|tU=CRX{)Ruy&VD2WGz4Bb<8PF z+pX>)iIx-X&AEDxT&X)T7*Uy?pP;?7w0ZVK(jSb=imeW(vyNCYpS|B#0p`g8*teqK z(w?0o^Hc+`xE>ruDKdLZis{o*w57>uTVG7V^3uuu?8kf4O}gF3=J=`A0L1ppxE1^5 z;zF5$(tt21yJNQDze(_q)~o#N)5m$~K)q-E8gUuX?3CLa=9W3TOs1BSdP}SnnJ|L% zKKU+MJEFS^cG0kZSN)5)VZjDl)a(8Y)^f|q*)fq=KsUw{vdRc;2l99(Lksu07srN- zXxB@M_?tVD{&VoPK*m35Sck>1} z%%h|q6z@gzmFx|^^KD(nCU;3}G3~T-8G`-`-uZ(_AJy=q(>p}gu{ZbWHwX_BHjpPL z$h)sFf=&*(?BP=;cT%4^JgU5&RZd}@CN4N156kU1QkZ4z=Ggkw4gXjk1exl7ez|#I zzqE(}R1nSXbY;7r>T%b(@V#xtgzJ(oMx1x%gx^d>%+IcK~XC1mHfVu{f zEcM;eMkn2>);`~RUz%XV_;vqb%es3v-L+@3oWsr6Dbvx^8Rfki&$WotR`5eGxMkkb zkw-@WV(X&MdD-IIbEP&e51{WZjaq_imGB_A2nQg$ux}yzM3~okWp{+KvDVL+rZr@{ zZp{O6Y^B^~xYybJEaa{I(BQ=YSOr=W&K-1WP&@A>2_8s+i)ph&qp=nl^|+tpbXuU> zu|QiY#8rCDL@~8+&S&e5^*2}s2qL zdJSn7=iLxXbk=I@%I0=}Vv+w`jpYgS&plJ;MGu@x$_R(afJxC5&3(j_PS13Q&xiNy zKkq}I(}$qk-ebM80*H40_#p6se1q2%(!Hb=n0nSzIp01|#ue)|i(yZGLz1)h4)zBQ z`@dS*l5;r*NP>yV=om%qD2@am#$rpZc+b{qb=?x9@@w_tg$-@V+WKCz zcVzW5h*L?$Rkt~7?-)D+8j`4*@P&GvdQ~4NPov_aw8rpwd%%=O`CWx^%=@Q5<^QZG_MW4?DcCwJ5D9y7H>n>kLAC$%bO86&P8QLn39hbs3cCF(+tgN5bx2hZ;Cnr(nZK0J~pMQ%}GZ z#oVbWR4wI`<;O3b__F}q!UG~#@?Im3XVF17>nm_7iDlRqyJF2aewwoefl1xF^#Vrj zl`b~DXiD9;zVVy0Y(9Hm^6rJ(#+!8ywQ}e6iAZ&GEN?|W`lFaJx2)B=q3c!B4S$#B zLtm1Nl@}wL4@z#UI6|sNvfvm6om@?l@+259APG;OC`a44*-dA<{n^P~`_`AquFgNL 
zx|+lrYA|pWlJpvC$oxfGoIMfbsqRJl=*FZgUrX%bd;d;P$3pj9sC{lG|!lBw-Up; z>~!rtx-R7rcjgIQ#e1SMSWo7vGVN}y$4;lHH@@`A2vE#!x^Zf1MRS?9*t+U{|5EM4 z0Y8aEMjjc3Qg?n}}Ou2vfkrpCba=aGTXx6j`Xjt&{kq+8=DH`|y{ER|Ga z!jIvSlbFl*!#{NyhujsX&FdQo4E7Lcqjd=|`#>^lwS6xtd|??VT%$is40h-%{xp7G zL*sEJ&nFYShSk?Cp;I1yve~u${k#Q6k$Qb{HRXoSif!~6Pj(7Fa8ci*em_M^b{Lea z458jh7ykM6Q20pR=@KMMPBJ+u&yt;WAgSAYw&TXzr4iBwW&jtOSnLmk-5bF-jM?YTMf>5N6+?scOSY7m?D=u*5wZ zQzsa;SnNU8i4*7gI^NJ7C?aI7Ukb^3|9d1daHk?41QF4 zaib6U|K>$_&wt(+%|{>Rv;gj}llpGt#-x33Y*~+b@G?wd(>CLCTO^AwoqS)J8>n!6 z%6TWe&=+0}*s9M?NGhF!e`(LM5riLgbw%QF{8+;P69K_FoKSy)YjU6KlyZ`4J~Oq| zOWbu{o1p@i@puQxnv8P1Teg1pVr^YM$2Kvl3-C8QN$)lBp?&{|bDHBBq-cM5^PqK*VmH&+o@sc%VvPWvJ)p5e>NRVSH;KN8 zm3@Vzw^tk3Iq`54i5?RdDIN)lUjI8Y;UJO92Q7|vI%rHi(%^D18-dwztBC|L#Go2V;?laAI ze29`(v`o>R*y*k|fnU1v|(sm(Qe zt(ZRD1)|V3s^=w=(-YO3s-;mV>rGM<+q*8~2T_E!He;SyUyqEVX@d7}4BTjBX@Kzf z%^J2v;Tkp|)zR-qOr-GmVCls0Qax$8ZZmPE8m?XFZE;eHOjcjbHQ>l zi@h)y*=s>?qy{DyVgYbDVmEV;F_AdrRrNIjr{-KImF$<7AgB)ax!h*9LeC1i?8V%9Ek6tp2; zkiRR~3q$lxZlH))Sa%FXFZgOcfEZX~EWL*U2(7K-!9V?)q$+2cUAf=`2Nw85LNTco zNynqA_xs~VWK;OBQ1-cv&j}+!LQia)j=$~&L1O*W%+2h6A2C1N$uhC#YEG?u$xz^J)7q z1&3K_=HzOKiT(Eukfvq;b2!ex9FDf`RW*xeN2X|OOxh1m_;~eUm~lgu0kbtFu8`hl zpSthcUF?6atH~MQ>H8=f+><9E)=8&d3)hdnRHoK)!1 zy_H9o_%9$$**rQQHeVq>XRJF<=)a1SEkGO_SzQF> z_S0<*C@-(Ep^)g#43N>eYic|>V|^!NjU(Q{Mf;uhq-Dch(q>8Nj$ln$)XRavlb@G2 zR)%cS)d9{25Rq?Vuc$uh$v_zvWem((d<@>sXOD{CgOK4szc$T)>fT}+R|kkNmz8pT zRmb4Z5pA{_K@8}%Q}|yKKdQTpxmW*Wg?q>6@V z87mnjvn1)!C!Hl+G@UEqdE+^x-sr*ZhUR!KV-M~XlX4CWhHM4yKEJ9<{DsedW^&sL#~nu#^hb8bWDU|nu$~Q>lKywP zSfh;h*iuuFO^vy$dZ|jWShB8z`uMxmYvAWCwM{l#V6OOxL)V+^nEs(FBbNCY9bf{v zmYYJO#J0U>`NXyh83J_g=|~5D)yeMsmR`6XUn|-1QPUW>8jxo}2<*JD01o+gdX?d!k`y-<7gdBEg*0Z%J_=}{W_UmOoa@7V zyc0#gBPu_2lNd?qm-G4;YY-$RtTfis-duNUvufJ6Wj-0J84yX zs8#5br~0?{oREFP6I&rX6y?}aD}!wijuJMkJXFxt3iWIvpNOYtybU zUy%3{v5vdCq@wy8U+gzp^CTK?0(rv)MOQi=cSlsUGX@BwcsSqKtSkf0U)h!~A#-?~ zn7;PI-Bq%@h>FqW_9|L{7LYH6Q0{SRp3HETK`I$ z5p+{rPj)o*r{Ob>+dry_go_Xa#eX!qFMGRER?OvmS8NF>zhj-VsnB|n=^JV6jE7uH 
z<|vIB5ZV=Qh)l=}>is+lE-P!2Cfna&4_F?i?P(~U+vn8Reh#%;D^BPZ{isXpq2};& zdrMADhEHF*NoI?JO6@z^)V2s$qJ{XOFR&ie38}y=?y=IvyB5cTn+85G=fAScizaxK z@5rW87F;xwvrPjeScr3e|Ze|ZY6HK*gfH1^k}JIgNH=|^tfB?EKo zOWb7`fjs#3e(RtK7WQBYVf|Y0u1^Qzka?xC$M_Sg)jaa&7OG}HT4H2T-%7nd1-URM zadLFWkF&p@twN#_{=lA#Wh%P}a4sv2nk-~h8qNCb!)W;C$dEMeW4fND^K)0e!p!Gs zQ1*TR?}0aw(Fxf-WfhdsO@Vc5@N9$22Xg;DB)(6+tK-H#n_p>cUOct72_`?D+CWS< z6NM_8fuJ^5{CFm-o@+p!@9!zGt%Zk4M$TWdNIxNI4l3zSh$l&oU3+k-M?yy!7o!sm0i*exbWahzqflBXS%HDax2DP1cOzt}r&tzyk2-dYu1bB`k^ z`)tyRNp;zASuxC1>Tw|px4jC9 z(raw~s648kcE9O-w_S%h-|J@MxwH;F8)$!UIsz9Sxr76HPD0?I+dP6W?O}sM@sfW` zQ1-LxnanW`|7~x8G;}E0>^Xh3N~(Ev;Iqle zIKbdYIxKUKOx>Mqe<+mlF-w(A!IN^GOq%<+`t;gD;wIeZpLMO^>wKB6*cv6F5DqLC zkgQe1;h05^Xu}nCC*B0Z(4cqo<2D2C@21GYu&j(_PWGgUzD@0|%GV3i0dyoW*2Wxo zBkd<@Y4OkTXDh;QH%iabadPVz?&L~Rq>j(gCvN3igaS$CUL6CUJ9({l^VIsH(^3}~ zOB^(c_C@^wQ%jB44`m%Y{1e@f0THHdkCx7D&oD^SY>Pun~U) zA#cO_ez0I-UXh(G#D`3?$ycgM4jFewt(~okDfD;aHAbogla_MSgfG+HjeaPDh=OBy zvJ_2kpc3LU91EIv&X(6Uj^li9Hy>4qOR?B}%vs1@#Z9kLs(iMOd|uBk6FVc<1eX(@ ztmeKP=G~ZfqzLPznbor_Me}@Z^__@FkyQ)22{_rBt1;4OxeD4+I4C_ zl`djGbC(!uI#pN5S|xIFl`4DObBbtfI=Z$b!^xtvacOHo$SPJ$tZv`mUr$KAS&Pz^ zgn``qK%{63yCs^4_qobdsRKrLtviw@)PHW1mI|l$MP|8^+cIGPy;!_t2^ym-DeR~| zbV}NDDn^pOi!#|P(zmrH0qRv=0a^fl)nT7xSTwH*V zA1a9EyKN{yQ?Owq#gi}T^0KlAGuwC}n8cvTi!+mxUU3W+h^cIqEBr`(7CrYGipfDW zw?@nJ!sT)8JrX@Y{bhKw7NG_1W#XA^p{w(Q$=C0*-X_f4jrR1I8??5*olQ_1MH*SH zxyKm9tsN!^E(m1CE>t1WJ%$i4gd)BZ!Wsi+Jy!z6_PS{!s5%MER1`a5KpyGpl9xuN z54c3We?^yPI27qiad~gmg*>_lwA?8?+&=G23XGg( zU9^wg94a-M0g!VLt3uO@)%Xf*ZInk0HV}4x@8jNiRfF^E{6uGIN?KW)=qSX@(qQXi zbPUVqrvzC~M6$|mllW;lJPnJkM@N+9A4_3?Zyh0usQCEA&|}3np)VC1`wQ^_*f3m8 zIZa=ha=QL|#P`RZ<5!p^gi|9h7~g6xR*T)mq}-yj?x7pA|CadWV&mgKQ$ZnPD`?lg z@v)S0szeKIosao_c80KFh@IfRlUdNpt;NXK5h4=W(FX<6DWpY^?Hicj9&c^8rhKnJZG)FX$OtK5WoVO#);MKe>%b?U5BypeE1 zfpR33n5_WrU%kauEI5chPqb4~DTd&VNi548EMUvKB-DFuCE@D=&ru|p8i~yO&e0pJ z;0FqiZXS;R%2h3@hyvwroGDX{9FMoubH~pi=2Das+F|_eHBa)n~vJAJpepcomq(QCEtPkvVhg*Hdo}OQ(MEdK 
zVEg^1)7qH#a!f{9*3ES(Gy7*PteZfSh32?UXUg3p4Kl=gRn@@qYwq^LD$48qTW6f? zj*W$74jX3pIgl7{kEUnKYJi6|nDNN#aF4S1AGu0SAj)wvS6>a`Jr4Wy7YW|=( zF=BBSrqe$;c7V^*(TbKYY9U-*`I^iz`x2m`ao`}UTxwF^86EKUlvaA^XiJ|0FY+5_ zs-)Q+|4U=Ygc71gb0!yBVU3SvG@cdhP4L>fwfD=BuA&NzCf&S(KGBNYX>Y`~YIntBrvR z(SGC8+PBTptb;_?3UHg*=z_o@8v_d$U7W*T-h#R;v!Kw8*l-ifT=qLnnez1U*7H>EIn`Qv+3Nc^PpTZgI2x$2CW*G=QcA~QAf7nTFKy}f@= zRxd1|H}7*t$M{9anpkh%uMrnKW8NU1(pT`sJFL9%I!7TjA7=k>cXTmu+nwEEL`Q0}J8B60!tGP;G$VSF4R}9rDYz+< zBq#4Yg|?F?tl)jOPsa9CR@REmc{#~I>V=D}vmuUgev-WUWmOOxHH7vIR)2hvv|hGY?f;2yZ)%`S_>Ccr9CkNTthFUq4uW#CKeZJ7^l=R zH=nZe^$XTwCWAOd;;Hw2u%b)xyU$RP{Tbckcp>HzAX?U0an5q*?6jVjYa(i*_35p8 z-Rdn=XC6-E7i;yXHAb>Q;oeTkoy-~lH}riv|bFHaYCAW%(G$El&9%C6N$ z6){tTCD`)@7fhl0%ils*Jws3DkKC26%fib`y>kF#7O`|>R^Z7${w zhE=QC7pVWoD%m;&Xw5N)?i{zK*{&MABf5t`5t?JtPQ^u@Fhr)ok$u^ehYV+7A+kPy za&N7Y-`U&VnDoj^O-E2<&M;N_5^Y#eA`*DT2CRai@E;H_Ytmqq@7?%`Cav^`~Vn2yx51-=)7uT>?`9^4*6EcNgd`w&wV+ez?-}P4=P?7^E z+3QAWqwHd|V+#2Zx@|CoT3ImmQ<=A3j05BFcJS#@l$g_j)4vCvB9TCQyg$=_-f;Sr zFVACgtVMENj@2JdVXTZVG-Y&k-hB13Z856-_rU)MYi}bdY@4Eew|GqRa$B+^jv@$L zBg4$^eRAOdp4z?yZ+dkpWH{uu&AGD!M88iMD?X|aMA?jL;@YQ29m=q$U*()#Ew_n@#(^F12rZU^p zS7LID`}sz#>RX5TFLcEYpN1r7*^l|%K^=9=0r>5J+BG`f6XSc3w~?W}>gHBOm76Y? 
zn4zI@_d%2ZLyQ?iJH`|^{p>%nvXl)(5nn+JP*D8~d_?=NG-LT;jA%vn{^V>EYB68U zs2GsQRzreLk%(d3X)7Ct&0Mf#>lAS$j+NhL1O<-0$5Lt@H%z zgbMqd(s0fTFiDhyuG!3m#?VN+a?Cpl?fG0;VQ4^fA;mx+-~ZIVBgcIrn>*)r+08%@ zT|dMMyJ&&b`coX{=!0Er`l$SWi=n**5cYLI0qv7#lJCzeHV{Xdu}^^{&{OYHCy{2z z8n|@FCBi07&*S?msI87{VH@S1Jm0i+#AM}8p3<0z`sN9kXezmpZH8`XysSt}T!-}{J@_o?Z1e4bCqV$qIrBH5z0bC+l zpzx{xQWcc8eDNFQRJ`9Pn-FPpmXIrbONB?td znJoZL(6%!q*>XwvGS}66RHzQk__~teG;`M>v-SlY-wU-bpy+{v{^c#}oaK^y^;pLl zj$uL3OS$#ugpM27N;zcw1q`%uZilF_t zKP?S04G40ivt7>N$@O3^5bCSs;o>b_`LgWwm7<`>$2l_>>5k~R2zjNpORB2FO}X_+ zhK~m$5Tkf;*{F+Q^`LDDL3SWsqP(3q`6vAaM03=_{hCYD*{{yEZAGVYgtUQp?a2eY z#_+g#SHkPtWHx`!D zU$zw?h!!E0&s7}nws{X6^sg?7X9zUhzwYWMBF~{fZHT$-196z70_@|WO9vt&F9c12~G^sEDMd_WkzQqAi+2V*2`gNHD;;7Z`9pC3tn2`cvgj7&& zIjF-3$7+bU(&hdZ*?Aqq;Ruiu|N8Dw9)A>2D^vQ~+jP3w%#~)I_cpO$K5o|MjJmy2YYr+ri{r+Py)%ofwS`Ak!cHs~ae^lT20v zxYPA<15D3AOzzxlD!LhSQrcCMUX9p%If!d}N_crpyfMqfYqNy_fcNigz^5HA@-E5+ zyuO*~4C2Y3LQfNGytf2Ey~LNIJlIb*uX0&BenmI4S>^YvOG1McM~#+^j!D(QOy^dN zhc%jh;-}5njpI(4Fp0Kxgk;KH+7yh^YA30F4tSgEqI$G3IhP^3yl`b;*E=i@&9o)nZ%|nSz1zH<-ppnkT1*|+qWPr>nG>(H2)DEvrSTQpcg8`p=x2$B zTQ7P04*@Tc;?ZANTk_|NWp_gQbrz1$`=_1Gy*OJ^n70)<4Lq3Sf{=giG6S)-h@!&+ zVC3QP98yART@?BicMB2MZlin0Z8F;}rN_;@5oAAO|G%A9oNKT~cUyttY0=U&X0?elMNVWwkZH>_5G;Fv^>NP(fujRaWS=GWWC=b6 z*9D>j!fd+4Wd>I5Lpk7z?te1ZZL!P=$M5Zkr@ufJ2SIyGN>Tbv@r z)H5$4m~*s{zFF|lrVgGH*{1*Fto8gBFdeAcby&>PA7&mG2@S~~>&e^U!RrVk*Uf)z zBV#qz?Y3y4myW9-I`)f=S+spP8B}I(?>{9AVrNZ5ywP+=wda%C_6m%g(mzkXr@rP; z>XZ8@9--d`Jndg1)V-I)1@}l;zF&Otv70J*hqf2*?m4YT8qhqI@cC|0>LOe8{Mt=i zlk$2fTQ|Ka-j>MCl$N)$HuPz^u=()mvTY6h3MbVKE7(a+QWi;t3f?~fl|Jbm6_v2~ z`pX#j`=VC}`2SafKo01l%^zMlJ!fG?@r-Gp!(x_o5~3j=#|>Hkia6Feyx2HL1|2-M z`f4_JS2Sf&YQHB(UA!gAjX*gszc_{d-i?R*?r?WIqVNPr9L0hudm<_jNFUDo7@FA` z9G}AF$OL2^cly8_PBSz;YpLj`Z1tGb&ncg?GqJ}z)S{6=)`q(Cc?Q_ckyrlKm zk|HGj*D4{99r%F@)qTx{K)tm`@JmgM$+j6-{Y2xsAUY4^pB5J!_&PJp-&3s#QnGp* z&28_58+bdtHjA;Dg;qL91FV7ND?s;Om+b&;D_c{{*IGV)Y~O9Ry53)Da+b@0eV-lK zX)upMyq4>>fb?<5`Q!&Jz)|r3NMUv1570j2&ph5a5u7@|@x9y$Gj-bY*@WbM1t!}W 
zQ{le3397VTCX>x1*i5LoN3e; z4hFg>3R<|XwASFjSssv@p~D-9=iTEZeqh6pT^|q0*>YyV{0=Oo{q3#w>XTDGo<#T- zT+u<<%achl9b$!H?bz;P)5(uv>+En96Ye~q1sD9A(l|hkB3}VB!^%WRRMMk)vo8L= z3L|)ZbbM?uKRT5s#76Q_L@vz9!Qa=UnBJZP>J8+R$vHZ2+k1A6We1vztemNqRac8P zRs#7YHpV!od;oycGewH)zw*-1&7bj!o}?m(vg!cip;WSR#A~foHBvQZS_QPhUA=@V zpa=8He@`I8^*0sS5h@ISiGuWHOm;$7Rd;;kgP4=Bw6T(h6^=Qd4rAU@qw$>?rMGH1 zsFd8+#*YMV6K+X@PKFhQ+#!(9e@aL-!hrAta$rfmgznWz##LLC&=;~iPaYF`8vzxj z_x-_7r zE>z>>LBH-kOF)QiS-`u5NO8)j?E?-lP@`xCJ)lVlunC1~BS91fT(kL^&PMdT<9XQh z?6AeHczB~OFvgb-vk<}F6R4*&jN^73TE}H@uTn-D4}kIE$D5P#Ultz$u%}JdFQ6cx z2zz_$x`q?yEXOj}9Cx#jpnM%g0lY5JLjA)WpVY8Kz9x{iL7fN(OAn}M_FSR?yGuNg%cZQdVGldv(G`th>Zo7#b_%9hDLqofIehTxTb53z zj$l~n@${qp?Amc>``T6S>f0@Dhh6u>Aw76Op0`vLHTs*OkLV6Tql@?OtFh~F`y}u5 ze89-s5v^*5tBp&=R`^6zSv%|6#*D}N@+Fo;8~EtMRo|zLS^K`1`H9VN%JaS|8{Tf8 zc8>F5uM6o_)i@#X%!`Ceg$F7qp)uE9@V#KW!7}_CuXS88?9C83iZMGgKS{|lrYlBp zAyW6xgp5NIT43XHk)6TGvo4;W=)$ZL@BM&e0cIOoD=$%9oyDrnOMa6Rn+_-5enN@VTJhuw;lZu8gz(k!&s37RUqXen=lou?>3ZbRl~T8-z>>bJm>FGy&yct) z(3FXz$@Y-Zgp+lnPi=+b%Aj>(V=|=wvO&>f*5srAo#TjEySUi|wXa|7*ZR_9MEKuqU%_O43b7#}BMC_%iRxp0Oy89U6_<}s zzT`qsS5R?_`<`NI&zXU>DfDlV7=D5xA#;;U&Jqg}yE|hOGEKM~k&tovK)|$@y^)|Ps((G-$TLc4@k=w4ERXqInUx>k{8l!0E6Q6Nk z7vD#2Z6C8anssLLn0rd@J3ZbfdzQ8+`(NFDa1O2;-A`P47CaMlx-r2VJiaj^ciOo5 zc+7QvvdQ*Pq>f<5ccFI`DMWUgP|ZO7piuP0lJzO;LfwwXa=QBc=myV7w5-srdC6v} zcdtpO^W>ugmWt1q>UNd3?!HG&bK)8wyx5x@ytYU4naAtaY*s*L8xY4{H5nwU$?-gJ zyP37_stF@U!oIH^{v3+f=PHAm z2}J&}FHd*KFVJTm$~e0oScEF2POZW7P8R(OywtZJlYG{1ct0Et%?#jYTCSFwI7&b` zWrCU8w6xx>!G57_)Oj7FI=0ds((`Odjq+Z|+7vq}-}mSn9#J29iIx+!C@@%-j#~MA ze_cKv|X#vJ2|j8 z4?LcF);*T4=F$RwykHnVDh>)XdtI8S0#As2SWhT_Jg$`SGV=pmyJ)t4u}_O%*W&qs z#lnn4(#$rwx2mc4Lm7;2LpVvaF@_%=+Yqq_)Q21nFS}B^XoY?Wl@Eu-^+_Yvag~3N z9Lb02{SsoauA@cUqb~mML~nzuFt{riG>fx%>$kAm8zrP5pRV6OZf3LWcEr&-nq`^W z_i`tPtl*tZrsDjpi`L=v$?#K+CJYO!#oBnS;KGEOOBlWOp;Q>OY- z*Sx;J6OKc6dbA?kg_?Q80ECtTp!%wAnks`~z{ zgUZdfG|-{{V$!?CWU7`@Kmr^1MQA69Uu`iwSD4K;Ou|9yk8#L&E^`IR?3c~uE_$FW 
zH5t~8B_eu3on4~>v$FW4jj&DcY;r5VkIr!|KZ60_p~xI9&i$?VbE9)Lc+;X8TyEC) z^JbV7p9wmaFM~TPXIbJOIbE@7A2>_|R}-?Hlr{1x@_c%>wA=w}J0v4SNJ;t`Wb&5L zE75k&=!ttx^<4!8%2@1apsm=v(8(D)mLZuLu=u5yWNb7yJoOc?RPp9-$K>}DC1e@k z%Ud4s6)t3Rnssant&&wXGix#M7yifvytCxTJ<2oh$uz@ zQaB}n2^qgiH3NB=#)FfB(VgKuMp1&iS(M~|;@68IH+&iYYeO7-edI3G!_uetQ>5}3;o%}74Al@P@~*nM6$bTt4Z zixjZaP}`cBC5jkxgA{I?fESizu3m$DcKu!@-AbbP!2;XW>HO}=s}(61*XTvV3f`b` z^1G$ATF3GEgSTA2toCx67n=tKEL+%>1i?PKa*{cyyNWv4qsFbfoXv9s=kZekr}q>7 zT_?^`#r@SOEuPM6_$u{=5sOo!8q9<%!}mydCpN;x$9)dL|sbkps+ zbmVQe{d*-42uaPAxg(aJ*7U)p2KnCpbkdFLwPTucJrA(C_Y0MR7=XdB*cEDV#NMoe z6d!8w=g2!z2^|;7u&UfI{}^6jxgquV*ot~FnDU0^o)zGV(Z**h#W(9McUf)@_T5N) zbc?NAeP|?ZmqfOX3Pl`sv60IVQ2K8taE(Ef2PQr$D{{w&hlMwrmqMy396Uc?o=&{> zgQWLCRfdJ7YlE2wn)QE$JZIbWmavQACxIyh^C(%qqflbwx$em(zbhSI3>x}1{l;H7G1D!=O@ zB3K%y$lhDwiK-ZTd|1joA$Rz?J|w(;`~*TfB4D$aX#m*Lo4R6ZFa@sb;$gANw$$X_ zaaVvY-TYmiq-M4nO=7ZJ=Idf+A|5y|*w+ZhJ_W=dCMAJOCv8^C8q&-Xhk^NFV}!OG z=~!%Ms-$(B2d2irYGTz3&#+5k_vaz`3|%4ihrE=~RPB9qBJ(B}2Ar=&D+3pJtXMI) zpC^tilBzy4m-6HJ;M`r#%j3;+zT)u;mJQIrT^uBt;EXJvnsoSh&EvLc*H?Dhbsbh0 zb$UE+zqZS?a^J+>zuYGkMYn@x+kSmk_muS(){hV8LbRtKnM&{TP97Fl{#89{6E-D_ z#eOU>?qZvc@mI9idqHJ@q9p?qE$1Ngt)EKIG-_6}#dM6IsH#gEW2FuIACMpuQS|!u z?$TRGnYKVKrIKg#>>$}vG=)Wf>tM(blb#4@PsgL!i+G%D&XMOV-Gi$0LdwP0Em|M% z$yc_uq4gk%;;Sv%VSfIpdvv0nzBx~y7{LIRE3}*AM(@in>Rb@h3gp`*qDiosu$@ur zxUh%G!(R-v_=X<{&8Lc?hMQzgqoB!b{;3y3teD2jy4Xgg3F`qz0yoJY?~hGx!vN_P zLhg5k2d;$BbHPJtfi;VBvUbtg3+A5)_0Ne*>SxRPjLhlX1s|h1ONSt6{>TwWDZoXE z4cCK)yMr|Pm_znBgd|dnyw6*whC$j(MY(4pcWEMiDr%sg4LAIM1|bs8&Uc`HB4|K? 
zyYhe3^6Suf{BS2_GK~a*p|jcsu1-LKo1-2NVo@PAwR4!lQocguB3f zB<892U{bIPCuiEL?#7ql2pfrQ@oSK+q5sF!S3pJKd~JiIG$Oq;(k&p}4bmx%ba(gC z9ny_-H%NC&H!j`X9pC=+|LS)R=fHtk=FW}h#?0JF(5jHnCH|U&uvxk3pP)d%)KO7F zTz*M6avVr+knSw{f2cMFl4Hr%jyL(PU7VS50)9Jw-FxuH>9{yzt;F3bNi;njd(h=Y zBh4P9+9AlZhJY}HL^D`P#N))^G{G-+9o#l?&PlV-(euJ~unI}vT(nIvGt8S%$5(cO zF7DzTZW0yM>@m=#z=B&N`k#{(Q8VFcXyPK%D0sIU_aT+Ryh$P~V4DX)1AqmyX-1N~ zDx!}`SGf^c zp}jx&(lvIX4+A$>(o|j|=d^Uc-3W+ES#x@uUz8Uv-!r=l@*qern;Re)E$DI8y!RSv z+<4F#&lpoEwHQC4u~kfXu-B?EU?~p!?c*xm$T_F2;g|{O<#_|(v*tNRh6S3#>OydD zM`T`nNM!=xH%D!bD&7o8{L{Zu9KF1uTKzn*{;3HfhudR{JZelAjw-?E`=~9)p52_T zbRj&!_HL=xHFCGNDT%r|lKzTfPeQOz?Tn+I5x)1myh(HJah%WPj`&qx74r+)HvbhJ0=N44;5^Q!@se!5jyz6ffdDz6%S(A8sW^ zsyWEohJDPT8f#h;RD_{>o0iia4W1F{^(Stvw1JKBJm8}E1a6&3}&3iuRC~2OA zdr5=XWS_jE`7mbJ2wc)(vP;4+9gL~2yu;Fz-z2ASN@7UMkTLijah3es_+f*Q9xemV zz*6p?Ywg=83zS;2{34ll4Rx=BGMpP>&X08Lart&k^dH;O2yA1)Y>QPM7XdNa>wTM5 zJU(11ReN%VQc0j?5~yD;LGV5wH%L~-tKD|;2>fQ4ww}3 zrVR8!z4!sYtc#eyTr?!b#*duBk{Sfyj&mhqGoidi;GRB$|AJr>C_^SUcEgy1l$u(^ z96|6?y6N!~&d|;-VQNi&pSL5`$>sv%eP>Ly=GanT{zSTm-5Q(fwd5IYa~crQ^#%^UQzOG+22xGV@8ZVw2C-(``kb`ymk+n13PIG;fx5yPHR;=uNFQXgX;QRU zDI}aapyBG}{|1KFC<5hMivslEINF_2q`v6J=YYk7PBw-2AsJAg`@XTYCYjMdox@oa zxz|WNz6;zI=D*y74$#UH_p=KAtmG|=f~Y-P(g5zapO)tRZW`4zrUzoZ8rmdo?e74s zLjMPmVnJ*Wm2oCel|`8#d=_kfHRVS+^Vd4LSsq{1&LSzDXILWv$GHuL)0(Ks;3ld2 z68!#!l4%q=-fCGv?|c;PzEeOh`?czE^ruyQTH$n1uJwpfUi?1&A957aSHR>*yyYp5 z5=|*I>rZW^(a@S@qcw=FsiK}L+Y(*b8bm>gqWqiK?uwZf-Kpn+&bzf@4 zm1X^l=~DG$!HX@2C35{;yLM$gs@HiE|D(_SW%%?iq-nqvEWrfM0D1r`Pd_o^$@Qr) zmtt3}HG7mM1Ka%7Y~j zCK$T!wFZ?Gj^W03i>OL;Mctf}vbc7z?YKBBMYM5UxZ)Maev{|K#bN$!qeww2TTDUw zg0+~q(1;GZs=AJnP$m8R+hx_;I3C(#&KD&B+dm1ZvI;~_nFvRMC8X*|VlGnuDk&@B zLZSVkwSL{l<_HV;QD8;|Fumf)0vqrfsM&#E1*oGS^Pyq4q-#w}Sd6?iVCZBoWxmKQ zRFw>uP*ImKmBoHSje`8kcCs{FJ%RmNeF5e1-U3ukreX7to2vckpXJHL@=Eo`HdU`s zp@j948Po1G^zrHNr?V9npZMploo2QcW~lt@1a1Z{>{u%tFw(~k^WxnI{s><%eO}T| zhw_7KMvY83o!nQfZ_Me>mqEpWrt4}dUu;oex{fG9F1h|WLTI>F*$2y3l-b(HdMA=f z;ri35`k4e 
zZJ;Oau;9shk=^wtg~Lx|*?TPs3(5@%Jp+?YEV+LAl)ie}>rIQSw>Qs~|`LzvgE@!EfDVkvQX#Lwz{6_^d>zEHi z)At&aR@mvoITd>>IYY`QT$y0`q@u}g;|v)KK__5f#kl5~Zn>jOk*FwiUofGntKUf` zeo)B7bbim%2X5B+xAZCmMMLSuP7{2v$ot$HGn})OrQ^JVscKJE$#8mF0j@}_SoT*EtW-h zT6NR?3~xoiv3b|E0q_Sm!Ad5=PDrK6Tuyk{NbA78?t?#MmZ?*a}Mt-`RoDV04`qPm3QyYVYaL3RArvve3Q zSEW=oU(5{LO++!B5anQ2j|ze=sb|)zp2sX%GX4LAcR`!fxKV|M(3w+btPGpY#tMpo zbT^w3=QPFY=`)`fxAJw9Zt^t1L;kXYj2nNA8dp%AZtLpMnbJCO)q_8Doc6p=sW@!D zv@J5;L;OZug~#o|_2@?QLnQjeE!C>&N@4w-7mT>qr#olEARzUOlNPv}s2;*^o%n)? zQeeoD9EYwal^Wpot^g+dYe-1+ND!tIIc10&U}WekL6VbEBNjmBpZd+QKq#@i3A!`4 zAbB7w-yYhm)^zB+X?+QHBFgbsVUoZU} zx);rwPZ>R6EhTcf^3Ato^`q6NDNhc|9@?JCV2e}miPj-&ehzpc?d5Bh)Cm7SJ1;Qn zR1!hoiE;h>MFdlfRZ^=J1@uSBsnkz)(MPs_(GS&@L?Apmdw_@h14n;YDhV+o#C;_S zx+rcVLAj54h!%4S$1Pn8hwZr-aWz-d-t&2j-<<+A^AO_(UnWOrc z;ULuSy%2i1U>+90#UT73nQ00525R!#E+s5P&K%myW<8#FPMEOrWrKvund>odf45+2 z(jm8E6_~n2Mo5}J&rgZF_Ryg{m%Bes?Y!B9~c_lWq{xSPQF71UDA1e-@5 zqLBmQlUp6=MTk%G`cAdC8(k)BXm9P(>P=Z2W}hQZZ{3nFlL6@HRV8rnZ6<*R5ddBMsC{xg#-=4>IB zFvH}%k0I8QS%M@V7_tQG1Cz@6p1G{so*`w9ZUnz-#1z(!tSx#$EEWzdg177LN?llR z{eS1@#sTppVl^q~fV%XdiJ zI0cDrk&mR!AHe(Hr>tbT^nf7V=5lP0)9+z5_dV4!xSZRssx2ziSEX_tS|s9YIpL|B zX{zlOE<2(YjqK?#IbxxiVV_|IC%XQtbS~JU^-8dRB@>9LLwRPAq)p5NG^k$qZi_Bf zwT_7@esKF@Jh(%S;{SKiyZwo%0x{|SC8mbIC^R}NfhNX@)Syz6XTvZ2NN*aBr|}u$r9Js zG?qUwKU&(1@J^?CczlagF~t9z_yTwQvQ?r+$gtQ;D0$QLp9-^7KrY29vAIy-VNcSV zX^D6g+M!!fOR<&&3dpv@~_Vmm1q-azdG20r~uALx^YZ-7t)TR_K!al`CC)_4pD$7K)L8+@A$73L+T-;IkZe9ura6@=L>r;!=b zTmduAS;HB-De!M4HCd1ou}X{d6iefQTK`SM51z*R?tH=-Jx#6}kiJ4pl+$BRaf$!O zk8^T##BM%`$)4eBsD!hWD8dGt(OH)We2H44!!%Rab%Hc8a~|osNB-wTIHA1B3bTQs zi4G+Fg7q$6P$nB{(_P#(QFkoe9|4woAPh@*N{+$c{i>WHXt>{ay@V!fyT#EJivb&S#URV05?l-#*b|a5YhCg-z5xxs0TgINjxqsBa-ZLj0r~KE^m)fP6PJz z{>zd1IDW=%vWm-20Cuhtx)$Gs$Fn4jWM{{m66=Jq46T_CS%XLT{f!PsO#~da#)Tc^ zL2)|{kUs_M3EI46%I4#B_+8r(!IbOp#}C2&Q6Zvq%R##u63RhXhoj-OrjS0Pxb7W% z6VW(0K?Qc(FNTfa0spvi^N|=I%oThvR~~=(T7tQ9B;FOUIx^llvP;b#AdI}#H@&IwU6KQpME;Igo%qvG(TwFvrnawhuy!DicmCyE%U} 
z)cll%vZS0-lNU;5V6J}2brrI;#qYhsN-l_?iFftnes)YI%(J0M5;NWo<~P?^slnM~ zUW6fYvBOY}+y>2iqic&eQY;EOkZf zH3UP=3|VBU;}f;uSrc^qcj zoX*fde`2iBVj3V6`47`D8dd1eeaZq@y3)EBH5qC$#<+iAw8l0u zr&A-yUk`V*m=^f;Lx}mPMwfI}aR@#90u7=^&fyyq+<($DLRJsja8v(JdNmAsxJ3JW(O)E{o|oA?0eyJp7&5-9)84@M^e@dDUsi)37#=%!83rw96i%{ zu>-9fq@LI#8#NLE46+#_mc|YJAqhso=PQokC~*+d^{C+eyV7e|IHV2izVt<4YYZtD zy%VA7`!zO>$$t<=wB6N ztx1NgmFGdN6>yUNG72;LX0{4<%AeAe{P+UFXqhbbfL98jF(qcs$pNPmz( zgJVp7jYC*)4QXdEp(`cM6FUKy_EL%=n0Nu+ATmI}8Ot^u@^1vFF$ZA+R&$eVa7=Xg zCf(2cF=GKfp#yS?;pmoz!bW!}3&Vhkqg#NFXTbWGVZi^)7FHYw0iaI>AJ7G;X5rv4 zs2)`8za%xHDS|f$lNvR)4fr>~;wXeZcmjR!1Xeq50{kpnEYdJ74L_c$N;q(?tX>iX zgf&L4gaREY-h^WCpFaKaFMvYoGxYs46Foc}4j3Sa-{>(FmLQFVs?+(DMIESZA>H{Wq7!1cV-VF1`O2v-if=&wM$fiLd=*eR;O3Fd9FDuEa`%c4Z0X4OjO$ zj5++?lNC#g@9%6OF`yPvtVZKq7ejK7GOV}=-I&{`E5)u2&1jMIqDdopy7pg$8>6E> zd&X$ZemO^K5V@7c!2tR7r0(@+aDqaddSq1ADU-*WHgldQutkw1KBXH9MxBqkTcsjr zG<#c$P##xfMzW>h?h7l!?h4ZF#OfJg!pex^IlX3Pb9N;#ZCshPi#b!H@-sWpH(3rd)k~5)Xa~h% z&x8dQEX*TPWf>SeryoaXmx7Qm|NiOa+u$AH3+QX}N+q;PWrU3|rnHf}07?{iX1rW8 zwW}AKW3i%la%rhO1YHyv6j&<`ZY~F_2Q>3H{At6ikC&M!yZdyvy!>_G{Y}9<=Lvox zuBBsZ7^C-U25@SwGoj7ueV;OeC{!=F(i(!csA=+>)hbiPj`ZO2N|CRcj0Ih`d1qp# zaThAv7Q5o3U%czr;qKqILCh@Lt>3(sk3=1wKNlDMYS11k9o#0J5f7B!e>WK8Ziz}g zu=T;0ZR@apAQ%`!Pq?%xyE@Fa@lCz}_(E9S>eIZfTp3_b(8j(v4e&@i-3ZIidzDU zxqOG7bQFZX30;i#^8964CvGadX^VIe3c^4-Yw0q{S#k|RjaD;OqOF9y{CR|AFh(^w znxMjbtRvst@p`*S%d#LOZg7LGsdNjwGxzz#aSX?ZT64z8Su$AucHDBEU)wS0xqtGA zu|qe^;?iyS)$tDdyp+>MIvz-?eQqYWV$7ODFlK@Ks8%&EhllEEm=}K;yw{)<`F`8R z-Kr)w7kW&x7LU4XErbQJhbKb49~jUln82jd@89=12F~uA32E03ELFhf#14wp`b46$ zm1W-0goLE=4sGNW3+ygf6cOJ{-Ba-`Aqnm*We$`%Fv=#&n0{SC|5&)Qo^geVfA&xS zo&PlVsazUF7Z6oAJg`>vl4NN;Uzk8K0d!WnFMMI z?$}dtx;JgcOcp)2`ro4{mrS|QbR4O|WvFZXWZEh@CVbaaRJyMbVs2*qrNE}iurx{6 zesJnCg?%9%y02g_D|j08*{Bd8oO-=v=n}l4MEUdJ1l~7nS0!0hbSO6_DW*Qx*yw|r znCKXg3SHsbHuz&7iU3Q${->oNZ7xR_^0OIkuD0q>*B>KI)XhL$@1`Gu>43?a5r4?amwTRQiljU!*ne?HnlY9&B%! 
zE+bg5F;Q{*F6P`shV_GP2$s2xsGuZlYC=!sMVm}@A1(ii= z1fmDtFR;4F39K{zPu*_bE>2L!6wOV0b{q9#gSr^`i3$BoDGPZ$%;b$V8>B_3bW3lA zmZEE7<3S^@Pve_XvhckHWDHKFy55~*!Xc$TfQ9Eph%L<**BG^De4KmL)b?}?+l5sQ zqAx8i375qk#b*8C&lqA4;L~}4`!CI5QV$UONIJvS9o-RGIBj1Y9BDe(+xG?^7)cgn zwKdC$j28M+w|i^HYLiWvM@CqU?9>a(kltl|5FDIlWw_|qk!mRcq@evC|G(#;=5<@%mp;>x5O(K$SJlcCGy@FQwAMZ z9Tu~$-Q|+Cv|4XP6mWGOrJCR7sK7zkro!VJ@`pc`*VLS3UqaFytIDkuYfWr%JQnW|V5O~7>WO3Pv$@h)9MKP3 zSYc0?y@P!4(L&T4pyE;go!Bvm@?4|*!xoIsJ!F*bL!3%TbPi#hg*bDvtW2iv&94#Y zB=q)Sn~i7Ku>rJ7mM?O4JF|-mvhf(2ZaEifY8OYhbGJv3tM+ddW+E5-fG+ z&>t@?j39*$`I6&j?HDn@kQbxKGYT_@d*P)H7`|Wl@g=V(LbrXcr6=^HRgo(nZX27c zd*s34MIw65Yh;dIhJuUyd)q1@>c((W0<8@hitZ8tpl&Z7+Gx|>INO03ZwfK26vYNo zqPo=EL*b|DR?Iq@3FSO)qq#1mbqOsLr*+s*?xGgEhk$(?)3r_k;0V)1r=K4z3KABbE64U__wrifxBfQ-?a9u1U# zv5adXrPC6VLLO##_&4dpv9DNapOu61wOkgIP;YscKmY1d{y+M9gJp~aNF(Gvo=Yo8 zl|aq(hC16|`ZjS}H-B&F;v;Fbm@iM4ZA`-eS+ui7TgZ*98h|F4b3) z;V4EyzQyGGiLQn4Ns%Bs%9l>p7-eql8GgiNVLCVj#x=72sRyX#TdS+XctWUZJN5FA zMASaW`AVA+`!2V{`@zlII;TosznZDn2d$^paqDfMz!fX&LaSEq70_+b=WKVj?QCb; zr|2UT=Z-h8L-Tq|uzh0*_>3EBM%J5X`1P04pVhpX>L1P`C!pCWa(pT`G@ld7&t~7) zd7!*96Lca0AdGEseQ`M;Mmr((V4;0+FY3x@2y0l(pu^pWacpu^XGIkU+!9pW^pUkr zJQ^NR;e12Q{{+3S%+O3waW0;zuT9@t^0)+^2Qc1cwIv0~cO70+s(6HD=^W2m=Z_&h zNQyRQ?*aPHCMplO1fQUpBV15Hv3X8(YQt)sd^s`k2;0bWsGvzvAAQ44wFhXZ2X+sX z-4+;o&YIOQsZE)nRgqs^bu-q@>&iB3YZ$~&=X5zcvnz3O;*+q@`1ekD) z^;#k5wXdviqkkmRv z1#AV$KrRE>E>ZGGHVafUJ6Qongdb23iGd6U3a$%>1HRvv7)O*wi2t(`);V2*LkNX2 zPeLhrEVe?I1z}+^o14pOEy#icUQGFa>xm@k0ZQSP*#CMH6cw7gp zW>?4tBA5)IRj=}O-W<|ZX%Wl6 zP7BY@I2;$sT5;HVCLF6da&W`D>=g?v6siAXHjH=|-?|#tsrRj^bVUTiAFj~sBt$lE zU96V%v2TxGn6{FB?tksjEp}mn^Q|e~QYa}FYhi}JF$;%2*ODXV)$edX3ovK6zF75c zb~AdXk-Si9ZTwv?QmQ!+R63QM*cAOduZp_6COXcB$h>kq zT-EG9Jn&hymQ)(CUo>v#L-YmLPDrrBS#Htayb|@(mMGAsCwvMdPZ+h=dAv?lqBKU7 z_rrq-nmprd&gxq8)3QGf7zZ(b;VIV1}M4p_5mo06E~{T*J&A z{ue~rqphRyAa@|UO1TJgz?VQ30<-a4?7&B@^vaJFF~1*=o?DqjooZrMQtR$IUluY< zH}bbAnyfs=(|i1^XuFll0f?Ta=OIqhn{%|`!bX?;;?BqejF&%h`=dKYK2vh4QtwZ7C7#;a5lxY9IRT9!{{f=tp4_i 
z*>bScI|6hj42SrSTJ|RrL_BYNtZyelES|Ygjq4bZ=sk?{R-ua=lbhU&GuA5r7U`MN z@lrf?$+dUx!9r45evhi+pS-+jKRc|X@#1Zx!(w29ess6!%hiuaoWBO?CZ}StrjG%G zPzYIDBjAt;cue=!1cm+K*gUF`gnnvh!SK;e)#wSnn{}Jq64fU0Ak6{7iT(wv$3PNP zFhPW1f-Vq6;J8@u?GWXp;oPw{Kqe_T+=y*`rZSdI_}R9W*l0qLKth2I?d7cPr3SJ) zwN-cMVS)L-!npkwM1=W9Udl|Q; ze7#X$6O2EN!j5Z>+#<{I%PF8$A}8Cj#oj%)iE%XIDS}T~!Fi~=Z)ps)PooJx^&b%v z=xSyiyw5BnxD=El)geM{$eM!yD$bVz`D8UN;RdBvOi|xzW^dz!>_7RT^dBn$dP>AW zp8%}Fj&jt^++Wb&>jG&XdZ0>fB$InO#PVTzk*Bu~bbU{`n2XHxsQi;?_ zcq_a!jK zXpJPIzf@H+;q3aKX2$i{RGG)Tx~7O_<6A2>$p>0ffldF!=}}K&hwqKQkqFj4a}hWq zZxKZZMPxaK&(7;!EJdk1y7i9``XrR^wCpY)ou6@6b3RnuIC#(mt`#}!#Wd?fLq_D5 zYCE#0EEbD5&h-RvPCgU?q{K(B#hD2LY)}e_@;~urSm+A6J0z$nH%EJ9Boh;}$&SX+{XkrM^k9jT=e-D0r z{=}H_)YGL5<>DZDHEkFxczSVTq6;fHsk$!*NRL8bX(v(DXWZZ42{|lkh*m4qERZOP zsxAo!|AKn%fzp68`+xO~quU@$yF04|gJ%5UQ*?r&R^3&}>HBV?7@2WpY~OAqg2>dR zUk40r=3dI4LweVDIF1U3d1K>M-rwOL1Y5T-#K@7;@xJ9MycgiP`u=FQh;vVk>8Ei~ zPl|xby)uYfaL%M%xYvC0#*iaD3Mm-HkfRj|7lmNZc26Kk_zf=m@)%M>qB>n}+&0gs zdVEqKmH#{EL^P8%fglB|lmDf)V|pP-!K<*i1uZ%0kds}}9j&5T5R+#>S&p;sW5`qD z5K!|qQ4#BZ=?gw*(CwY(exoQa=m5wusc*xVg zuJ!ID=tD10&Ck-FMSP;isAn8ea0sT#<|!UYa_>RwRiM}D!+DD?m$X9 zDoc63f;&U|SG?mK*<>>MOs*I^qoJ|;b_1S(nB`x-ijE?<74yb7YYje>K|)*t71Az1 zZkT3y9+qw2hy+J!WtRHm_f#VAjX;2pTEWYql&nPiQRQqQ-&NLyj6TA?A>Z*`o4kY2 z@yk;ALKOo~El9=1cFdR*YN`GvU@hQ^tk`aEoaGB>3l4PjCe_HdhY%Z z%i%Tb==i_2zt8<~PTg4A1FBZ85b-*#>{2;)MyLKr&{S#!Gifk7rdI~X=y=u_akZr?usXP#G+BgH}* z?b6TneBGmBL`A|*8K4SKiXOaDr&5_R>5ytxnV0KrPb6pB^0iU@Ry-t}LwC}#&ejuW zh6nlqZgZ;yYlg5`FzaD`u}-g}l_m-9&mHJ7aP6lYN`em`GeTUWeeYK4wk7`Clk~N zQFoFr17*Lw78SEp^A7wNpU{ z{wG&&rw{>g=!l2+9q!aG|H;)m!L$e^Fvv6N1Mr48e*62T`RABlMBAf9{1|U2P@+yF zhyX2qZ5N7NAUV zGGx=`G9J{yPO(a7{;6@?ujrF|hqc@%d*XR?KP?Bs2RCiI#BDpMU`=Y;Ct_n26==}} zi4HZA{QxpJ`^dlg;p`y1#YMU|Q`q!F8eEu+fV6W^7KX&FZjJ7+$*)~_ogqZ^va-u4 zL||GYA)TImVK>w26i;WVHPvMfUZXhRI)rYH6qOS|yT1Sf0Up7gs{mP99u zyT?K2ywit}+Z91XUkOrwU>ocsOyh4sr_A<_Ehd*cO1a03E&vR8MQ zi*effcu(??*9C32W{0hkXExtnxa1vTesiue$M&GM+l}Lnp~*o);+BTO%I1>F*5~S9 
zYAp%f+Qt{FJDlE>9jWE*7qi7CBQBS`&!BI=#%Wf^)hFKbg_9{TjctdMUIVFQM}9@W z3-Ag79C7_c@w;m#!+Ekd8(zbQ>x$OTU~|+#-Aec=^z!Lk&p_^rgof*$>OAHX9=^85 z1p?q$cGe;WmQ?e~w_fAmbeXWMA~39p7jgeIzQw>B2bjb^+34RrGwGO&M=%c7{T6*V z83IndgAm{1!>WjJb1120WGx`< zYf@)Fe=tE&NJ(UVvn7J^1@~XXDiTy@@5os$<0Qx(TinDldnVqNGj+P0xjl)~AODQI4<$A@oMwsD#U3faG$sb(zcS9Er5D?&LRMavZ0PeT5O0E~Bu z$`zYb2l!U|TudN`OINd|ZXU`47ld_hv-(ao`3MI$J6zPNk0VQ1cFo;*mM{ryQdLXw zZmb7*zuXw7H&6le)6)WqYEuJML6H>b{pH$pgYF!Y6t)jf;_VLR0+fEom+&w#>4V_1CPxwe>@{Y_ldQt zS9)+jrYA;;%sR*s@Ycl4Axt{7v_Cq3JX-QtMEcaI=No1nlXYj*ARjW{f|`n7`enav z3;GtXV!AI>BIyMoWjvGr^wI_UT6^uZ!j)?z62;Vc%CgE-#&+dZTOa|q*6NFUg@$uu zH#xS`R;^esN%;3Bea`m;G8YBD)A?F=@bZ}4#CHD_CmK&^<9s`Y1FSgT3xqb5dv1FM z@9ZGq36z!<;wWPA6K%dr>(0TsWxH{9+LW{J1~%Rd9H2lzLx|o|EXRa#`!NqL9##6M z0r=07(&np|x(UacZ`7pRA5l7~?|(FYI<;wi?TLTwAOUc})>+LL(h9}vitc-i7NRH1xA&bl#jDdi;%@JDT50GR)m#9Eqepj6fZ^Nm8k(~h340O z&}CWT?Yaq5aK>g|Y8J-7s>13IKQ)ix-&OjPNnb8N9)AD38|Jl!HW$qpd|k|7O2mOV zSBU3*Q01_x<(}>B%XQ6ffO$V9s-+5ix1(K=XJOO8+*Pl(!;iGLVv_7p$&c)H9otes zI}1!T*XB*NtKWrgxiQ2m%=$?}shO4exYKl?i1tKU2^FYmGPMM*#hw5I<kWryU#2MX z?XMpQkU^70q6gIA_V0u3a+;;{QFy;TQ74@(`>B)nYI4FmAGmS1&N_M%{DuOLQk$+y z-8yd(p5*2;ei55jk|*-ltnG`7%Ga(%AIt66RKLMjW#QOYZYw6+>b-cv34Rfx%pGL{ z87~>;Yh-LQY8tEpjm{1K5p*@PF8>8a2Ze2?_oU)g)xhHaZ=tg!N<_M2GvI~FI?*V} zu{|wva0RlLY{kS#q?O)J9cC1fsBD$bo1%SpNOebcPy7lK*IL{i)}M4;j}=5U;B@=x zr_&V?vq136rTN|}Ny4v{lVbh4N|mGQMdAdTz|-C`N2d9`wXNd99oxuhPB%w^TAj2b zJjS)H&?A}WH0vrZHlOc_*&*2Wc?8jK9n;jz(85Xe%@U327`A6BM%_lkNJHbOO5DB} zJX)bR{)3F8z@R;6PtNAgPJ$je#e3|t6TJpmwk&MIhX(asi^*)?OV+1s^oxPyoYG4G zM`*pQgp0|SLF%O2`uRR|YNq2!MHSidEf&SG^*K~8*f#O?@y)|bIqb-!k4m!#O+d5E zqY0TWM5w2pc%`*s`(ZOmVi35@n#p{8&HSUd;Cna+BMuxr`*mDg+2CVN&OsuVuVX6Z zP>IoR)%i?os1R%Xx8Dq_h5CLZyvM|NE4S@PcM)DCqLl@e_>cE3?Id(Wx+o)H-dEVr z(1CdmZuLW_vnN@x`@ywajs5ZT-HZTu<1jCUe$>rJ&3-%9>o# zvTmW{_O^R{^^!1CD%Y%g<8HT%HlqV$r)N9SK0@QF1R?y_eO$jb96O1A>tTy%?)_`o z*=aI7t*yKu|CR7*jYmh2LULA5%v+ki8=eSsQlb2_1}KvmF^5+(Dza-krNfT)Seq*X zpS!~^me!~)j7D;m53%V!XB|ANQkQgFbX$C`m$@wk4_DzQ!IEBbW+~H 
zz545)#zTJBw7|-ZNo;U4V;{HZ2XChbyf&K`-uBH$mFtZoYX0kc6mP%Uha->s(tOZ$ z3E`y91LS_NLrf(%$GV%_+Eys`tt~4rKp21$2Mr5FFWcsO^|dw zXhduesBX22y2|6R<={i$b7IENw9$2gI$)R6fx@~WbdlzpHS^-?GoJG;y)nV(S@2g9 zQjhdWHsbW?B+Ix-(m9nmlM;I>Wv{C#KRUF2dlgz*cO zlJCBvf;+Vw)FbgOt9YGO$zXj|eX^&<7dXz0Z@x)YlA* zN@o7&)HqSU_HT@Q?Jr_5b;!i~D8}YVnaVKm6!;I7|5kFG(ITV&1=~@JVyHVvO4@vZ-| zbN#g10m^!_IDV&9EBWbH++jEJLwBB9gJYnY$vwhtWzbuk1bi-LvSz7U5+xihJ?B@50vFuB60K279|LFVK`5&NxFROe&rdw+VaBp)XSOo-rYUwVajv@^Jc00Hs z2JT1=56UJN{1j60hggp80QtXFT9mIi6yLN6DMY|wc|@_kkaCaDF~*e3A=G2D-YVR! zx*7@%{<+=vlEoCI^5cqUFDKNJFbrkUB5RUlY!9m}RHrQj1}eN*ndn}@|LR6VV{85r z0PsbxwiDEBo!jWNYw%YmyunFSNHRD;KTBo0f?B=RI3BR~Uc3BuUba>?R?>U{WT|k- zlW^S#2@(A3!qXm^NGX2sfS)?`XTL2*XIAdv<5>7sW)PC0e^9O(9-u0wd@EMyuX zV5v+}JUNlA!;u_(AUn8^mIpFzwL<*CmXmyTbE02KlP>Istj#MF%r-1;z~WjbUesPZ zZDqa8h^P3j1*E`eqD;!DGhbTatg}m<&uh(|Tl$R>*QBi%@?%pPQmpmYH3R0<|dLtN{2s>M1%b z4VcSfQX{(`C^QF_D0qScNY3=pD|muG?%a^n zv*UwZZzj3&QD}&$icsbnl6^>!ThE2!Sm6c@^+)tRjj`AOP$=0A^xv4@a&MtND;Hg z+&2$f&LZ1}{P$?jzR-x>%TRdmqi>7EwG|K}Pn-*^W~vrWurb|jZ|O*~Zc11pd6y?y zQ!eLr(C4Ze(60+FUA|TGNpwT7xr7|ZB6AAR}z5HNq==WnA#&;(%76M#jZB*3=$-9mEU^Fa-nsx%U5 zh5p3T7UAwJ;e^8=H79q-`K0$XhS#-j2uWpu?|pk2iP2^P@-FfTb}nePs6RN&CC=7+ zsmQOrTY*;{3Q?bW_4W}`yYLB0{dN@j_iIVOZgEzMqpuV9Xf%>Jn6L9qu+%80|O28#Mx>uu(o`P<~FF{s?p}kyJJn{2{CUO}RKz>_=O2`hu zC8_EY@=|I(bt0Tem3NZ-9|+`T9_02Dr1ABDi}%eZdO13!bz8x7tqG*BV1L`|IDW72 z`uHNx!C2LftyA~zW>P(h=|^R6UkAq}a9#EJ{4(hHE}M5L;DD&7yENTunj905!PI5( z6^n8jeXlc{Md0IAaEOqqXbQT6UH(7OQ?l-g$B(uuf{*^A?4EdOu;~&_H_QpLSBIMW zsLI5*6PV2nZwlgghKt5j81Lr;agNn)+xE2|`8RTlGvwz@??A`s6Prek ztCD1am#v*U4TSB7$jDV>`x&`A7D5cMKgR5IU&}vl!ws}8C_33V*f){J8Z8E>B`xKO z=o77BhJ*iH$6Fz-_!JghnMe>y_1CX2nj@h8+I0|3IP`bHQ$|(192tz{W{o*Zc`Q+e zJ=8%oe)()Y&bKjy4LDg__4+O6a-tf$ivg0id>{*|DC=@x^E_Yn^gQ3KcCVIK-{+v& zAJC_n;b-t*rIR%a_eh3hj_rvupE*745xKG7DvZh8@Or~?WJ21G_YjP#OgZSM{14PJ zZsgtj@uA9bWIue(-p-K$Z{gcbeI9IDg^9V+E?pITHl{ts5OtU~dZCY!1VNaDG(iIO z-%Sh^7l@3oc4ROYwh?=efb$Y})G8w1e{vtOKb2cF{lep{SgRoVG1vDDP%JU&$#Woj zr~hk?IjCI=d1|=~Zt&UZFB?5WF%TP)&_e|#aD 
zd$#Op<#{;#mVM?dbhX2`a%OqUbx(tBb~+D&oManqpeeIpC<`}s#;WJ6cKrFWXzKn6 zrZncNl2ih&zX-_&>#y}Wh74J?^5Ei-b`}D5m#)&y)yP*1XuI&~3iEMmDFHveH#J*~ zsb`LViN0C}n!{-Ey@2eImowvV{6(OyePhO^y4y_~#jDy<7bcoE@wp`r96q%TL5v-7 ze%CpC;A)?6(#HM|C}r+TWxQQ8I|a-JM$hcd;C>v>uWh69zmfItjlN?2#(M=7fqz=h zY=egt#!A=AD`!~|?0l&2{V!>G;+DG*-XEJbdXZGITvzqicuW+9^~0+awuClBqO0ygBo9z{q~EEIy1q%wy&!?Yk6*?vO?y>hV(_@C}e_q=9qnWR!bm0^DWvy|+a zB)?O2kvx=iIAu&}wxrlH4mdE#0|VWG>xi6_4{O!|S<^0kCX#Qxtho5LHvAbARu7;G ztOkv~3nFz8%<#qCTp3@ML-5(kjUr|2acVsMadR1N*AkOoj;Hf2OFOaXUAphvR$s_3 zjLp%noh7YE!G7uO53iNE2hjcSDAYQc^csaJYu}ukEis{3Jo#X#2)AvT1_PGaV*TM{ zmQ-rCe}8ol>dolkZ&>uwJy}MS3A|I+QNN7roc{H*FC@^N9On6}clAcI9*Qe#rZ>0; z7#NhD4)t^vA>Fc3EH2QM&~8*)U`dEkZR~!}!>|W~#7p#8HJ?C2sA8mB%zs)Q6?|;z z!S(djdCN{hIaj@GORM#Mp{TbTFjUHpVf*Xq>1yvudOVBJb;X5I7m zRM7l~pU80Y8V>fT=$C>@qIkSQ^l2od*`BFvO*hzh!M^1%G_wrVXk=cqfA6wjFCx_2JG-o6s^6~B%X zQ}`-Fih3)JyH6Y~=&(98Yq1XHt|r0({f<#gQ=>xs51#4LFE-zErp&k##Zl({a@4IMrxYqDTmp33yV*)h1wN!s(Jw(WHO);w#_7a;zA)F-el7h;Hh<6ujyG$KC*jY_$_|s zqcdy%JP+G01ShW>xR`ALRpjVaBYR+K1Q!w3!h~GiC+7Fvo(v&rxm88RMmzIpPE}(@ zto5uB)I}%~U2>bqe$rL0S++ISZq|{W-umSh-+XQ#7u{J^w?v|I>nNnJY}xayXVE#<;U;@sxJp1@$9b>g z=Ha@eSd~aU z^VbeFiO0Rx<;taMWw~=|z8E2TY=pi~-W$e7st z_`Zhcec6_8ItwS!Vk=7y^a=RyPUmQZ)5isT9)7Q9x}G-D@?F!@`1dx)YBr}oP4>Wi zvR)}cO8Y9!*c~oCQD`8XZo49EWcn_@h^EGAKlOdvzp7=e2b8ukh7g8fhE+BG#FhfQ zG{|z=^u}m97yZ{msvK3!(qB*2){_Dpzl*w)bN~ zEG8eu7X!u83iAv)8ytqN6|pxw%= zN3tlx!m;ldGFSpL9n8vdHTMZ%3gc+cmO4=bf&nF9uL)Nblq*eIS~sE8Uav z?hsv99T5=@YxJPUm7{JWwHdYf#9;1X5>m;!>h`X>{Sh{(yM4~!EDY%bmw;8!#Kfg% z8frP_%bRoNeUN&kI#b!HowA(B=4w4NLF+c7ejh{@Q-Xb)j`gm9(|jkRYxyBkl==hp zUN#Av3Yj~_NF`T|#Nh?c+OpF*>i^^p*r(ZG{zZ9O4_7`}=T7T(Q~?#RMmTSSlDyYV z&jQ(ukWY-v84ZXTAc>eEH4&TH{Si?yafoBVXB;}}u$lA^8z-~%)7OvMOV`0SkEVrd zD(QkggEKS`WQ6+e4?0EbU{^2fkciHup2Vn zq6SRs5#AT-Q5<~9?GV_w{XR+4%yRhc)sM)H2*V#x@V=$sbl5z0CRO?mgRqK40x>%> zCFAyJ3sWZ)$l?D4&kGa`PmqonL&w^c%_z^v=Tf4f0Dt4(QX&YLlb80!D3*d&NQ)hk zRYZ=!qj1AQb2+~YA1cX-q)uSu{Ykcp*fRyC22hW|7R8v_tBHk8UUFCE6e$dZhjP%- 
zTfp+YJ``KL%!B1KHV3~I0<;g6^k#aJxDh~Et^)|i_9#^dsQsQ?dYW%>2N z_2e}t0_Tkt_)tQbe+N=;2C6ew(>{2htygG8;5zIVML_WK@C>f&A$^E#`%(;$3qkp> zTmevo1ilbaGX_gsHS(1quFinX77okQygQsm3ZNY5j=CGfm|PYL;Qr3}&qV={{92A3 zh@-$ZB}v(jvy24XT#i@4*xB0$ z{V%@8-b^B$q%#p0tJ5-WO(QMNHXG!wcig`zdAK$ip*+Rc{`!udMTLS^gthBAi_b- zi;ds!7q4ce;qseN4VOCTbuGl_lSnJK@9&7JXuk1ke12zF7}b+V#6yI{3w5A(Ta2g4 z6uEdLIK~kBhRQxgyeeTE!PoW<6h|;ba8t;wGwo!A^v4eY$zhmHS<9tKV_FNSdb?rp zI)}WmI4}varMeOVzsS4AJ*oz0=5obw{S&n`9;xHf-Vgy;uP9{2KqbNRm=)Jjp_!bV z9EV@!cv2@?bN}cSkG;w-_Ov-U*t8#}K8l6rV|m2rbV#COaHs=x*z9ofkauonw|EIx zI?M0yDj!DH_3S#N^WC?dpml5RxlUhbY(~}NwMSk81y$*P1Nvlhsp`QWs#Oum$ja*k zJS`G3m5%Kevl=*x?<6FP9B;`2|{BBS@7u* z_mI-M-=uSWM7#5941QWKH4i?qiN$_+Sa3VdDXCuE%eg!_Cj4VDoE5-#%L16w#)UG$ zHR?w&vM33FzE`5#^`O>B0%`OY+SWPrZ|1@^DMPMzZZ`KM>h_}yaZTkkE}uQmIU%}nHL+eWsm~W;8S8kY)lJMjo6{unZ}6LQF0s_D=K;oqFhLZ;#F08FIC7%5$3frXyQPE?xz+zYef<7atD$%r|#?d9o+6)NA!;1Ust4I5+_M!+Z8$Q`ykWxqlRje-2fm=PTX68l}hqYL;%%P1CO?` zskxwdKrtMm4kEA*>J=DVslZfrk8IsXv$lxJ27DaBHPjP*D2#}VX9POWVZWc``1IEE zsZEIx&M%yZcHcff)syYh`OsKuMkP}w!!kJAa8^6~!`;71{<9RO;sSZKOWfTdpD%9= z&P`lba@o_UEQ7-ZT1lG|b^e!+9Du7){(4B$uaVrbR%N9kHN|SE7E#U351%YJKbAit z?4U~|>&!Cw*@>ZH`N&=3?#I(alu^;4hpLI*_vb-~)&@aoY1Sm-;$MZ8LCDB2ylZQ- zyBt=*%*oHaJ8`+%2Qe@%MG&3dM3lTaTXV)t>Z$n#eR(t=PICf7J@G z?!F}P=3Hp85E2XFG99k8u&ir(_5d{=Mx?#Q*{z^CLeAzK|bvT=E z<>GF7%w?MO-nLC~TIB6E>#gbjO!hY$v3kRNz`>py+o%1|n9u55^2Oyy;A}d0CnQ{H zz)E6VbvC02w0Y30Lk;(etr@?eXN?5A!p~3NK8MuULv^7`Ly1|}xDLJt9xJhco3jQZ z%hBhS#L8(&qPDZ&6dnXb+#YZD?5lVo{cw4Ln(le`@*+`>-x{xXIUei29o%8Zj?b(W zR_o>7@r;S4B?R2Jj@;VF83>|0y~;GByzuq>?BRZUhV4-K3~A%HJvVYDC|7REOgI

)bb;Vv zSE=U-BSmtD;_TUSw)|Ypz>@qb!|)iz5G zHpSPo$S3*RDkn!GhTHxtqKnXDf!xRso{gIyPisE?dR#(TFpA>8&O2vGtHl0lUzeGR zy|qVM%lur>l^Bbv?vcfP*wgfO@{W*XL@3^a-OWY(y>teh(>_Ly)b{C3GTT#G%k(A3 z8my{8`gY3#b^H9J1+lF8i8XEp(=NDGms3yPhVvSH8VYMB!#bFlgWsq#{0KLW#!y$~ z5VvL{gG}s(&ju)V5!K<$aT4z0{v+8?3FDAz#Hu1n5pLLj6{a0U^}@!Z&23>W$dN=Y z@vIGR!g8Q8(3?)A=P&}Mal*&*tpZhHMdLoxvQh3A5;H=ddLg}gAGRgLa=|l_mAD!o zj46(8iM#9f#nSJ=BW8z3`;Z934DRQ*Zd&J16P1b=6Ih;YJ3_A0G<3;s7O~L4&*O%M za@f$|f|I+&T?$)N=wd7byF)Z+Y-imEDIp8I2}#L_v|XRXIPQwRxLVFz>0{PkqzK}F zCCTWnij$GWfZ*c1rG2Sf*i#i;8NX18TsVRwd9C5Y=?{dKcbmzdT+g{rgLw7 zKva8ieVN?69&}e-^KL1(e?Ci$@))nf_(WFyAqDi3BuuhmTwpYaa zp`uSQV+^_rqDz4{v)Eb+usd2R-ATa09q|(Q!5%N3sahnCB31s76+W+hq}BbqwYJvo zC{>7TaWV=MITrU_j! zTGa#JXZSv$tHkmLIO&{M!=Dv`dyevREeL3Ot@So1O(#NCW3E`%Q3dMMo2XLDsKbKG z2JaS)xE)yEo+xR~Y)-#~jSyv>kLsM9*w=GCHJcKDa=Sg-&)43L5q~ypcm4II5ELg^ zgwut?Eq?onKm;+BsGySwRdP{CSYT2LL`jlsj|J_VDcp$^ct}@ghM}cVQwXJ%TKi?L zwC?w{6QH3S-ZZyg;s?YQw>p$tQ|r;Cg=A2??rA}E7m-s|_2uQ&MHNdTQ~l4pT$iYi z9F|42CI4BOXs=0`-1qSfML$xkl>xK%E@#D`8UYP!+_&dZR8~yAw}y00*dkaci~8h- zA+>BCF#|TgT=Ext{psl!M}9t`C*su(gNUQoX=F}kRWP@mbXVT$C=|}Tp6;sIsr+}M3oaw_C-!~5^9)uFV5PY@!2S>haU4iVAUuV zaaS7g_*jzltF|E4@#akShZFm3R8Wa>*mu&KDCCN|s0xEN*ePjlqR z+o1`7y?q~TPy(q|UaFXNq#-V z>*>hV>!ECm9ruq}%k#48p4w-1jHV@ooGyA=APV4K^@;a_Aay349CK$S$u)c)Q4aBr zojkHQNjXbg^c9DW`aX_;21a+)$EHq?V$1Jf1_X9SB3_fLSph`$@ki!CQk@;u;l*6= zxQ!?YA{|=L#&OttKgjtDp5bOv3IN@2Y~Oqi)$K8$LTO0qOI#JL40@8Vtc-vD{7_it zT0b)ftYSE4E{|^E?3J02Zfd%IZNW5b3iod1?KU?`u95t@&;(o~s-Vw+4a#`1m99ZL z9^defs$1jdv#BhcV~N>s2KBr(?AUad`@ww9^P2+YU_VP<=zo-n9996YbRKCheTsYLbW8*?wXrrGob2bYAy!PY{1 z{H2m_%g|!|G3BC?vHiGa9J{7vm#?iH0&cE@BIzxn^JzzPxToIgkwYUZjUAgvVyVry zKRcNCZ;wZj*gqO!VZqj{uft1-S`b9dJ)WPdWeHtkx+UQ(Y4kT#?HjXE6^)wzcMuyI zac(BLLAC_keWa;kwM50_w=9zWSPF3xK9b;0+-8`G09=w%Lgt7Gl)p}AjH7IViATp2 zj8cXjhVGGo<}t-J ze3~IIEC-HG{j=x%t<-SOjiw8OvYq=XuHQ2cEv@V|14F9P>lr2vmPMQ-|EKVrgyY#p zCt%bb)je?%AOb;3qr2723)6TMycEm82g4%Xows`<% zwa^1J@PIAwn#Tw>^1B~fpe3<69f3Sd6otL$=6$3&V+4>R1+w##xcO9)L)*B+<*bw} 
z6aWEXd@Klxf0&(J1;W^+?fWzsv$Ge$QRyJU$LNS3cxAVK8*85ATD zkZ~r)QeO+da|w%L{rdcGrJ*XnOkCQ`X22^AEedDXK@=b`P>$oFP|t}E;9T`-h2ICY z;_|S|*eLEI7WC_@cF9iLe*aFp+bAGW{lev8+SMVT9@l@_8M5KH4?_(VB3Sm${2SoN ze3&?n!Ex2(eHgrGl`AY}t8pFoqX*A7b`A*WzI><*K2*VL(pDK2I zkY+u)b>vhE&UU&-%bL`kk=%Ht90)35uB>-EmaBaIwkAUSO!BUWFSbhw-j^#OrGfrX z4sIwGO${I#PDLk`hv6)7KbqJ7f9OVXS^t=vy5axm#)1k-QGPC$)`-3iJxS?W$Esg! z!puo2D4eS0LnF6YfoQL6r7=)!IZg+BHI(6rJv%FnGSX{r;~LN9yAR$2eeQcj6;0Q= zm3IGg%a)qZlwthNp#`Aqs0V^kp~5bLR8yY(NT|QuP(!-xLKrw?1$Ojk+(MKz{FVct z7#ll87U}!OTd$G3K{Uw3q0K@vkE>JAkB03jFL7&kH?*)-3IohIx=5VdukLPvYIJGx z|Gzi?lBxEbn)eVWAXk8CijAb{K86DRH!E0#OHCUf>{-!G;A2KhSIv8k_4PC1g+_I6 zw$9Lp-p;e}*a@RU)*0kM}^rB#Ajk4j+lR03=d;ix$@ewDW!ga zHT8N`Yq282^$HSTo91V`2Ul^Uzma7VnP(FzW^WkB#sj4V5Fs5M2Eo+^%r%p+EH(04 zFiC+ZDrnQ3WB`Q)a@E6byrtr!rG9?SzliPjLiLslz<+q$JIs&1mp>6KeK2SDc3`{e z4jCcRCP0`Nsu8aiF~2WwsDq32a`IV8uN$sCSvUUCo6`%8ed?tqf98h%$v;$~IvRFB z11dS6+jee*CLXHv{?B`&YA0k7jhkF10;X{_w1I6uQ4aCusrAYfbx~1ImV?7cq%pAz zw*NZaWE$1v!(o3FQ|wU#qIZCDbg0saU}1%{WF0~-zO8=U<0_{!YZB zt>(KB$?^ix!H9Se;q1)Pai>dlY!jlL|K*$xy_$VjUqpq5Ht}J*ffKSwLq?mfy}Mb6 ztZsF5LWr&-G%wb6A!E^L+$351_5jgtzFSG8Ti=_<_mC!&@jZjdMGBSvPOk?jG^`lc z6WUjFme)AnPp7kzs7O*~t4V$o&RGNGbPv9lG_q0!34UT!kja7nHbPCRK)r1wRZcR8Rnws~2EByBVLvI#{faiAJruxsEra0`9hM#Q5=Nvkpzz zmKEL(fp*PdhERDT6QDjE84SJR0sEf2q1JcwA0WJq(-9AvnKTN?F9buO)qh4Y1z-(i z@2L*!#FxQx{hF%z?5-VbgjHK-D5WAkd!6OIacA`zPa8Ml+kePD@1trS7XbI@v{x}Lrw&1)GGrvL5q#M z8(ly@G_t}HQ}PfP`=HQ7J?crvyd0wr0o7- zAA^RhTn&IF^pcmuh0v=1_l z8j}$vtp}?1pN6M}sibiMP>zm!TY0`Hq8wQ*!cARTlGMSByY~>rvp>i~@sg-DmN0&P ze-OvfeL%s1S=Ul@RYsU|9_EGla^NK~AYaXoKs4 zo+z*Fk=VX6!x>^LfiSkik1}?BbYs$tRWVfSYY@gDo^&Qn18of~q8cgv^lZik$<1;pJWpoD}B}%Fu1|uk=_Ss!j+DkQvjl#WEHEQgsPQ$1E;Q&pAhD+0^`SLryKo{VA>0P zNK*}-g(umKvt#0m5ywlXni35PzC+;N!8U6y;;^+a7Qm)SM!$`Vbx#V z>%Dx%NgDzg&5DGw>c3|LF1>qyeGh8v8h>J$yftK+Iz`i&&paJxM0fD$qP=}pFqMJr zxTk-6&Fv^sCmcYMAe#^)j?kM4odTe`k`8FQ(!J3sT}kd3d$%ZjAQ|{{DtYYr&axL< z6c+BdpTlzO`TWb;j@Dg%ecYxK^=Iw^F#7r|B;knv@l`_Zb*G9xnt5KWp%Wjl@9tRo 
z{0v)uEaUgqLqk`YGtQ{V)0L4e*c7S35o%t{%Gq9Ifc)c5YT>5GpTH-We zvk=MT&Z-656w^kp@LC{s*OFz13Yg9A6nOy@0(6Yc#mu@}^i%>_;!G1_zpII1^(zJz zLY{fBqX&w;gc<(lEc_MbvR@AltIx|iKc=4wV~Gu?yUAM;`_9-mUX0cPn*yoW)w6}UI;oy%BvI9 z|C3heS#I}ny`A8cotAdElmD17A`ID$$0X5;Nx;w-?+Ah!*P$;YP8enD=v1DJ=!wF= zsZdoTR?Mx_-*Xq?1t)$Ou+0N1B6-e-%@ZBRu ziC5cRd13o-GjX0pM~Ke~+7DO*6YWrLVdC;_OCoMaBn3~4HYbCa*qu&Vdg1~^=c)p+ zkkmCN^Pz%mi=jL??Yb2kH^hvDydiO>lD zbt|KxYgol@SxbpfEau5?l$&TANyot$$07W9&RMxKB(xbY+%w~lZ4|K7cL zz_sV0{7w9>HBpKkZXA+-2;FUF!6D9;QUqw$)lBY)x7;6~h}I>^m0VXtET%I@&S2sb z2W1}nWtVEG*-Y-A^t8(?I_7^a}860qOA5FoNi@*09mosOHB*b@pg#e2=8>!laT_kwsFM%(rUs-UW`+m>XqA?Mk@_3LP~iK!?TC6)Ti!HDV~(ksKY zq1^hoMg=o@%-xGnJjoh4%`Fus5CMlak4hmHXG%_E;*0|gK!b)7=E9Pq`bWteRHRCL z+sJ3%L%$Gb?5OA^wT_`Xbu3{j9Q~*^JBzCI2FlX)|E_Foe1&vyLLI6zwbtj~ zae~ToQUp<8-()vr2#NqF5Fi5(xQT>42g&36sylEmC0rX_s!^3X9X9sQ^evq)eC(WW z_!IM-V~~i9p7lwj`rzWSkbV|xYsn_R8}2u@UCXb%oO4<#w~g(1EFRX?8K?X#_0&t5 z&>+7RmM(+DS6No{2FFNc@aDnzI^)UyqsluY`DEuL>y%|3bPHcRaho}e2x&mutY;Y@ zo9wU{nb!;R;_bAY0}z1wkpH1}mybM)EI z>f{X-?U94TiM8CrX{3>7#*?_l)Lh@)QC{vId)W#`fA=j51+;6U!^z+B}6c9x^$x3o%b3)laIxf;nm&FM7 z<}(behq4%1%3skqxxkg@^=d{&91Q@4FmL$HjM z6qTS!RH$=*6g2AD?}R`Zk6gCVec2hzEBKc@xGF0vxRqB|0)kojp$bW3xk2@Kf)~W~ z3`OGcDu==Gcfh=x=_-oFgr{-|nV3CsP1VzgAm7u9 zJtF^?v*OB>c~`Q_JK>M4TQLr3Ui0V~b}cKTNLB|z+dof`^2S#x(xw)~2Gh6C#RA>I z#`I{X4Gpf2gb>_#akUfOsG<;P-hBCU_Xlc)*u{wlgPMOP!y~wB3OJwh!Bd!7H@+Ue zHRb6;>In$4lw>>=MZ0_SGE5BN5y+7iiFEQ%VWhgX@MRbmLucGfXu4Nka-^f3I}OuE z+u+*dSJuC<`0vQFWk-*;+ts8B|DkG7KC zl-RPpX>tHCduq*0P+2Yq&*DH+;OWwl@3@K3F#m(_Y#ht?XD&)>*%%19yb9 zvBd?Ect~BA+vwREb)5%CI0hlx=gmMm)zw#qCv(uISKyDLmO8QZN=Fh-AfM_r0wG=2B zv-Aq^Gmm_zyjL43_h@M-@L!VVv&zlgwbM&SJ$(7{G3t9kw<(Gz0j$-W3(#m2opdtq zb@N>Z0+CJC!f5l8LAXAo)(jS))l%VJ7b}y2M&eH*oA&X8;zIzY&KEZ%BX5bzvSks3 z?pw_S_EZ$vnKhOsLxIheNAHp5{S)!~z0CX4v1G=*8k~f8po$GIe*XQcJ>7;!;ve^3 zR~2V=Yc+rJzizS_eLRdCXID>M{zdzCGu{X!lZ?E+c6wI=?by#cvo$Oo0q|!_j6izS z2b*l2#mBbuw7$+UWYfu4Rq{bT&w1}l^)6o1XlBhY`ys# zs%(Akd~b71`Qgv^u5Ni$9-`8ku$4N)p&y8b0RBg*jZ#|5kf~FWu&q-{LqX6%4LMO* 
z)=J~4kt!E}-ntoUJbKFz%A8+L#;=T7zs4bN! zXB6-e#F-~ub448Nt(hr&`u+WXK|=%inA3FlHm9PvswIhpmf75T3Actw63cc|Sl4hm zqqy}1zP1~kCpP^&keg@vS+2HKD~~_#0fCa^q4_WhsXap5cv1>#NrOah-H240C<`QJ zWloN2qF73+$wwr?zsp1q!y^!sM@F)9-Xf1H-GZnJX6!niSH)*SL|XXV1;no%=Ersb zq!t&%mxOJk6Q{l}Q!d16?6TCx5>KtV`R{;#T=F%(Zp@j~m%Nrr-w-9`-4gh1JCbKm zU=Bm#p_Y7}6Z=3cy`1-dgu`gAdLu8d{sOi#36>1vg|Gf2qcI=nuKz9jc9y$4p^I;!8LB0@wg0&svBbQIy(m?8|9 zQQX}6#k255;&vm&sefj~9XvgJW(Mrn6BAd` zq0}?|%iQXpckHAw=(A@|ZI6V6)9r(w(TDC7x}@JEp|fc6?j#;1NogcjlYv8-QFW`MYbEcwd7N166z_@LbtY zPJG7ww=*G?%}!Kzlg_m}hw|!YQf9Su-_lmU-&wacNIqdG!?0}Z%Piu36uZ9&5N^iX zTH`51D0D_B`Ud9ESOi7Sd`OMnO>F_vWG z)Sem&L?82d@myRP07nK+DR!!qElx9Csx~pFPn*YSFbOCodfLWz*1e9vdh?9*`5=8O>}j=w@k>%HCEb+@^fD0Ei6)XGsw$bDFNX*3& z#_^bY5uhmAU4fVN>VB<$4WLf`_lU;(mSOZ{s2#kY-v4C8a&EDNtbAtHA&mNi?jQC( zINwWA8)P+c#A}8QkxZUOdB9qIim#Dj0cRwHo&ic?5Rv+4I3%PIy!d~UQ!=7uyy;mC zlP)d>lzFAwR_Y>5LYEVRzt!CjsT)!x9~5>>UY0U` zT5w$2E;D(~_S6oQ>ads_7aTZP{K4>Jk{il$FL&R_Bl0u{5sDOb!{9(4zNW-8-FV0S z>ZUBs-q(rw)GLW4#`ag8Lt`OT6$vw{O2B#IA4%T*IAaC77WclS7oDEuS^Rt4^{t;m zBA5IRdd>bkVZ^Emv_TmWAwb5h7BC=9V{?&KS^@lqo_Mg>M^aB-g43KYsSTrmxwNmV zEBdYXnYW0aw!BQ3`5GEaiuLb9Q$|#zob1}jmzRR(T0HvSp?q>=eP%82KreK?pFF8A z`R;Sf;ge+TP~>`aVv2hNp#_6aOddee^IzqA%#$Ujf0f<*``NwbuqC?Y-i{%}=H}c4Tt_fS0J=V$q~-zIyJw z9xnECVl9JhTQT&$e`PGKjjU#?k{<^S5Ozyb<)~^SGSRO1X#T%E=hiEq(~*ul!L$hz znS-q0u~IsG>x&rQc+PQA&roj_?}0H!zk7G6-uLO)!jHpw%#=R;Wu!7@yUC$O+%=L# z|EMBe#n+;M8H$-IhE?c2mGOr1El=VOlK5J3{ChTQ!IFVi;jp8<&pLy|*0@a@>l~zG z8soa$a+8;!xu@vc=?gzGqZ2#HIzCJ4QvpMO_QXlklSbQbx+-_wSusyXl{7pIh&b9BB2W(6MX%ti`3Pl7o1Iet#!p?Jo)KE%#U(Ofhvi5 zl^*AXnDf*}A-S(ff(KgJaSd``A#t;L2(g4+umBwYj{H~!;A+=av9c7jwwpn7=)y+u zC6iUD#V?A0#V zC(rdI%;)<}JzEaoGqLgRzS2gk>0E5OfsT%4tLGwkK0PFXvGDIpo>0^cJ0x<8ceD2^ z^jgR=KTvDM(oZvV(~a46GXHzkOYc88x6vtIb@K<9itn<#*TJT`5@qy;3;L*e)19Y^ zOrYsJRF~+ukwUJT62pYx6*pk~m3UkY2NNp76t`CytCIWQ=89D+J?z@l)|P@Yi;HOH zbP(SpfUQt;`3otreHX-|&x9BUPZ!!I>JRt%%^}&@W9gKa?XDk@9>psIriyM+R2@Sa zn4-U|@%nTWb=*?9cDB^mxfmyfu&+3{TK}-3gLGOT01TV7z5CC_#gE^~Eb<$Xom_*~ 
zw9zlVXIboUCG270pXD|+tQgwBkPpsCY)4`guG9*-MS0am_POD(ub$jJQ~9L4jaudm zY1uQDbL>WzUQY1b5xPDIe&ziCO0TdZ;ypSnp)fv z3(#))jAiQ5M)iqs3hbccmp|sYnSV@7U#lf`r;zWH>ewGuo03#^D7NleXH&?0iDOF_ z_*u(#M@kvtp%PS+P9f&C8B^fOjs{`P{qcQLES;1RiCpvxCxkh7?|Uq%|8op5DpKHM zAYYpcN{1;bo7O?h1%ux_n~;~Io?-u;VN@1Y6ktxGRFcX&2gjJQjXnbr>Ikw?Y`ms> zdS<(YoJ#g_CtS`yY(e*x(nw>W-oquByxB_9HQ||(f8WbmT~x(<*Xms&zrpaGe9*Og zA)6-(WR2P2`w*A*2%fDEG2-OcGigTDvY|srki$aLxTLFabj$XCJ=qtClI4p{r;`?N zv=u@oF&c% z6Fy}ye06oc@G!M{cvQreXzBl@U>7D6SB_Z&Tw;R((6m(YO`ZC{(&kp4xk6)*dN0F7 zg;H6;C{JT9%y`8L5lm4AwQmu^9f?Wf18SHSCgS~Q0J857 z%lL2hB>CS(uGsgS#>-gr0!~EqRCP4Pb;Lj5NO>MoMiwge;8J^i=hcA$o&Q{Yn#SU4 zKe_LRUUOrT3uQX-ppDtH`KjTBpyD3?I5YcTrEqDX&4cb`2 zjhMjte%0riSac_xm!4s#gyPlh;NzG9ds@C7_B4dW*A|8AqG`f9InDH0byuR!Lm7#} zaD*mhyrp~q0I_1<`1{viCm>#dQs!}e?!?zt4}T;zM+U85^g+E3+#>I>?|El#Z|*4i zQ1MaB7TGCyqz!j&!!lq`KNTCF3cYN20;<-jFj`D7l8$Ow6aOpQulcJ(D+H>kqB&Wt z?2MjY{;SgvLI~QQ7|u5{WNgUYOuM|EFP?=*GL1<5S5|hKSae*hNoagx*YDpm)*qmS zkCMWy^vJMWCGq!g+qQn*Xwt!uOV0XJET{rHY(x5~^Tw-PO*M>$CKfB- zO9LmVNWKa=BK%WW;Hy8%a4nAJ^~OI|eW-A=v32lhtB&0wauXUs*05!E@8=DuuQr5w z0T*H>_o2}Q{sgFQJ>Py>F`r{(*5r;?)(e@T=>NkF-M8+Og1*HbAEp>M)<-=PGtej{ zve6M}hLQ&drf&&#AC@7J?PlU@k^}!faVIGMt4rSu1-O)p4&Jm(ZDFoPi_`K{F+d9m zfF685xw7Wsy*RvGbD7YI9eP1)I66ey;fy%=2%W~z3BH{V4z|FDX=0%@(vgP{G>jdE z|N7D8VB$XhvRp@Mt~4=JQ3OyM5aRnrT^B>=pzzlMTnH=e&@byX03;i5zq<@rH4t8oe+OMnxruxi~iYa1a$-5 zXKAIyDH0=EWxN8Z7ar2Vu4+k&bHCh4u)C z;QTN#Q0Q0v`b=|9Vk<6w8BRei1<;;qxvaTXcRhW!c&s^-9eEkY&tI`#%0kCy-MrrYQ_tQ%)DPDqG_0oCSsITXC)BHj9(ua zYrwZzUjRA9zK8Q#SSTf-fkwL55IO`@A5&1zO!_4Vt;Hv65QAll&V%INKK&JMgtrbn zNWlBNx&&9s0=`5AXKylT!;b`d)ny{!dJbp=GE~89>V26hWcU*>{r}i|%cwenrEQcz zkl-!}5-hj}2%bO)?(PnOjfS8>gS%@21QHxJ?(QzZHtw)-cfCV$PIBJ&J@>Bj-SyqI zz908bt*P#(s=KOtre|7eF7aYCRYOG$GK~Dyr18ZBnLu}jK?Zz-a^g{V^8G^*`K?3d z;cHwdOvpHYiwRc1d$F{MjH5=dhsU8}uxxRG9q#dl3Bk!OZlC+SNkrChpW1V@dztIo z0z9U2g&W%vPs52+*u>8#Q^;+b(U`v*GMtp|iCwmlQ1Owe6D08KPLE~$`;YYjN8@M)Lm{fqj(2r@n0Mvu!U z8ogJMCz(4>!B%u)qny~k{Ng}Ym+T~U8GnjGl&8g&P&O5sC4qnK?NZ`s#Koja!qFgy 
zBJ}m}+#HEcuJvV(c&b|LkIm3{a+Kbrv_t}sF_!wbKf7)S^685MWeL=)Yi(I3a(PkI z+N?{^wS1l0)MHnc9qk%DZto~75ts~7AhZP_+uB)Jk`cFNY2By6xBU8@oXf+C?d8l{ z8Y$7;Mb!!MY-y`*oY5J9dAvP7IkHhFW>KP2-hb~Y%Di|AULC2Wt=5KjS(5bHXnqM? z=vceL6#ZBzk;erQnqESK9!V_FrW@yQCeo1hR!;uy$G20A z-w)UDj_yjkIVb}7DFdT5RM(#5_WhtB&nME0|M-r!?}k=7n5w(D!aU0Cuc?qM`k_GC z1T(_*5QXuw?~F$;;a-Qk10Qh zv$DtIiK=J$n!M>IkXDbJ#gN2?NF>F+=?xw>Hf`Mh#Kl4w@))k;_dZ*ccX9e}v!z(I zb*c&amC-sWi}(u?f!LO>MKQR?%1udOJlzY|1FpBPPaT<>dEr#xP!uG4K|asRmP{obc~}ppt39mN8mE zILKT;&KyAqQ~HA#4O)7^WsG{^-cabMm$?hcP4XX6BCz1`4dKetQ+35UOtfg0wEwBb z>P2b(D*5gdjE&bFfV3R_MzP?{>+w`g9}@aLn!qjf@A`cEv{y?6>Nb4?3b7^IB3j0N zQXj*#UQ&QHO2LPlPqBXAGM#dR+Og+DD~htbM5Oc7;$@vL;{TSf}pKQ}L1P!2`x#z(B+G8Dcb>9}vzPdzZNdUvfs+XMgPx$$|Z{@zFaBut!8X4pRNJk)#(NZKlE}PQLJ&xIVLs z(d3}j!ljEtADT0Hjz7mp=`2ZAK&rSa*t{(CeZm2~LTv7}?#x+@Qw0gO3Dl~E_b!ub zcENd00Gi{|Pcnl49&1y4)dX3!Eji}=r>Mq`a}1|(ZRH$dr#Sw2B&c*@S9*Vq%%m;% zqcIkmXg2lRV8+^v?hJ-t;#!I(@sQ^zL_He)DL2HjdS%a_zlp`gLQ@y)E74&K0VDl+ zhV|p*foXYl)K+&|2XT}{MZx|yniLm~=a8dH3+qW!xXpD=)f^4b=NBT5=6e>4pFZF##BBT9`RTpX83BeB zV0oG#|2t3ZElK}Ps3}qHtyPo=Ffjvq=YkF8Xe^adHK8&tc%eax@c2WRi5+S#YLu^0 zlqkC2-{;Fl9x*+y4*J?oYvXXXMY=XxQRUj*-QIA}i<4I_mx@;Y6aiwk*jM{j_6qN! zDs;R$hI+pgcJH6ee$qJ1>=p7|4k4J=+_PDAkFxY5bG)5Em_$tb_IgE!IXWij^LsUs zd$Y88?G&K{hPMXX->^Ik_L7k9rdr>1>uUw>I~d%vA}MeelJF!OYNXX;rAy16P)(rA*-pW(_uN`AR?)$dw>A)>bpZA6yK+x=T*_oA7jTw}An%d)T|($-i8$9>7l;5ziQ z(zV3k)WFHtr=)BTrO0Upj*OA8-NGfA;64{Odov$aFHZ&bSw-Mtm(d|gRj6)a@RL*@ zrUFl62ER75x3Ym3MUHqEXQEoQSq&KmuJbk7*~S_Q@S<-_sW;HzUa6YGQ)3GDr~?P! 
z{2x_vg0`hew zjUO3*hC(AQ`OJ*NO+^JW0!OaIJRAp3w>a)n-%n{uHRHkM%jE)9j9j)zpBC`HRX5BO zhz`qZ36>uY*0z0@I+M9unWdb67PwuvrnXXPrzh<(r68_H-*tVkwFWYv2o%tpEMx=s zzHhbrg70ZnyNCOGUa0+?7K>i0En=$~qxa9+WSdD)V9`Oj{HFjpB=%wgP@)+hFjE^5UiLZ`i z3wbWwPF`RawKznX>wzoBNt^~Sbc8>OuDG&Y@W{Jmjb}U!_jOjnk{Bnk@MdW{k{m1R zsd++i@x(E1hK2upe$V$2#Vqd66O^WI^bhS39zE>O25cRs((0K_f;*gIMH5Nu^a5Hon` zmC;O*qK&)8>gpbQx0|Gq682nL01x|z7!kQI0TR(a$hmds#ouDm(Dl%3#_$LC(GKRb zqG91lTmBsVYj=&r_-JSLwmD#Tjd@<`#P|W)IV;%jTSeH<$4lyUbmRlbOXD|)_g)2; z5w`AqyfRPC@O=Ap+t}zjk@0WyLB;s0iC_;=#D_220$X8)Aw+QSD-qMxzQXma6HRrZ zm4mk;?G#~QBqNjMrcY!(N5&dFjVbP?>oHT2FjZK03K;1&tP(f+Ghfjeq7&EInJr}m zREXeO*}Nd%;FIBG>aBIU^<1S!$kY8rAML7M&dJtSvjyjPHGSs+pF}BGkf$o1ksO^* zBD#T8bgGq(4-+8JeLdUxITt1)LQMaRb|`)xCjBj2l)qlA1if@MA-_p9=ozym+g zl&xAl<&>v#YT3U|RTMg>2{8>pJ3!B_e6;LiyKEEJhe6vQEp zqmMbCGM1`Atkj)e0e$rMG64p^;>FedPxNe2!F(fs0{KtLl8cKzzOgD)*&f25Uj;2K z!VL;wJ}vGx`|I47-+IkfM%T)KRn?cQDuTe#;QXBa+r{FQaPupc!>Up<^1JymP{>hV z2ERjC&oYvdf6pREX=X^;#*9)|124xv&H^7LN&q9yD45R^YeM1+EX)Wf-!!yX?(KnW zeh8e8S)Yt4*0XOf*t{_6n$T1}MPS4^4Fx=h)4*;(bKK1{4{scVw8-Xsu!#smW$))+ zE=FP}DQ+78ThtF+acmz8e-=Dn=}K!Cc#c{i7d;4^;%g^*l?1N;)i-ldcP#Fx5SV9T zS)^kxtS>L9koWdxjg>bO4Q486%U&TdDEgBtKhh`a`L6#?{i#3sv61zMIMX``Mn&zv zEqR}#IJ^3h4h*#9y>#3%(2{$~dWI1yz7=Y7jTU0kX13*@m>Y*bW+Dc>%3QbZQmZ>d z$NL=3QdhBIuJdHSX(o;QQze!IuO{cSRwR6hqV0IbP*$B0Alw}A3P!Z_Nz!#@Kto4v zV%qeYf+ejRA$~Q9*Az3VJfQiptdV%)4`B0JFOA379}1$NSD|kvn}M)8fA$}gdDEN9 z$P$$C))kkvD6;_@h3ltUmQUvE@72s@Z;oc98drhiNF@Yy0qx1Q{xex*Ui1ry))i+( z>9QoH2|No6g;i-RymfwXU#=Ra z<;wioSg+v|i*bi(GF_w7^F;Wvx~9PTej~!+l^o99`MpDT$T~dXXP)RGs*(*EoPhaq zK0j((R}tal$5ad=IqQ+5A64UQoqZyGL~Vlq3~etERcw;Kg1H@lHPL`vS0y!(J!S4~ zNh-9TYm}E~#p|8Wbq1uSMV!M351t5-z@~!p07`BoYx_H#+0uAD=WBfIhTnbS_nUqgi06P6G~wJ?<&|Q(AWEQ;wlJ4ur!5<^vZ>H(KW+NKPvnM`sVv~ zWMp!y$Fc_Egl~x?l#;QqykQ^F+F?^N%u|s3?F>cED!j>GnMnXI>K!U&eh2%fm<LwgaERYnL@b?XrYzzcc zPWhdmn(EBI#w5-D%5)#p=Y@}TM^X7A_D;;Ifv@wMy1#VQW6y)i@B1%F->x1)s6eA% z_-)l{Aumu3n6h)9?w#zZ9|UcgJ)-0dc{_gko>6e%V-WrCvv0LHBjtkq0taDQ?6>}6 
z*Zqqqaz-2>lP~Q8Wk#un-mCljzN4m2PaCJoJ`FXtONuoZXbm(x3lX*a+g(gKR4f5Q zxd21W%5n{X)2vl>?oAXDDG8tL$A~FzpLEWgS~oQ=&Ie7d#Li2@U!p=fqDGfY6Vxzd zzl}FP)6Yg*_0kQ&kzjH<_WvUPEZu$K)Banc=pTrumLoMUe6CaQ=B3tLZ7w?+VNFtR z?~Zm|)Y3k*`Idq)ggw&sh05CIUa%0o6UG-U0KKyVfoh-QlMDf~_x8h1c~unmOyUFwT^n6278;_>u|QU0y4Xs8Q=M zm*Nb3-MYuNh!2NyC>m)lsO{B#DkSpJvFe*;;06uzM>s)Ur^>HlU)#}J%MUfuJ?Zg4 z8M2z=T*O=eW9;htKFu*O#Kj|wM8zgT0pnc>&!<6!(t7OhXZ2k7+@F?edS~l=uB0|;>rJ7hD_Yz!Sm=$i-X=EEmm)PJ;UH#?73}+-^W5O8Jp%e@a$OA%r9@nD zF;Yy=vd032IxJJ>7V4}W9_c{nG|L~}}FM?ty^`iVp@F1#pr<=^?!=0fs zoh90^-0_kle5Yjh*!&rjJ);l&q!S7v_V&9MTeaubM_B_^j7b&d?W86UWOm2hiq4Em zpZMrv`w0wN(Mf5`)yNJ(8e?qY-f|d3i!!Egr>kgokiiymhRQtqkifp$;aA;8x0SW9 zjiYYFDuELNo)LbV{DDB@H?H$<`^Ow^B`w>NWfQ!%6UKu$1!Q3NEcRZgCSi)ZUTONJ z$igwdt(u)S2}>sK?ysCnNuE^gLOruqz;|dboQ-~i|1CI^Dh-~qC;DYi>#M?L!XDgs zO{#xc+^STeUdUA{x;3s8ka%J zEo6E#oHE;>p=To+MV8A)bv#d#w+f=B1`;998OmP1 zL;tQQr493E(d!~Ey%YY2tipYa9ubY-6Mh5!Zicp>k9IIbI7fXTEHImbZOmW$k%DaN z8jM0Dn59iwU*bt!WKen(t=~q1Uhx`;xOsoOvIad4POXSTb;8&@tf^8)-Kj8#yj`8c zHyLy6l7atJBh!yYG@*vifYoqsH<~$f@p0qi)-;n z4&6dL8~Rj>(u5o#YC?Nk#J_#Wtf&waw*-?!*6NBM}muK zB_-6&9`(FWjG{nuTgX;XpcWs@9m8()`tzE#&dTXV?$AlfpVTHBZ0g+VjEQdl(Uuxx zio0$b^es-4^C@J8rGTfPNQ=OUR%?W$wk>&~ZEv}F%n72iep}eDfT)7I)@4?&MO)Fi zyZq)mW&f&bjy;6bERc*GgbKYexU_6^SOTVDQI_4I6ri6^IavDp!s$th3;mY zePqNqI%?c{`wP%~m^u2TSiV3g;=6k5dY5ecwKFpp%6Ah1HRx5$`LrK>h8# z(W<*ZFIXWkSR3AK;mW0+d?COz**SjGWQo#@EgHj{@xJtHhn?y=l{8W86@mawW^7tOvU7HSC&)Y% z_s&~p@5>{p91M-yA0$GPu0>EAL1(j~^ob1w%$Dxe0rVfI^8s^Mj_`xteIN2!cAarm znZJfSj_1x8&xhX1cOF3{Xb6;D>eFJ;6evqgrY5R zipedqdh**!AxciW-&{htzu7F3a@RbeO#4ozI=>)M1r4{w)69ZVh)oA0^5g{!yrxH!g`Yr9#x$I6C{ z%Xvu^0k5468~*G-DcQd)I68Ek?umJ1bUE0NJwG~;Th>P-yxUPxDiHZ^{gKBo4%*0>55zyRef@QS3 z_A9n=s+o@VoF=xhvCjc*HB9eUdKPovMyyoGlQbOoUcJ{zJ1tDb5c=k{d=7^gU&@(H znL{E^{?cE2*^m1ZeOS#%pIkPZ)B(z08#>1p6UMOYY>~rwY8^)>0UKVfZK@dxCG$1CsS%qjAW6!~K%$9fT+t(&ZvNfWN>16Ii~fnn-h4 zwnyizH?Is_k(2Hp1-vD@T8PB_MtmlAW{fjz$M7=H=cNP#wy24CYiW+SYV23Zwm<}v zr!82ptts)7M1SWBobpOIaw)kMarZuc++81hVkA;MN>r9%pS^Lh_F>-QOC1I9I~>es 
zqqaM05Q>)1-}n_tF@!JEAtx}6Ybh`12f#et$T^>jR`;(jFJOxm#^VSrq=LiN8#MQM ztgQCfEJ~G8YzMsJlC!$JzWqA;`7r^C8=11KTY($(99zC-8!;GV&jC44j<$ywj>Esn@=NdP7&QEtXa*>NzI?TIx5+XEJoj z7#g%SqOi;x16RXjBZXhqk)li~bWow_lj+tArQFgrM`(3cgy$xr#3UE^@;=5*3%i-_ z%6rG_?^c_ZA(5B5S3R4&HShNk1Owo@th*YvY_e1WUq&|J^_N;l)^h`4h$?c6=U(0> zZT7FZrgE+KW+7_)^1{PTA}%(yfTTpJE>hk2aSugYa~a`xQrKDMZ$_f=sM4rS-o5Tkq{%tP%Tr7+vkxh4G`{ZJ-7xo5b-8sOBolvyZ<6eZ<#-<2pbRyW*`=sTq16eI@jvD&E}~ah%}l!^}&y z137uvm1}KRvA$dM4+KJHI&Fw#p=WL7`6q1?g6?2#nXkEA%_mit>GcNRcI!+R>do%$ zt3^vlKPK#73JHv!%^cmH>e(FIn0;Hj&$dTX1XiVXtJaSXc`WaRs^2>i9zZ;=)5e?b zM}_#0rv+Y>okLyS4C0j1I_Yv_9&hzz6ZM!cm3VpvXAB&1nNG*PhuBj-hz+g?L}6LP`K zMBKJ3@6IZXds*;dcs{VLL<1SVdT+Y6IJ>Xop#l5fvlvVc!I^4Tpw~FQ71>*T9NR7t z9nH#s6OF$V$|`i&$A}@hPN`LrBnti;S53DfPn*yFy@s4d102ovs$op2Yw!@2cJlZ6k% z@e-MfR_ITd8oL$2SMxireG7xdHFgNus-<1_-Ng#~PFe=>eM9veC1Q+J(erAmFSp^g ztE`4hIwG}mGRL_TWoq_}tS^`xZc~k<4d{dxlT8?uqzOcS2k*mqULF}Fn)8*%xA!nK z>&a>$Qrj!&i`NPt*pt|zsa~3t=&kplPHhh`3Y+}Bg_3fF*ZRp{2>40MDl*Cu5emNu zPn{1GvB)GYONPgvNW3I;(|+6yYJP$!!wLV=@mapr5NAvxR@ zKR+qvL4~O0g%+NRY*~|IkxnDcMRnU~k<5_jD14K@dp0;fv;D{&PdXP={fJHJj;N3@ z&7gOoYOeE!nT5qFh{=zT2d&R&Xul8o2RepZGIM^;zO$3NeDPAtWQ+5Z76UGS&4IFzN4OF8v^d2(yw7S9_!~Gma+4;OZAD$*QxyC~ndI z@`YCGh&T78R4u`rCin(ie>=ELe(TQ8K25))!>;=1f=t}*))VC^cMmT?YNq-ruI-tM z(6zYB75^fVX9~?Ky_ljCtvVgCv#N8S<8wcV?sW>ndGDO~TkX}R5CfCbo<$957F}{%33-JAk82yxU;mcVqS>@6SNfA4oTg$)tpmtvG& z9OeoTZM_$Q79F>mQ5E!kH8#+U)`-M)!5ud8bz=)H$ zSoh?Mj(|?j&Ctr1`o6xQ;@M1t4fh^yvB~ioMa3PPx(2PaXM+UJ1j>O->LGU!2bu|Z zKArmzbaO%dPA1Ke>Z-QT{GaLZO!=V*Z=zy&BSmrHqE*XZJn3uWN56IMEIuz4WeWN8 z-J=_pr^$7FoofP=t-9hA(_8DBT&3Yk`g9~L`7Eo!NyX)U_L}Z~ge>QMvRgO4`PPAf z@SwrvUi;yu9m9zHR!`IgsBV(PTDhXoneAMR%do@TtDptPTvOuEHxWWM_9NwW>FhW{=PPS$ zR?nu}=##u0W78d_QJ)u0o^IB;o-%yh-wQ`9ifV^5R8M-EsE2^=*MJ-dbN1~q_e=IS zBKf&i0zQrj6aDz#r^Y5*c}DRoF|D#o-~}HdW0WskgVB6Pj1Yv04E!&WV>|40XsG&e z?$SQTQyrV(RW11BoQcf8u^6lzKDDI4CH@nXGyQ@-9r)FI{vepd_o!hke=v1^ubrK2 z&ZyhDNNKX(zQl+WV6cW6+!$XHi6I`Gs5Ox?2nAp?>BBjXRq zyrlj2GJdT8B9lqo&N~S!x1)a7M#M>SgK#dH2Dn0(WGTw 
zvp9`$(ycjk2v_K6hYhG=@wtGhN7h9;b@=ZS#s_W?u?9wNsF#lF*p7W;Pnc9A&ufoFQA0R?Kz`PvtWb$PyIL2hwh+%w2*+3 z-dxpLi9nMY{!Rt_C!-cH2GsGYkd;8h|c%QyPkGkm7OTsPd&-P(*~|DhVq?nzIX?76&*G3 z)??~E--XJ@Ep6L8k90ZoaV{FubF}K4ak!3A6YOoOXqrb`wQFL2B~~Bi19|jgGyre- z%ylcJUi!YCoeAa)EqcJqSEr7wDNRQ&X|7Djz1sD9;m*$fqEASd?2h8@m6M?KDsp*K zD{4b4h7e(0*9(}eV7Z%G3po{0Yd9A~-Z7cph|M%lOK!ePj!$I^a}87ObFG2xh{wBg zhX=Z<6k9^|pM8b40+v@#$6qXX_)ArAqlwA1SzX>A3Ewn&W{{sqvoU0UYV^ zspA0->G93u0VV12%i{ri>2a;|ff#9=Q@(YLtm&J?>?Dh0qg3eY6f%o{OK-guj`yQd}%pb7D zkGSrFKJJ3ve@vWrOq}>nfggkR?^B`TMpDQ8Vq5$H>n`DAF6aZt#JR`BKv{}Vo|i-R z|G=a`hxv!1c!$zmQYjr$MUMHqw)n*WfpM2`Kq;t*`oE>*9}_1*c~qf1>_heigZ9R$ zQ1ujOH~&xx?@*LWDvm>{(J?>G7Jt{ei|m+7_`vbk_xqmzEhXoe7%)u%%EL8epD}1} znF@WI0-fX^%HY+6PY#aX4gfw0ouIa-<}gO{e85 zr5FeX^FoN0GyBJS1~G+9vIZUfo#{CSd|tc7CGjp0Ef@BWJsHCE1Tvic`>WTpgD$x} zr0ls&yT5|wlbvBZZOqZTP><0>cD1_8LDpZKk${xFKGY;y0##qcG_K2E z1&VEgm@^|TVjI_$uL9Ko8GwoN$g#0~ZeLUrFSx9Am2AIBIiFcnlOVXPca`k3NlBVj zRFf#UY;=_zvq`B7FiC>TW>?AIHz`vACRuP9bd_8N$Yhai&Pa97g3z-goWC}%f4B-9 z+62i0OiJUr<5l3oCMX`&tLti= zl>I#U*%qZoP7zOr;BwGaGQ$>SBfxwYTn@WR=G&sY1DGFz%TZU!Qd^XQxkWsgg3EDN z$y$I6z+?$7CtW3j02zSE7F#=3uFy2xsB^N zSAp4EATYq>HLe$21y*f=_5dcoalQB|unUmMkGLrC$g_#21pHJexLkFWys|}^nqO1{ z7F@2oNlW-mdcu4q$*n0jb|A|No5t4_(4F z{Hu?6|8h9m%ZF}b_3c+1!2Rkl&)z>Y%k=ACeF))KgZx*Kk2*}t5Fq2(^Iw9G{@*co zO%8Jd!8%=dub0%=T)nCf<|{m(pV5wn-aJM&*P;m5>L!8pxayX$R7aeUMq{$G(Lp;? 
zJ6A6B0*Popv$YBY!GY22tePvx!D!W7?G=w8{?%NI)0hwh?Ptr=UZA$r3qOEdK9DOv zkVx8f$Mj50ldaWc*#jAUAjb~`rx_p|00{*7L_7)s`Cz~TBmy8Shpfc{4q+7p5Ck$L ze1JT8Ajl5{<$<6ATPLQ&r+F8A}2b}kwxxM1afL}Eic`+vB#bf;C zX@0ke4|fQ#D0WuD`sCn&w$sv4S^hjDXiBl}^7N19_6iB_AW#e}4&(*=3$P5bwDuR= z#A+@&Ry!+2{pD%jW<~8UnCihG99Stkt5#Jyu*@WVN5vDZ%xW%!d|b#2%Qyg32!IxB zRZMpOYf`ZaAXh2*|19?(f~GfBN$bjw3;CVRX|!EVMh2?|(e-+#k1sM)?SZ}^p+?$L zUIym(HP6;@K^+~eJ9?h=-)s0Emh```&i~M~%-04us*yw5&gy?$8YcqoLsioLaxuu- zQ4zHNa4ByJ2=+?b?fS7RX@5FQF$e~+JV@{QsRKOu1TI83kh7zLz)YxYmw($U6r@!>q0|>JomI;N;#bnWXAlU*v1xhw^ITDNrT#esm}&Ah_89FrY4XOHR~H}?^hGj7ho?Sgcz(kLf) zr*Wk%uJ}u43HI`|ce125pS)5K2+@MxZud0}HJD`UEfBCMpxTiZ*=~0jd3ib=w!K0G zJ`fauj0r){acU17o)<|L8ZMtw%?j@9S(wg-=hzKS@$OaP^Cr*L76H zxSf`s^{BCcBBrW3D(o*wO?Fupz845&P2)q*Uo_%FWDggjE4pGQmZw{8#sOmdKwge5 zPn$QoYFw}9CscHO9R-s9l0ml+5aOtO2q+*3&Tg0W!*g(o*!t^<)bt0=0jOywdV59N ztar5|AwN*}7{ujigA<_gi6ffYe3MN!cDwrVAb{LA0u>D^0?6$(P?`1C|3c38wY2LJ zNdfXp#P9(fB2oUIkq3p$zcl<3E;XV7>qvJq{e$c*R8>2&i2I*HgS@USFi;bS_#Gw zH83FqBr4pCf0h1FaDqP;gc*$ztn>7pcHPU+YDaTIyWL+VOKk@JqelNIMChTex4#kr z{LVr|wPSh>Abqwk_TVZqyIo;_Afwy1y&~lH8pybL^-qaj;s>Q3|IBFT{bvT4#BR5> z0+6b9Y_C9pgjYK*O#_nJe9O~*AV96{E>PZo3}S}@-bT1>uju=cR_#cpAf)lh^noh| zxTG^22=j`^^0djkoOT`RjRq77Q)!f*1~(NR=Yjs7FaC3V8|3RkH%&GR#u6425N zTn9ML27|CJzEQw-NAvm&rWABI1J?r{x51#Ti*FJr-qE~2gDC?&nuQwx1Va>w%fmLiV2y5e81Z+1n5zk>VK;*MnyBZm zzk@hu;ljadwix`i6Kw)8o0^#CuYZ62;o49nVyPJ!l4P2%&{*&v5mxK!|(9fn)&M3+0&22^Fx5+6}nR;a$ zZ6_c{()hz%d z{Q$}ZKq3#I+y~G&04jU{sXl0W0BJvf@&S;~1E}NyGy#AH9zdE8nzjLu##&34r(kP&^a>ojib2^~#PZ1wB!R zB5rQj1cYEux-M?ShslnQDTO^zha*sL+1>~VpL8MJivJ|zIH7#!iTX2w_?Asn=<`Vz z;jQ=xnf(c+q$lb~1mi86giz~A7wxV1C|TJFrK~6FXaxT)n~V_bY1gY;@iDUF6G}x- z)UgQZTQ&tD;nObhTk&x+j#EliPt@@U?OQe#q0gsX>bK$(WcH_&nx3c=5zlYgG=vO~ zyWZb+50I6eQoiy;g+#30u;~a1A9gw4ig%>lUtettc^oF}-`#B9MzDCg-(Pk`2;Coz z%drU6yI=3!Y*wiq9(G|g-CypWj(Xmotl8Y}p6>3RrZwH4EUn!x=n3ARjV2IWwQX?Y|PG9mdp?QT7$Vg zWlsh5g<9`pB~ObX@jYWFwS+Zs*W=W%mxUggdlw&f~x}iuB$Pq9xm)lTXJ;RpP z?dM5BecYys)Fqhhho`f}S%cPAC}pzC8YE*;2C0%O_bJCzX+_OQIA 
zxHxl$sg^d!6i#-}SWujf$DP}kiqWBqHqU#T(V?47vY{}^%eQ5ko7%TitL~Xwd(DVu z&n|vcj-9TMd0YipLh_EuKuh*g)H7E~na30AWm|%4S-q=OjVc<}Te4f46&WfZtGY8D z24fmg^8!4X{K|u_MV9u6n=f>WGk0sC>}kz-&x_54;I#YUJ1x7zfHd~A>a#TLy@m|7 z%)zuLfeB=|h7hN$@lssXB2dYWgGOLh)ic<=aWOAG{k~5#NytEWbhH^TX2jMMHd2ug zY^w;Ua-XZ3&i)*V&|ce2!)HOXaC47+x{D|}m#jFY$6He_bp4&4h4azr9_8z}irh4Y z(Kfu%gv>}6aDh(qGd0&RR*Xhjn5KKA=AJnBX=5Qb`To54K5Ure+TjaCldmh~br;LW zV$C{9nr%R=bc?D38aipRI1$dm`Ci$e&1|x^3k3;f^{=XN^!tm`xhm(z(_(eBWJ^!1kb3rJa+Qr8B_?o;O_8=3$s`pQ-fa@4m&`SGlrBH)9kVG zD)zW;N0zRa4+@(tKyl-lst$Lvu}3cE{oe=TGc`={p2K}t*7TZ&_}$|eI>%fbK|L>_ zXUj?kM@6{$9@>(Xm+zd4IS#$A=<^XAe+(=|n^!ynllPfb>sn20ylXLIV6dH;9xU9P zwN#PPeRZQAS2m)?9`J0Pr!33H-YKoMm5Gk^CUFEK@r{S_=Cx1bYFA7%D}mNjf=;EX z?L;s83>@`D1GBLVdzO?(XpfcTX$76kL!jUW>?CfLxwIgbFO~M^dEigwb}!_VA}_IW zcvj=+q>g`R+H|fuQqK6dwnrcgurYlKsT&GrHL3lC?~)&Rtf_Q%QH8%`2alq)!Zq=l z;pr;A1ETi#u2UI>EGhrk%~iYiDoPpD`R&y^-e^v)D2}NV0bXfNTdU;Xo*#Xed-;|> zzDiSoX;zw^?VhIA${5)#>+Kfjfn4iAgndf*CnH`1J`I9C=xFotiY|>8cLnX@%(!1u zHe&pTUL@^9O2cC;+Odh3V~1`XDYlvEi-YMS@&`sT`S^}<2B;p;NI>EzLN^l_}Q;A{AB;_W*W!6=ZM85x!>gq~qN9>drt4PNqWa}j>DBIe!c z!da-ht*IV&&h#~kT$Qb*-aq$K^w9ki%c=Y6jl#{Hp}i{jyV@o`V=aB%H<{NKSYh)q z;ffxQw=VjNkiQ7@#3iDB#;|QBbhI5U=y4c~U?G`X{{VVvX{f~HfHwRVB6)*g@Tm&6 zXxQ#K?cxp6Xb4oR>JiRsRpjFIB9*ZV4zQoyI@W#Jrq)sw7AMS&_~_3^feMjf(I!>i z1gQ0I_^p(~Rz_NfvY5RU$LaMEuL=Dr1=Xvvvg;p1ZV1PIE*%(9lyGGwq6Nu2{3O(I zGPXb#$~awKMvS!oLG{{$ct_MLD*a=ofM2HeF{L@poJ!q{c44#hkr`p5y`vRM(7Mta z9;>2DtSSOC(#nF3(EDsE=obzbzH*x-2v*89VX-BOIx5|pArPR7b}-W7^EpR>1~Q>g z?P)yP%xTQ7$F%2fqGX}74*sULrEvAtp`jB~k z>eKJez$_dx@PUJ~R71Y=WYi4+y$KG}wb7UGs;Fc$S>pe=k{F5dnXK?rUtmF;_jy8M z9A-Tsu7^keKGVfv@L0Z?lkmx@kyWb2;qDh&nbhTsx+O7;1y^2NO)$u4DX7Ihpna-$ zSG<@p6k~I^?lPi-mFej_q-SDA7q*0yq2KA~ad!R5pv1d@6DO~RG8E@JaaZe)j6x`5 z7e1v3P0Lp5^s9=Wwap)`cv6DV*O4}ewbh%URn@L!9#D)o3<#eo7`dw*(h5__$m~-T zsZvRoOp%8Nz;iH->i9gj8XE{wiM6VHh`Z%SJS?XajktY>`Vvx0GAhM=ZUZ~UG}}+P zVKv?X0;D}+U(%JdU#5U#i>Y}UZ#ED-JTE}D{rfJ&k3GI*ut=PFc176yP=RFZv&93! 
z+dkX`2Id#ym9mC8(NvTwI(M0rR1VZWQLVf|P)q7~o5b|_^Y^E+{KW(ZZp{R=8#m&} z%cZuWMo%Y|nCN-QmQ%^49${{0op(s*R&5A~M0>|9ebuex2+LUt;qHu-AU?mjXs&+4 zo+cO!eFsh+^zUNU74|nKXC=M1b?-3nm?hK4#VBpg9I(G51VeBfYjBGjDJP`obVe;D8dI*^IN_&pxnbvG>N@ z7+Do&XDlNH(Ia;0amBMV9MLzceMGWjux^Vz&nS@TP>^ASdc9yiUq~0vvvTmuAZ&Y+ zxe!7ro$+QefAHI4kcF`Pu*Ub;gMaI{=R4AEHx!}p$Y7~PTX8QPG1blB12Ut9kDbEB zeEQA&lZ!3alc-pKX3DyY{up^_?@n8`tOOo%@zGIEMS`@;s1P0f@833Ung{LnzRGcZ zIK}L=J>DE5Qvaz=jg%&m0TttM{JApc_Il~q!S-?lBcYHrGLo=IQn!PDs+(LF@5uLy zsvl!%Ynt%?1(85*zp6Wxf?a$*7lm;MKLr~URn`uakxarab+9BkCCZ!+f!ElZ)k zYU`{95++Y-F$sO?YUOt;7 z1pMg2i}#Op2DXe^?z$217yLWWW9rI$#`lxxc~XfOI8HvMd6I})c9E}B2pEbWA2|{h z#d9qyOl2%%rJXP$>0lyGRcn9Vp*wB&b~@4vb zf&-!}%*g1Qbt}od`U{52xi2^TS*oHn`D6SSO$k%EKt`dO(mdl=q1Pcl3gM02$|>mU zdTSo(spCl&+#1AL!SWob+r{ui(bDzL7Yr3_5!FimPJVNSoB0e=JWjX|vef0P~9Bx0bpbRPtjfZ}1ace*V|XKVJSRK6~-mJwuKU zPnHoI-6rJmFjS5mj&>JywzX{R#*lUtL#0?pVjI(qK?)KCSGEvh6t0w#1i_FkBwMtp z{u72Wtlt47L!L1MIXUVNz;qouzme;ep?2ykL(~jqP@})HawVLjsQqILSmZe#Las{+qYw$4q1e*&!UOFvis`LeU4$R~S4eSZFqG&2jvFU_A@L&~+y;oB+f6u0z`3h}7G&!EL5{LxW z>mkalP(C3aUdsH^?Nlw{%fP{jMgHMda~;_$_?AW5Eyqx=^Ib+IQXOP>S$n9gfQz#kNFI+U(S#L$9e=&ml;t#VF{MfkN-_X|H3)f(*KCM^mLcu|2M zK9i+}8aQf)dX*2~gVVIn4y7H1>>5}C*jIbui|kj=lgW;11FnxkQRy0G`=t9k_bH;= z$WGKsxn`zIxIvzDhYmb^=<><2;|7|n>G~TSl}mSraMi;q$3G!UyZ5SBZm_W>j^9Xl zuSzm-%2Dlf7yG{SM)K}pD1o{M4=ZhOANV?{=uHyUN`i3+s~cA}y@na`!CjzOhoeh1 zmDiZ`uFM);4VEN%@3GQMg->Z^7BOYMi%4{{pRiat@wxZH#E+rvUr)Z7O$?3)6-BoR z-FtDJy3TO37&?iZA2XvaX4r@DQFZ>DrgwL7HtE%qA39)%(npf08PI z7%H<8HiJ_>hU)_rsWHY9o6P{}YYc47XXm$vOcXn8u3s0*bIl(h#dQt6oD|t!Cc^?=3!Tnk@?q(BQQ`~MM)#y(=gdCMiSW6Vv2952 z5kvV|kHV)`&zhYMsSVS21RHM=?Y{Yo7bJdu+-$c>cjvJcEBX5(moUg)G4Ri!VeCpwxZJ zj~c$lV8Td?lYG++{AS@=<|csW#|wWTcz)dP2ZHCv3f&IIKri+O9#d_duS-?hD&IYK z#~ZL{6()sG(34)jONJ`LyW~SRqX&KzcN`Ed_7ZF;%nW6Qi+WUSgP&1aCMe6Kg)}c2 zsthA0#1e5KV=mD~Pc+vq8EOoZrg{y>ltvlzpATO)Q!#LyUK|nBI*y%eWas_%3-Xv zmM$3zHXq02BxiR67tx()fAIm1pLY_@7waec*puVHkMzvO!MTb;7$Y~9BykMIosZ8e za8tXOJ>z;ak{J0Bp4YBj3MxZA=pT0MGSrZsO|zfb71&vgB=ux28R|q&V=^IOV;(^B 
zSsG~#P%artM^6Dxeij?O-jvV5A4`ftTryOWK7QV))~BH+>9k*R6qKIk+l{BoV0(;l zg!w2;0>mWhk3@dP#P=XfZ_||NFBwWx&roj6lW^IEF?(*3BbJuNf5}jXdIr&#LgLh+ ze;pf8J4uEZG4stQXR{rAuptt@aJ6*!yW^QWyGx`0o*bx;M44XBI;Eg86u>@q4+U;G zdB&;^tv6@9^i&(dONNTsFD!q&b>}Jrd&_?jDk;K0H@ zic*feWF^Y|9gcDmKR+gRls>!j*~!WWDss%e#mYPqICC<#3vG7)u6tc1h`e4h)bWnE zo@71!In8chDCs@Km{Oxl3>Cd2h9N23_1}9=4wy02@7{wH`WbXB%99mh6rPZ6SJU*4 zp?deQ@>ahW80#!MU-J@AjJ7Z7h!I1*?g3X+w_Yik6#ZhT*nJesLKlq{c(=R9iIc^T zth@}61jLYiP$_JEk)EQ*P|bThHR1_r;Y@UHufi!BkeK*!ioL_W(wIBuvi<#4MuK8Y zECzI#Q}wiY7KKq!cVc+Wd2FN*m$yR$ZB2G-xICMV_X%@}CnH#{sznbiIgt!Cx`&C> zO%P=wK`X zR0H$=P&s)GE0bnX3`M$M?wuK(A=A{x=;>H0_TN_rysGLi8b zE3{nK#&$ZV@$e%dPYNImt5X#*9_l<$D%1z0uRFeUBl-vS<%k>eq*}XCG(1+a-wMu% zWn#8zsyV|@5q!^F^8z1Z@d&!jgRnse<&!A+ag}L_%V^ z^umiDE)RZSrUKnUnIil|&o56qG8yW5QxSAo6azik({92SWh%dBDCNDoVB-SqWuE}$lplS zap=XvEd@wt7en3c=>qV#bSeR1C91s-CVKi;t*Km@z2>Owr z_|m4`tPc!nXe*Yjtn-cQ-r#?lWxK#C1sl9T9e~O2lB2+nP0gluR-l6`H;R}xL-8jG zkuN`b5#j>4v7-HZ3?;W;TE|b=g+yaF5;a~K*v${ME4&;JoK6yWMA5rM4Sc~Bz$8#% zhWgxVq=7Z2p@n>*)Pjag+gJo$En*!^v!%h>=qpz0&BN4BXE)3u>IkmjN0U0ASFCiKPlL9YF5~!Q zT+bS;O)aq!in?a5*h)Ch4Cf4;mYMU#diw3$I)hMoO1G3NhN8^}Fb0Q}bJF^NHvUBt z8z-K092*|Lt?J;<;92F861K|AaC;F@aq-8?KZPGJ7wCeYydBk|+^^utg=>Kv71k6g zv?ZUnSx>!?uRfld^YI?J17{ZSW&Jq7{KE$~rN*IJ^i6>t!pR%w4U@>h;zz~KH&{QB zqs58q9gb%0Jf2D&ByXS($K_%U3|3FNL6f1k6mW%ygX{!pCtop?f!?>1 zqe6YQ?lB@cyR%7v{K(n&yL~1{5+;z$21*pIUXfgup~~~TTfyv6`f%Et*j;@n z&1iaXtg3xwAr8mz;V?*GnbnF)K)7P4GySNZ#TJ!_v$d+>AWJU(zhWpYeH@JFHm&Kp zl9myM_=|K#Wbto6%rLc67%MX z;zvE+42cteI2fiugrjXl;bExF9CY)%0<3YNRrDv>iDzvj72!1!CO<||s1;^(wca*G zBRE?2A_R>GQ6aDcoDV8}R{61w18`kw$Lx9ESKPwCC007&8%U`9Sjgd-t(~6nUO51X zj}s-SRF!!*O0{mYQ1cm!U3;stp^9*<2PFaWBPhep^L~hogusuGyjwVzl>qZJD1V@s zJmkbh>IDX;g0Hf`S%jNje^W(x4mANnwX&Rjyn3ONM)cn=ZYn8(B6jNYo!G%l*)8hxtuvzR_v z>Xpi$^HMEB01u9=Wv|PE+~EwhmZcuMvEg5pdJJyaXWOYtRLWXdK?~qin4ltyLWe+) zl`DniJT(k}+Q_YjrB;e{FWaI`(0jQ$n^yB~cQf&;Q|PhTmwyxgcTy?))!B5GVIOXA zul8`mKJUzFcavcs8CbRX<0zC7n24X=q3CRyB>_)|OBje{ft5rjZ 
zv0zBP_SbcYv5&A9n4&*uPm>@yv9NTIBrHxu>K$R7i%b#QQ#Ot3Yai;Fffr`(?tnv7 zsIkSOyP3pn-wrLdC!!;=(SD;|J$$~qK~27wN9Am~&PNa20B!$Gp`LYEp#Gne4i-+)wx)OE zAOEGkJ1bpkY73#}iA$IFatkh?R+7`hP?>tZ)P@9w)Xl?Ch5GoUwWd@~N1zZg&*K3I z&ypzlv6jO@Y_}SLlD5x2DtKBB;tv<2epSj7%&)1JMz%$Qd3!ctYRY5o^R+@?-g(TO zOBGGS(!hTJNQDU&6LA1EBkN}|+}=3Z-Y~qpez?9vxiVrfc$1VJm)l?<{w8&~Y?XW* zvujAC{K&~zKS+{EhJw=H<4|SlxCue1i3#ZU=gi#O?QUQPEl~9B;3rz)2Y3Ijy|Z#Gu(V_Pg@`7YPq4VVzo!>FKUPKSu6J@hyl%Z$64~DYP@byh&T|Ju}G5VQ<6MlPT&8o^*RU4Sg08Hjsoy*EfuZ}c(aq2ql-Oy z`)n7)nOfhZE}@^%6+Z?c3rz2slUxdLBpGpf~l;8s?(DxQD7(hQ6>+4BOyg?@n@Jl&;UFZ%uh2 zbjTAka|x6m~!d2BjgEV39JjgusDuQ{q?zW{U~?qOl5dJWJOE`whhy)_+N9<5oo zvZ|anR-%7)?UR$dT%k%EmJh-5hGA*(AXKuVDc<$j#Ig6?=^OdAGp2mhlYFBL_^Rn$ z1Q2Gi?n~K$8btbIp6bKAQseeu}7ZesW#80%bVqb)EhDU%veLZ-4nz z6(kIP?Cv9EGf@%EqwWNof2y+Hq(xSz)D1z(L-z3`MOEU<;W; ze(M2=NLrA*N!9x$m0UB_xPG^-_aD?3c6~NQY6oIBAr=fYH1uG_p^(IJe|3CJl0b$6 z)$cTKABhB=1neVmlT&~()Qq0p11Qg>Fh$Mua2+h+$%cf)kdRC(lR|@(zU<(sTEd@+ z=SJG8&rmxW9afWUoB2bb+7=6Rz&b2l3u^3Jp~=|!HA6w^9h|7yq6*y&ki0>FUu1!$ z1}?0pNV z)xCBX^_U17-tkLk@}K{B`7iGG@ZZ_{;R)yHTE6@qG&zgB?W-j`fDinH$)k&0wVhsJ zzTT{--O!9VRqOqlmFhO{F%NOaLd>%zqey1q+}BHFrlcJp0tkk{JXRB%9`@mTk39#R!K1GIv%$^1wgd9Z9 zofQ|_Jd;S-Q^O4~AtAR?muZFT*R0gQd0$+?#uv5E0*RgNWRp77?D=P_y7oEPw1d!#<>F~m} zQkJeGrhiG6A~4Xwvrdi+Ls~{wc?NlgNjsg0HzX=8b_O#kNBx?Wr1-Sw$*#XruU+Q7 z?Y0-r-P~=-EK*iV;xAx3aDJtheqD2v6`!M<^tYYALPF!jqj(eWt!}#>PQqGsSTF5# z;?_O|nHuG@NtJ)RQI4ZK{7vV=NsXSc5>w|r(80$N1Wl%>jt(v-4$FIRQC1NRpr&7f zH9H&`Y0hMhn(;f7()S8-^(Q`80c( zO(2c}@(HG4)jOIq2~OG|!>3cyGR~$f|L&+sq@1|(5reMNXzU2{ByHnXa%f^nVdE$! 
zzjp_1;Gpr@H8$CnJDZ^V8<(fQX0dgl$xUfRuA5Cl0Rk)edET5&SK{84KD0XTTn)DR z+8FEV)>ar$cG7QfMmXP~f+rHT5hp6gd-!)0_7d_tS;^`19$YveZ==umNiC;heqyCt z^(0G@u$@iIKQS%3RV#%Jis$l%p0-CXZor;>Gc|gG3lveVyI;IV_~#SpIY;sT5$n*q z%6UCq-gGGwK=C83?I?slxTq&UNkkk8={QZXVoTSk|A9gn8zoEZU%F8_>62ll{C@zP zr!78Nfx^PE6TtL zEQFd(bLx^!U5>i{FC%jbSh6i#?^TkjFjV`WF3TzJ95VUEz*1>=ym`x;;qhiJu6z92 zrGwa+TadzaHZA|}X%%qP>YsvYoE8|M2|aD&ohR{FS*&!KTF7xW-To72Z>M@?<_sk< zGGr0=i($4_iK(C`-j%+ZvTv_2tlSt}XwXT$VcK|TIuIbBC=nAc?iQv`ndoKCXc4SY+Ylc$((~;>~ z)5H3<8)G^#@47(mYlb9f#$n-33Hvz1qiTy&3&2QRyxGsNZ(TE^6EfWxivLe>g+v@w zX~d`FG&)`BXp;;rx=5_N>Ck)4 zC~tx^H@BAB31QoXs^NRUWOk($a3t9zq`WB+fz*8%36VDy+KsrylrXnoF$;yn$D7bh zsGg}R6ml4z2wi?qsR!**dM5etn*+U9XHQLMciI%5gvyWd6os)ar^YKm?mkZSwBDRe zXa8MH6IsuUkRe++3%fCVv{0w5IIcVg<`mf)Ub! zX;or-JGBMun7|tKWJsjEiO^t^G}!4!z)o#@u)Hc77jNn_;2KS1>e{$Do5KA`p`B8- zB>lcQo1p!1C~KUO+VyPqY6MyGMZk}^po-@-?QE$_EXb!cW^Wkk(I10?J&W6||8yD` zgN}+{931!GKYjU!`0~Gh&AL`8-!Wh`_$VkGMd5R&PEzRBHMV;8MKi7W>V6t>4&5^g zl$+gqRv>ut)Zi!@|D&MuBP7RCN;A1CZ1yBqVp5ML2d>PS91nh6>F9V^ zRl+$a*2WaGF-dmJ-Y`_Te{uZ-$~jaTAwP~a35&R&BlBIDzFV5!^_Hz`6+&GkKz=@- z7pE{rY0=+&LMh-4D;4~i3d&9j=2Z;_X*pZmBRj9{Acv9sCuhm&%3|k{M95XPQ2@-CH~5M z?i*Ih`7Z&)wr{=@$+X|+bb05cUf7L9;pX_}(CdTV-<-&lABETiFRM(^dnc~T8`~Wh z5*jDwlyY<}4W$`!!%9DYiV42^aMs|@%U+ilD~r8+ql8{scIFK${rtqaqplaQZ>CCv zVy&Oa~2k(FF~ zg1ALw-+QVSBv4L#C(M_}lKJee0b0~bOm<*0)NhX>rj>-d8|TdnDj+G#OKGtHWmh11 zbODa=}hya@P8)rGd|sfQ6mC3gau zsxcTt;$p~Pj^Y~Yf|93=A)QHpmpFF}$;GpQ-u z4MV~0-O+%(e>yBqyy@uX1-lv8yIbV2X+wo-BEWO;rV(05&ekS#BKGe5QS}-SsWzzO zJTHxT%tCU6>Fu;?9II{cZWab(Bu*Q6-q|qMjT<8jmqhVk>^4A#aybfd9}`6kPQuXa zAnttJ@gz!4MC^qnUMeT29#;4CmI_ZHa#y5HBIZQHehgwx4DBf5cmsv&DuG+ElA%6m z^?57SsbED@c2JU!os|}L)inbCR;8_L_*em4N)!5qp(gYx*dJ^2R0{yyWAgrvq*h&= zB&&79N)Gyk^^KVtA?bW@_2ZVtYYxoH){3|$T)8)9^?QyshIrDVsSKs0kC|kHW=P&X zH%XJtiIW|~=6yV{+G9?$W8SA5o(Dwd_uqU_b)FnU?(VX2If!92T}Rv^3@3$Jr~X!e`I(4hMi= zu|YYpxF}(Q7I*kZOcD|o8@=9$se(3%jv*y`M|2EH*->;e;d9rICauTq4MXAV<0xGw za8r&(1LlHT)kxRHCFX%U5`oFWB%@-eu6-Q5eXjFOYwAfT%UNH0gF>QaNRW=Ac9K%x 
zLfm{-{_b*DO_sJ-U_+0dBvi>D(V)m!-FLPvi<%zjx+O3=x1;z#w~GEUz| zcYvWhIm1EvP*l<$qmq9zwlen5|5qxNWGHl=I|!m!W_vD;g)Qj_Gebr5mmsyuDZvTT zcNlpj(ed-Ry@YNs-k)0Stk@*K1w%#iH?K;51a5@n6hq(`#Y?$VTUF9<_z|_q40$#l zTd_*GK%^bQQJA`5;LGSd)uDgOP_cYOYicYU4Tjg$l|rK8N1jGh@XOj1Fh>DbbPt`N zp?}LzjC{7|q8a!Wi2S07vxG;Crm4)`0&u)Y_%m~LqRc%D$Bs*&qK=(ghT`O2LqHbB zr#_4so*3wV&PwT8mN?rd=6Xta$&ZN$gA$LVgb8QJZr)=AO1M?K4eSQ`*kZ_lUO58Z zs0qT{VhlJB`7;t#a`3Az!mpv3Q^6BOk{9jv11YTgr!p@HEtG`e#9A$<3Iu;~5pMI^ z1ewX`N|QMm6uIT7&i*b-W+G{_w^Zf_EjdIC2_3T`VkjWbZix6%%2&6ixMe6Ee{{aX z>6ybHYf(H;3HVZ}lg5xk?sf-2H5py1Sx?wW$xx%KWaW`thDz~!cxU~Wc3<`K=T^k( zi}Zx8TZS6(uRX(tb>Nd}7fq|25`hIvBc|3)e_06eIugZDM}BWb1aX2f*qnOC@gs;c z`>|Ckm{mBu#aurzPJSkf0*ge!iYUS$kdXP2!Bd){kns2sxjlHTLAlM|4wj#5k6n|cWVft@<@aNHvlv~7aJV6IZzaL;BVPWFjs4ni-ZGb? z*s2a^43Xjaw4D`!h>Jg7{we%;>6#c#-i`%x?pN@B!uyUK6@E0$xz<~qKU%oOdyK;l zKLk3qyX;5bdxyo7b&}7EmBjopt0Lretuae;;G)4z;dmN}k{>l2-I7_~6v#CvoI90b zuu_iqxMI)NC+v->+TF)f&5>l342hIGvvvh4v&j@X&9(T3kZ6%mi+IaQUH+|RJ}U|N zm@(}uY<+vA&>D1*xk1`66yZ+&p*GP7WT+EAzh6CI#~V#(_C@kTj-v1fNQ1XP9q~)f z{=8+V`c7Ewp$6WGQHL1dc%}j&gmsGP-|ob5X-|LiFOws|j|9!^)j8dnfF^=M&t(1F_ zi&n4bV~ih1vOX)#=Z?-FB~w3E;`1+xPK{}$*(_ZssoLb0q4vB-5y9jxkd-`d3 zK9s%Ufn=rDTZZcKds6x*lq%mc)QT^SEW}clcr>>2N9ohVkId{$lkWzJJT5(?z)&Xs z#V)2Lwk++UAh5sNcGZAR=x%z;P)Gi?q+swJz;~PG?0Ac8vG)vC^o$Bvv)~&B=}P1k zG{es-@=&1E2Z?|m zIhusK2KnBgP8?;7Z4O_DqzGpdmc#iw!+JJ$)J>xWRx!Y7L)qd69j-hJQ2JbvP{H`Ycol z%LBM3nyPXQXBp7y0|mNMyVlEle8q9!bQKx7IGbiYu|z@&9!k8pF)GYc?Kl;Vi&Iz& z%_m?G>O#UO#I|_2Tw1wqtr#TQaB*B-f4;iI`ZAn|x5~Cw-QnRQM}VKV>s2GL*TMLe z!@-ZEoirS}8N4neRG!>TtfbF74+S$;l`F9^K-r3!GF#ijwONG}-svw=xH&4q?iANP@8^23?@BG)GPb)+%lA;-$Cem0tQ^(Fx@S{ zAVKoucQ35xiPI^$CCM#EiTXW=QHy@S3LFkoR2m5%?>FkWHy7?PM&Qs2(j-w~s8T;! 
z$?@{VkBEj1iHINdnq5EP;2kBOv2WuRt&pL~U85W2JtW@e(&ZjW$%@bQ> z-Lev;4`56UAM&UsE&JrqXxB+lfK8Q%juSsR8QsFd-O}Yft+&BScRt`;V|1pIEs#DJ z(*R=IsfvceiO~coZib!!g44?xGkz)Rb6&A=!va0cIqy7mWA}ZyT>aD~!*LI<4E+?b#&W({^Z} zrCr-QYkC~1q(1bwtW@5QqMN$JtnhD3PCa3z+)hH=^LeG?roH)t>XkHgNZzA24orq9b{u!7X>8rG5=?J;XLn?IDZzryeYj(+-=5mm z3nwV{pMU!42M!e{u60CaZBp#+{1K(E)tZ)irx|y5taR6hg#il!rBG&}B9v8wV-Efy zF>zvHiI^5K6T`{IVZ#6*q+M(+pJeykvC>Z;aC;So9l5Z<)$0m1qs2bhMoGdjcMLVq zhbpGz{l|%*5px!%iG;+DFHJX{OX@~Gz3T=V9Y;<-YQj325B!|*`1z>*KFp2vD>G9%@Vq1^ax;X}4Fjh%T^q<-=pLw)f* zV6X#Q8@3#LA6;c6Do&K>2&yq0V^xQOTQ(aw!z5IL@15p>bkF$Dx72 zZnHz~9eVEgQJ{AQ$cY~v2N>>nuSbH6BGXO08qs@9!sN%9UV<4c_v{2O>m4hZZ&i!l z4uTnLG_e}IAN;-UJ68=hw5w&6WCrmaE9vfI2oE=G-j}5Ex$>^QNVdhIR$np8O3}QP zmB#mxQ8>^>_&_~#Ow#?OGx@Zds2#Pu;1Rs|38i&i?a}guH!e|=CvW>|Ir%MeG&xbM z>1bjjgAho{CVjm#*W-{x#ff5hRAAre+O;b)MUPDkyohUXsjvFlrD9u>a`2^8qj$CPZ316QU$iF+A zc=)R%{G^lciya218h(HI*F+7!JBGUAho`Y=Ri)uBjh>KwI_)dV_uU8N5HP1u&fz0E z4J3ks!ccAe@NBM?0h4Ij$Bcx=njB4_tyJt}oSgZ>PN zQxY#H+B1(Q<0;zV-^(iNviyJVHJUFHzL7`^MKaVT-)rT%yv(Cl$y;UvGlwbM8rrqW zN`Tx?;Z9H2xFj*L2_vsUeT5Ij>r}a12*+^yLim`?FB1eh^uu(zU}y>YYS6UIK}Lu)P-vh*Ln$0~!jfvbCzg z?mV@`grT_iKBVITMG_uA-_9xU7NP(9(3^z9dp6PUcfuQwme>HoAE@LiW~dl`U}L%l zg5KxlBO`gK7oimv*rHZP#}SQ}AFbKP>uwFOtyQOzJz)$*zuyTMKO&R5LQ7rgE^%G* zqcz_HB|l!1wn!IE4|5n9!taP~Fv!U-DD_QR2^Et-Kyj>>_yh#*=A=fV} zq3+{&55bc#1~!-F&{P~e3C1;Er0JZZ0y*d^Mu<)d~Rt9r_0+U zjtD=}^x|~SqUDROuU+TT7Kep|%8xI-1l4Pa4ZHal3ovu_GrAiq_!320@Pn29Hx0V= zbxp9Mks796#jF&;Ukh?Ef4Wc|7_{{Kek^{qvwyL!WT^HMr=`L$6cv97IY5O!pKoFU ze~TVu5+gsNb;9go+CDlaN>^O#5vwkiSJUA6QLPie%c1}_D%Z8K@Wddth8nF_ZpT~8 ziqep69PSt@iJveQ7K=I%CZZox6fI^G*JO*ldxnDICx9>1N>5mdnEUf21{Dh`K77wm zVEhE`LZaix%wkKRCt1T^SG8=l@tP5;aH*&h4-W~C9|t?+sI#_ApRo_bxRNpPqf&>a z2^OGpa-`1{KcaL9*RE4$FnG}|v#3m=SK%dhjUcfIHZM5<{8$tn=)unzSObZWA5}Vt z&{JR4wuY)kxM!#Zet0)Nwb*{!P1i=r0yTsCmgF?7G`fQVJt~kE#;Hl9n^o$@qNz$IUXDGv+8W;r`@hVkzi zN^dt{>8@M#hD5S^hN{~Ms1{Qx1D8Q|s&?c(LpAOR@YuA#!w#J*tT>PsJ1?xn4Az(= zMsk?5>2;&Aisy@x;`779&GPd4^Xk*(CpQWfYYcKs0{&F1E`vGV)bO|*MJS?-lOMIQ 
zBw7NvXZT$^bo?L(fD_}1UwSXinL@!zto!vSIMJEcqu|6|A__0SC?4hNQ3A*8=$y5C zR#Mi(Y`ElaCtz_>;NqT@gf-EQC^u#41IaWjPK< zKocGMzh|Xa{rWSGlk0<+n{^4~NG4$7$OIxL^vA7ALvndma?pug*GNnpX~7Xp@IeYM zTF*<^VZj0 z`3%?Zqbh{+-KQ`MR%*<l2NeILLR50YD(=|i+i(`3|q0%Jw6Tt?oE@Ruzt@<>Uej9j2gIj2Aii^ zO$E@xyF*W25xtfqV$MXts&W-wj2?Ap_25C0*f>&!{n<=WG`?r0XdHq(UdhC1PowTB zW@^~XKgR5a&g@EPkRUlxhFKG&m!R$jKNbyUe1cU^E5O~KO~v?q5nHgcobi?Crms8q z8>fr{Cti}gxG|eMT@v8_Y(mC#)?Wp%FliHOR9&NF`@&0u%PmK;)46LFhCynw0mMBk zU1L84UT!P=6PyRz$_gjfQuHZBMfa?vix1AMMMvYK6&-vQJxiQO&=EMXt(AwB8gFMP zN}Pyn(W$C|Gq!a~Oq3MtJwsvQc2YLJFJ6&8h5UHX-W1N@VdNzl94G#h0FK1NiQRZS zE@LbPTjr0_r->h3*_)x^_uh2UX7HPEJq!0J=0lSg8bjIP zz4?05bzz>Y`zolmR`^DKG&X+RBNzkdhN(;)AD&J1uVg_y#WOVg9dMhxYG z13)j%=bB^9+w=w(8i|Y_`#3apx~lpPm!cOAj_8gEAUGXWCp$aPmY9R-f1ex`e&nU7 zCoOdf>=hb1zT(MRqTYUDPmg<6y23#=vQukctlTmze@uSQN}XBsuDRflpBD~+P@ z`%euK{ZefeDfx8IP{DV8;_R^FwOyze+y+$j$#zN6Bv({IS# z<`V0~Eq}JJClb zq|L2B5xPRVnz)#fOyGZDD6)IR4v(DQB{Pt)_)(&rX~jv~Rs#Nh@Fyfg<41@nzrxU7 z&&}Z?73jIBk^^B@%pFJ{VHv3w43B})A1;cSAsC~1YJVqe3N zvV*m|$=W_RzhpC2X9a_^MhVso&*%!)Zhwv^5Gz)+p{U10HJPjpl}Q3m9JqulOp|Em?| zmg1j~r5zQ_L#txlV)r1}l5h$GZR(zWxu0zU`U%cJ0K;pDZ= zohr53s_CJ-n06@iOB*K^-$r6R7k^sAx9pcA#6oSITH;z|zkd0UR!aIp-*UuT=(6O!c)Vj!G zRg{457G!vwV}9M5p3D+{U?oUQ=IcFeOsPh)LW1Mx$$Cd{{0LX59rgdD2K63T=@z3j zdnOy5`Ep)Wpo=2KxO};Dc3bfrD-Z z_TMGXP*xJjA@vcZLpP?kDz%pIft4JxN6|M07Vie>&55E#gAJi!s(hApd|vqX+vp4o z=~#cf{L}tBoCsO+(C{NS^UYYwN_rAkmPuD2D@o-MQ8*tnck6|yLwIgpAxq-pM{DLY z2BcfTx2~lX*=*Drs^_=tNTe$88r{m77-{I3pgaSc4JYn93>sq5^2_7ZRQKW$V_)j&M3 z(rb(VV=%2} zY6-yHl*lt(x=-fSgG47WhAL90u>;LF=EJtUQjEIY!WAY0c=RgB^Q15FkHxA;IGos2*Mj+s6u&a)cC^_v7Gd#QYaZpP7{edetFMZGrG;}{G1x-Sy7<4Sc0j*N|SnTQ^zD@mv5{pZI#`L$oq^; zKOl1k_R1a4P|*4Zt_FUjEKQ~iRg_VpRoH$>cWr-QsDPbxtPfQp>PeR6FP+JM{^RAp zxM$(t_&odwuYCH=n%YSaFOR)zi3=!i`)WD)6>{wO5w|(3QC}Nlefm9|AFc`z{z|zo z%9cSjs#OYHv1=3tL}%$W^OjCh(`n3B5>VD!C2@O38JJmX^f{+7s!iv7dVG$^fB3o= zouAQ6u8otT>@N^*P?iU%5i}+*u2o|&fZF_Y5aa<9h*=-^E`BQ@AP^1qJ6+yd*h3t2 zeL}2AtHoxlBT;Kk2aaQgC_%1T2NrExENAnrEi 
z#~vBhs~tdwC(nU}DF&oep*>r{q`~p&8p_)duLKa!$n3og~Ywjx8uv9QWy77g$#m+ zA(=&VFk4|RJtI4lSI52+cJlr{*`9JX*NC{}Q)X2L4Kh(V(|s&?PaBmgOc|k%2K7?m zknuSNk@h#E-2PStU{b=)X%yu2OBIh@Mgmrc;GtI`z7N}R$M*CJ2ZFy-x8`a49kcR+ zth|l75{Kt(3Vdb^$I?x2Q3DT+=PCN2*}TcYBE#C zsj#c|`H*8ECIJPOU5?ZP3{(V41MT_t9qoke~j<{%*em6j}kYThtbJfGm51Zakf zayQYZwNg@=%R)Bo32Z1mh&HASG8&fe&0?C6$0n1@J;mkBM%8;OldV3Jgo9}%fdoZm#Khh1t~!=aLh|Z(P-!+? z(m}vSV{81{;=!hH&4R_Anjf{`me2}q_RfIvSh!qR5r{yXs^nTW*f#)J4UsJo&ZS9A-75ky-tcoAd@s7zoRyx?tBs)<6D9VZ^9}yLqM8H$x~hX@Xyc z&4tZ~u6RZrH=RiLkW*YV^3rsi{Uw7HneX%@bGjN$HbbLuf~;TrAedfug73*1k6JML zZYcx3@zed|B)F}bOXRosp)y3s3e*y_pcGV=hON|*tFo0Xq10aXjr9kA%Z~z&KHHYZ zwiV9($gbs1J?`bHW^3Sp5t?#XxOSCk>hj_eh`sTsxEScWuKfMH_43hbDiotjky=TEz?KR&WGWEL>S^# zlk2`Kve%Y9J9_=_y}&%38xweICQCSIltD8ODm(qwvB_juVa+g&o)bykm|y<6UEN_U z&Bz_+c!Uhvyc+H=#;=Ukk5`!yA_5+Ym*eBO{ar1Py87MSC(BFx^}${_!zyW4-}xyh z#>It>E#eBu_w!|v$DX4!R%C3YMm8E6_l;&rO=pwLnnrdbxT=Sed~tc-Eakw>TARaT zi|^=UI6I!pnH@ZjSHm?6Meu&cAHEyYJSC*pPRaxB-d`HNSfv_IK4v$EEY+5M=6y8d zp6?Uu>A-!ks!*XQiA0Z#I4HD> zh71UwTLI@hN8BG=T$R@`CE&ZLdd#mC6l6elPwreSd^MM9((mxTF%X6=dd^1ToYPPFIw&- z(E8=qT{=X{uEQ*v$B4rox_rfnHm?X_f1UM!&MryhIm=V)g3u9W{U?f_c*^@-Hy#m0 z?T6{4zpM>5eCCno7hUi#p-4a#0=a zipvO8^mkolPTi!j(@2kp^ghq#cj_O$Ay$JVk_7><}`uINX`CVpwn;E&2 z+xXfz_}aF8g+|QhC6<>hw|kNI8p9Hme7Z#^8z->^-XH4cDhnKnsYrV#VgDq$uiyB4XG?E;PQU2Cv?@i>>lXlErNs}FCF z)W{NYWjZL=6R{}zmd~bvVqS1$c1th}9@raRXo0Gu^XE+`qt&zR-hI^-YJ_H%jEI$| zB>Sm&v>%K69#U43Rh%E3IMv0N~7exiQHKy3BlyIm~M!SuFQ>-}`KW zU<46FC#rBJn-3+ep*XV%re%6@79uXx+BxF0>AYxLL-a1Y${N($X6}C{Wr{XIBb!sS zH-1BEGuW$%HE6=eV&aaB!;d*Z-P?3eVwuw!B^%Ya_>YJSVbOhDgupHn>BXBxY|ioa zh&`kL$`8gjX>zEGe%sme`~{{LC>35i9#}EF zM8^V!BhCvz%bi%zHS(@y@~%C;o!!7C>FCfSE~cLlrjyQ+ap^wA>{RlBuSbT-qzEv_ z{+)NG12}1gWSkHAqTu({Lk-DroR&AoY1ekGCBIIY-X@?vXbPx7m+(Fx~YD6Hv34pw*F6jHA6yQw1rLSQ>V@&Ofxq#Ja z-l-1=2i`hU^7`jAuc@~Z`+zy`WoT>8k{`bN-WFqjGN<)%dxAi)??GDQz}^Rj$-snS zuOm8kn8e3jq_Qu(k85(>ah;8IPU6+1r!rt|`tA_WBvK@v(&DEe{;2o|`=Z*0fs*B) zI}~mn^VK*$hxcoL&PE*3=S|~%->+8uGDv(1LLWNMu6KSwqSrQ#WKEF8U7_L~QzrnI 
zDdDO|j^BJopE5ST-C&q9#zUOwEo3rC&qTzyEj^3dn?Fg1z)cSfDU|u)6g~A~Pe)$FJta+hPB$(|{zxx%5*6E}C*2gvTKvGmE9mOL!ofJ|r`rdwR zTKN`X;J|J~+#>5(BLCmZ->9pt?*o(S?tB=9sA7ASQHgc+oKTcvy_IB2ZhTvD`nDCMcgl6%z7BFlug0 z7v;L)Ler`x$?4{~8p8=EQE4PMTV@vgnK1*oyht!H0dO*@`8QBfc6ER;%NGED59uO- z$c+;Jm|M)cY@rm9mJ?z0sAzE^%Xu~k{R==M38pAL4n-6$k_FT87R#Gny>?t7qQg73 z?ZY(V#B7|GSpQCijcV)B9akxk3KIapzZ(BhCjPBQoRb80#S|uxuOhRzx>p9r6t0-8 zR*J-LidreigeTg<_YY$yJD47mf-iG(`KyRU-}umbB8yzQh2Z8>4?vYyI^x{cxgPn( zJRq<iR;atb@sk^6bBf`Z@XTxYATsdc|h-g zFF(x;<9&IRQ&q8XRsz~C9^5-%O2}7Jap&7lEW8)vlX9iB@U5+IugKP>&TsC=<=#js zh0IBNj!;q5=!6O`hgL%Pt<&#zF+;agta zVFG=}2CDy-`N3lIkYm)-fX|&j?95;(ydA zhwZ1-%0B2Ii^T@XKJT5%X1AQ)>Xr&@2ybeJWgGH1#N<`qR5LzLZ;Mex`>*~S^oUTM z6mUROn=l1RMOei9aH%iznSGMWg@{7~G(r}}L@e1XFQS%F8%i%gQaa~vEIF!fF)|O* z>w*t?c`$uH;kHR4#U3BFzM5B+swp_~k|rNR`m*OqaqUwy;;xzryQqdZFC?4Uay6L= zS8LNWnAgv9Zcg!TPBA$du)I;lVrg5FeEL0Df~P=`QG0zS>8E^&OJIbD<+gl2iFN+& z!b06=M9WnA6h!8yjG5~wuCGV<#~Jwt2sz5Q;PY{t+{)1PN_`{dqp`q7^K1eJIl~?5 zf7=vh2@$BfvSsX*^V0rf(|`Q;KP~&)mk~)?c+Z7MRIA7!0JSHp`K2(|87e^%ud`10 zi@}t&P2OhRycpL)*tS;h&)fHsIGqqV45gd&QJ;T==ue5X+y$ia)2f7cOALzFAE@ro z2VrTawmOk42z>~dyJMHOk(r-Cf1z0C{Vnyl8Z|KAVb!tS&{jf~Sj3g$mT(`pV7B|l z0O`#;Cea@>i-uw9c*l);fkM&4qAanNC`PE#_l-yjs>|MRA4E){gJuQCuFv4I!yGw}VEVXxn$7eMJ%js#J zc^*!12U}KmwAHRF`1Hty%oNwaw4BK!iW0ps=-0Emdq9FwJ7f|c_Be9kxxTU3yl6j3 zr)Lq-)&JDz>J0VLD`!JZ2Um{D335B`Ys*9!^H1om=M-&}Ej|(Lq-F_GNtB7}u!NCF zsXA+FnHvRI1>NtHqh#|X0=nFT(_kqV4`~tCI#THM7wH_mU`;dN`AUJNv_U62lQ%{0RTHUTV05oyQknoclTe5 zdmTMoccOUf*PU0sNBRePH9|4E{u6EM2C@I&;590Q8=2TwXy$*+`G*0Dae761r55k? 
z*#3$AKiA(9@zrDQ87y5^wAq0Nwy4?IzU{;*e~rj`2WaD*Lki-`ClHpbgcg^=5@h0ue|72?ZyX;U%6sk J##Ma-{1+-<`3?X8 literal 236680 zcmY&e18`*B*3HDWZEIrNwr$%sXJSn>u|4V7oY=M}w)N+mSO1sys=9k6)%R52z4kt9 z<6H%45KvSgARtH}v@#7%u|Zjhx!0 z@Xbyox5gh)_yzDHyiwV06ZEd34OF%vPv@tg{C1w6zj5;DBZi8%$2sra<(ragWH2GB$2A;sL4M+@RP&;^C7ub_z#22$?w}wp{YaCOpfW3Xb$f-30~SVrcDYD10oAYjl6l1rA!aUz@55dk zX81eIXtZAp)SrdH-q>^2lAsAaZax`RhGVn4>1oMBB7IRU16u!ZuKrCO=tmzJEiRqS z^sj3@9-anyOIc?r1vx}rfXP@C8qGPMd`15YSjo4OhBf~_i=8z(SeesLRqN4pHe=)~8m@Q`M)wtwc~& zEg(j_E#wD>nw=(?VoqG)a5M-6Q*=e4Vs7YketFE?*-8B2jB!>7i-$}^HIbg;Jy44{ zWVBwqRAafee6D(go&as`JL(~pKA$9U-19iW&mBHd7E%Bj=tDlSU6f48%4fa86lO;| zaq)G?z@|$y3XP?I@(jiY)JxgSJ4P9xEW-?A$^iygfB?Zp+2yQ?rFOXFssCBtIL<(R z#Pl$fG|Fv6ez$FOXFDCLPOs3gcvb=C<+D!Nig@ zQBlM1lwGfWb9#1+Ke25>a@%H_$MY?7cCMw>K${$4s;%HztPIfm zi^vvk){|?cu0HC$sW;C!4{B-ttZkh=5I7Hd3|dPypy_L2I1e>z7Va*uThRJzT??6N z6eX4qz)6hh-`OVRG;Z_zty1H@n5TZb5W~E&TF31WS}K&t7&1TNa7^89)wu!E;lQRz zCt}4*{1PKb-t!F~GRo}_V;~{!&Nt~lZal>Y4;LB!!P`|A^nB6|l3w#@Bj2ksaT02C zjOXgB0@TVuJugp|uEXVj^1r-3=8I1dym9^XRz5=>4>N66=l8vyK+w z&>ZM|*(*==e|hA(mCCq64J`qKb3#$aHF5Pj>4456K zs(t6=ROX?u{h|JXZ>^D+xt3=ZW8G^*m_0w!Rm7mCEY=M+ZFxws6e$UINQ7XG+$rZy zTBMD;$p|Q2!t>aQ#1c? zD4>hQ1~^Pjcj46{BX`$T`qH}#f#ngPc1l(#l+sPAqD#f@sZB6{t++3-%*6{$#X~g* zb25-{`=F9>;Nfu2&{7#Qj39+jim^8_C2T&y53OuMWZJsk+e*!@*dA-g1&)46h?NPk zlt!#NAEd%DFj87aE=|$Z4#LjQ=f$$hZ5M{@6>pM(_azIgaEeT`aRxiC zO>bl-hN8B@4K^;F6>^J(eMIMLodNVQ_iIM=vyCl?dHr_TN@6aWKBmRDEKQ2?nMs$_ zNu}aTna6>e@1eGrc5agsy=(A>H96}DhV`_@k~kS`7~?bR!)1KNgoaga0gI2+B;Ak; zUF@S|pJYEBhP%^hPn*>xDVz+i58k33nZ35b1899|Bjj zSgyh2u4QJ|sgD&LJ8Dytcu+Y*iPRl3PZ-sjQCMzfIldIjKJqZ7b@^EyY(_zA8~?HE zT7Rz`Vwcq%g6U!&K@=P7apk<4{B6on^t?g}R7mLbP9mjjQQ`$0sny%1MANurtp%pW z?Ak(YjkI21F!a{TqbKGlrr;kzk9%kSv0aRHUPpO*=AsUpiJCSs2cztHiKHG`3PtE% zQ22z~Gn6~md_y;Yd4XcNKcxOjMsuL47Ytr^_O-AA%8ugaKA|E}&M=K!&}a0|s#? 
zNb+$A6{oj?8-moO#bvfr3RKj(s9SUKq{w8E>jspz;BKg5e`)xd)Fy;nA%4S)6b-Cz zBTkE4@hLA*ehH~-@6syo!_Gv}b?S@g`#|)Yi=x}lNKdQlJn{yZt!>fHW4v=w{yc-i zXVvP33!GD{!mUQHQ;M`EE zlD&#m-~k{=t9%_!3t`_4f`+yVMi~Ql;vMFHGnv$vo8u)W5Fj3F6d=t1WHNVqCu?U5 zQ&SgbhQIJPot?DXrmi$4pFgW|w2x=jEl?%(n=?fwYP&VJBsb6v?YW$djjqzhftF)R z=Y$cbJ|I)V!$Pt0k&MCe6@w{D;TyJZ;6^MHO6Q>IS$Nxb~P5%gD0Q-1h&Pn&Z z%ImdPc*e%>{zx^8uLiBMdKgaISzAwyX8FQj?Y?@Lhe63rxo8DVo4q=7h}1*1mdrNF zNtYir;|W4@C9dU2w%>xhrABMGOs!ty{bGh)wZ*B&sfwr^bt@};T_oB4P-=Ytq`t2bcuHD?d;&CJlWAoi-ZvJJE|D#|ENWWh$ z(|CIdw|;hqS*bN8x-8U(z5}d3x2p0d>HAkio$%Uc>u>Brl;;lNY1h>o{;)W2tkYR5 zbQyZak-d9+M56bi;ty%fPTIpLaY`3tZG%&Ux(U7F$6wNJ*xl%We7c|x(a*KpX2Hk)?RjDFYB z-&?TN6K|=^aGFaA&sgK>cID#NC^w?x)11MnAKZac4>gna`>C#}c8WBss;~hlECu(G}qlt{A#(HyJM7dRvjqy`)-a3oq@gi;S z<`1pRmU#XXUr(VPf9@^Fvbj(**K0|@o7IM$@9i>IaxlZ^C9q@v=bM+v>5lo0Hdj8r z^79`ooQs_j^HHqJ5w0}`oTm6Tl4@YLG}h(`kd z+!4C+_r34e;p&eB?-!Ki7M+iYFXWvS?e=dj7h~#eZ&gU^Unk|mH`>oST=UAf98Q13 zUr+@2>r`x!xh<%y>Re>A`?nRkUN`3*VnlZmR~~OPp#56stGOAeE6Lz*v+~He=&#DK zH}SnNxO$quVhh@$Gi$PhThHCnwZ1@rYfRf3yfb=PUvqJFpP5>dz3*FdY31G@7K@?Z zg){Sr#cT`xW!` z_Gw;9o|moeW$Ly=l&@2e&p+J9Z{_a%kDph|^WpJXadGR<7JIqa=gHQIHCgYSXoePX zjPE{vB>V_5^w^It;*ZTU$5$Bw?v5R2+b$cK`1h6Wj)LxvUz{9&AF%)Z2cq zW;-H-%TWTgNpHVA_pc~a>af40nkU~zt~uM5WYaoYKMGIqd+zqSWNBfRsj>d4@0l%c z{OQ7ENa?CP%c98y(_UmGdj6x|Z!IbLY{8$s=Izz0qNtt?4I{$U*wHiZWv5MpEm@(A z=Gb_NvD`D~#T!9%OdM*&^xjny&YvkKohkLbs`>be`mn_Y-(%tN`zFCGoNn=n6oqaW z{d*q)M3#-=#=$E<;N&XElxyyYweg)R8GHesM9Q{M{CxYTwy=+d#|ATQqgdi%j4lP4 zWA;Gb$Vtc~WjZ4Js4qIHXL=u(`3qsWE4lc&-zZ}*tn+BiB&L@f9)jc1!!su!_efdJ z_9%J16s~Z+^4`Zwk3PD7Q?8DEn5RW5%N)Tv#O_yKtw%+zCi65bC&1ReAOy;OOPk+T}1{D+W-$6U$3$8=s&NW8T^b#l!g1AB$I3mpAMfImVmnrIOs?vQ!$twkh^~pfiK#RnqlDJ}={itnHY( zdVZO<@gD4)HI!{Abucy0&$Tud0;7EW&>)e)MT=EbZl7<>_TG*tZe z{xWj1Blac+(Mr=y^ir$XehJN(xf1)S-|@$fawkQkusZkxpmq`^=PRVQGm(RBk$BG? 
zaxu$ZtX?5nW+kRETIgKT`iUok=_dZ-vP`qSN{KSBLM%fHCu>}l*=*lcOGgmtXo?0yknzyPCFpDoJOjR+@Nz%I3JYOxTHwQASBf0v#jiW~K6-RfOR#=QQmR|+2>Gu%21 z_H}0p^*w<8zEb+BkGh=@%kCT^1#Kl+ErD^1Q7YlPRDy2|=~4;lQgLYbyUbpL)T8pH z{4tF`>BHuwWpBm8yQ!`Z<#buaNL%w!HsftTyOqBqK9>GP(24q6xjDKlO%6iE!hHI> zBh-7g*^9nt!}IuAcs#S}YFp_r+ztY9d9~YoxmLP6nQGFiz<1HN?WUrIc~Nrl(WU;v z|I)TeE~SgWI4wQL@YOXlvr$WqhMddbck!6Tbl?XT=z&G~5aYy4c- z>D-fNxi{uhsT@vDriUTw(_wEmf?1WI2@KQA`TB!d4G2#KD9agiQV?uX(3t6559tuvnn=ZNoc zxX6#F%7(INUnP|c!Gy5H6KErWp14S@U?x(-_*a4Td`t3tIGk;FfOLa%R%I0HD%)@` zO-b!)Pl%0eDF%9o6m@;zLxmq@;|Oe65ThO{iXd%kodB8!kx}Es9!5ihhwbJwC}D#P zRaX=%f~gvf;xt!B?s3VEG0maapu6Ir`-GzphO3Xe%kHlu;-7W~x>?_R`eJGQc5rUJ z@3yg_$=_B~oz@wC>9udi_VG7~4_iLnmGd}MSF##oja)Q|FQCWzh%`A9?PRe%ctVXu z?5UUko&!Mu^F~;wXF1Ypu>olc8We|X59jXdT)$Y*B;n)6Bf>iK?jaxj{-6=S=_tXo zA}6s8PA^GSD2YkohHGiQzU<{%7xn32wRXX}BVTb%)(;1(eK^=;PNf3fS!ux%Ofd46 z|Iq5%`;h@HOJy(N85=_Yk%4bjNBbVlKcw&GP7W_xoU94)s6KE4#a~2zKq+k8_1HxV z4ZOLq?%5j;ZN#Qbk@Mi~E)fvj)MY5&ry7Qzdv)|ZSsfu+{T$cxR>AZ3Ew=5g@pt)F zN2}uRmn73Zw;XouFf638GpNGpcl_;flX8VfKPn_N!$Zj8P+~i%cXEs& zzvAVJ9sEh0agZQ3ijVmBuOGx2|D#0%3Nn&H{cNVX7m$aMvsC{0zjOr##527BUsdP^ z%OHYJD@<;m@{kgr1xSZ5WnkOD;!Je)H%^RdXsUeWZ80_-{b@H@DcUpkU;ly}QCqN~Q4< z%;E3v`wU5=dZ21cPaouZNXm2wltD{6jZ?6!e&nZwj!)m;JH&N{Z%l2#x&FLySMEgg zXGd){%rJc{KnLru_!@dIwZ^DX>`7bZ^qsK#9DLrlkE}jsOk4@do6=wtY-TsMK9IA@ zMj3te(U3D1Vyd;HLK9>~0HA062jU2@rBMy1SPh3X_{?nesHw?9kCp8<)F-QPWQISa zJF!>2IZIxPV?uiQx(a1!!CXWJ|3NB!>RI;A=K;4&L$%z|If>>>n+*!hIT8h=2vZy?GLw=x zG6Q@TK`G@Sdwxu@4ihk{FoFx9bxG;SKMsI+76wN5s!jtQy`ksVSBH&ebZt= zh;sFxsATPYQo%UfNUy?Fhc>5mU$uAAr^@-+n8m6^hVw(HwCfNwl{lluWMU{KWLd-$Dj3^?$ z;A(W(N`>k#qA`}pvB0F2DFAre$zp9~aXF7;4bla{c%1{>|A0S40u9W(euKJo;O_=0uS)MWMT z>)VysbB@n;H86gs-fdJw=$w1!RRpswJawPM!2zK8KB#=VKwwqJZYbWn6} zOsmrtoSOApsvfV&GkO}E8I3g30Kg$<96O|lfHI-RcMahUryV@g&mA#F!R7zEn-{hO z7i+HZY7LdwC|o^o*=(r6>+we`a@6~MB&3G2F@A=u%;J`I{dt1aavovl}O@Xd>925Qs$@VIPHr$?^mqS$8}S%!T#JnNpL+y zS?3Y5AKQn@bf?Brxz=s?C~WUVb2k+vw|8X?T|3QON?sDr=iTw6|52>%Y@giU^JG7% 
zy7Q`SoJxIWw`NUArUayqtLgG;WnjAOyI&X}?D}MaDms(Z2Ev{K3Oi16deIaQPy1U(Vtx6d0 zq1eEqydvwc!!Y*cZj`MnysMANU)`D_R@RprY3y6SGal-MD`U^yM9H4{pfK;OK)6@7 zJ#z*ZC|l-rs`CjlHaLAG2zv zc7kz!m`WZOY|J85c4Aw3AUxs`VXWMe(52X_S9B&@lanhO{)WT^BWP=Uc1N+L?{tR` zLtIby3V0gUNJlyyp5+WTb5Tg260{T>6kwiS{RP6{B!Sq(BW3CnknV6#9C=WS*%q33b_EqMuKQk#2v`G#xmN=mXxo9-%vF+0qJ4j1J z%jC{i(|yFZcMgdY+Puj1p9-i*pEU5p2_fNul(4P-ghl)Da+vXydrKh<*T`6|l`9RrY~FivKw5(fAO$cTHbKY zJ{op}>#1sEFWVfO9{hH+_J(jdxzrh+x1?;&gIo&XjxJrbFiD9)K5!-c5p%*-B8ik} zNEqEiaI}rq6_6b{9sDVVyv~Tce=rSdwz4fte((PH$1UdARsrm5w*BR`c2Z}uFaAGi zpv7eXOP17W;HATKyFhkuFCc;!bR*bdR@0II`mjse#v;93dNy=`a4VDRxZtS@02@PC zv9&`KWOA2t>|-QojIuzkchW*S)cZ|FDYg@xcYm;fZ6h%_&+YR@CJ?YfmYd0=q$&e6 zuWiB3=Dd~;nKfkq*e_!$ZKqM=Q!=8hNXw@O)_zp3wK`1rtXlk+sW`aeMb0^XS3uJ6Pe zB`(HQGJH+jD=}?%M_@`)tenU9dP}Y7s8)+AouQV`kIta9cdu(dvxftl7DVHTnqBo37D?bS} zIxeYTTlR$@wuL zM>s?oT=IsWB1s%>GLZ*UA*7K636$R`Vp2Kf5Rdc+C_#fiHS#C8AY&C&9_E4k2eEJe z5c?BWR1|u%*Se*IuGV$>$udI%GUokqpDM1ttA(eiLQvHnv9+CA@}(JS7w}^b(+}^o5Y5A+@;_!`ucnU@&h}I5IlwLZlqjkB8I|ed=815Kdp1$3`gJ*EuT(a^*{uaT97UMvBXP ztuEvk7XCen*Ytb5ArAya@v8x3;twrb=M0JX(6aasEsK9bU#kz+=_RjG6XoH~jH8Tj zuGIjuR;^JfbS6b06Hyp}1&k_=2$>&pPZJ9DJ=2Fol&U3?e5VkB6|K})AK940Nv~Vr z|0n`i080qmS4Y*Rw`3Stpn$57AmSo;lEmG04LQ)$p;_*5luHGErU8FeK=Zsvcn$B*3?`C%5yhgnzomzfczf4X5xS9-ZNLqiOq z8wb22I^zbIQ2yF88WPTgfxY6)j|YLHIW~;UM+kcz0HNSR%Xm;SZeayL z0eGYhTqDKZ83R-0gtnQ{DH^x~`^hSqbGtx4{ces8D&w&Mmc}?|NR zJ0a#dVJ<`gaGWIuWNhV|iuh}+JCMAEESALl$sdsI~D=I<^Rh1qH5 z=VJw6s}02qSsBX1=m8y}L5Kq@QP1-li2wPekP8LG9$`Vq2_T^oS507RxjtvSp9)7D zee%Jp#)&{Fnf3oH`3y5(YedK`Ukt<^mGYs+fndaeyo#W2tUi!{s^~kDpnD&iHl3d1 zvN&_po1R_-m;76rq)^6nrPbf&|q74bJL&P5z@&HE{qMJe1h}Z_9VJEB2Di*Op z41P7FowO^yQ9%D6(~OAP&U=LZV;Xvoic9K+80mV8wbW&`ku00^u)YFTlhUg||0U2i zVQ@Zo&Mgya5~CaB4^Uib$sFDf$0;D=OG$cAl5Js8LIJ)>8+bxDXp4~+4TVJDnbZW* zMgqcvKfVq86xV)mMdWq&Tv8c8x{eJGnIZLZbD9TTdpQo_MDYvjz;{?)VRp<47o_TCh| z(G4Gebi>F0bi-xITEOKBea=B~lL7CtC;maF@_r`AI)mbtkh4s}bk4JNlbTOe%n@N1 zoiK2QWple+JC=~jQ}hAKf*ENv>Mm1z-68tEo;;GdaMwP6-Q-wXn*+L>Sn3Z?xs{(2 
z5*viv@g+&Yx(Rf?=wXElN)oxy=Qn7^PlIz5<7G=o0x+`A?c2IYsL=CHpYzZ5js6Zn zCL`)^633Gr8%?M#q8mLH+JES!SPST^Fzd3D01|OZ$WMViI=cy z1H&lv85;^%phAe)I0f;_L2dI;;{I1Gc!GB$y}1XHe8fVgIS;NOtyZ$wZ9uEvhb?j)d56O5s$U)+Z5__P;-olxL1jtAmv`2b4 z!qPTpAk~gRxp5W-rVxIt_^+U#ffFKmIS&&12#V%u50)O4dfgu04%)8}L}D^WpkuPl zv`V`*qy%6jGI(7=t+guuAr5UTUnL|~38^D6N}>E0Xi9nnhT?CvF=6i7(^6T{5?89E zD1pzUsuWxT`QEC4RHP+K&zc>@h-RyM6hr5n2mglsk?r0MtPq`ZYcD|ly5wau{~|cH z2chGOp8`xRXi7qaxUN{jY;EM?$?QJyYzrbZ|7VQ3=L%i~zw2&7D1X$q*a-Y-A4$%o z7r!4#tGErk5J$$=K#v*SR=}I-c0v%x2i5jMvA&x<2hPeiSw_T4F1C=dI1ah?SE+1I z@hvv0?SI`dYw#ra1|-q!%NF`j(xu4BzLXqyWbOk4!P!|oz7gdDeo(1fUh&IgDURTx zs*P~8l-yG7Er?HwW~UF(Y%)eua7D7J`<7NJ6N~Tn#-aJ!1}piAl_~;ET{Z;ywFN?T zJA@D* zK6-FD!}Zr>Lj%<1y%A@Ha_clCFU>Gcu(3D{ZnR6+zES93v|(Fo_rhqhdb_*-vVIC< zr_(ALDP&#g8V2{dKP$Ccl+rNWXZu<@` z+#OjciVyBksL7|Dz1p}uW)(A5WouQ0+S>$bzP1nXS(<(JGSp+NCE71 zJo}Uy4y3kuJof@4W-_Q#&ll|^h~!>vVi{~6THWT@s9lS`cUXFVL*a11d5uO(v(YZ? z73sd*^3XjSKyNQb?9v8IV$@N27TE9AYX~`spL(y(T8?G~*FMO0cKf=+k9XUv00z%0 zXa~<$8!ZMdtHxF-T_w-@kPz0hLPYE~6IdpG;0;6)3@+b$1Z=Z^X5%$aL_ZWv!5>6t zKKQoA)G56|wpRYTz8i&ch!fHk^WSpr%u zZJY-=J=!gv(lFnYfm45GI__{I`^jJtXO(!xpy{O$LG{##7|4$A$eNuDLKB-5M8^0^RwWxPJi%EEX8VqmTRt zLAae16N70@H6xiK>QW!vH6emBL)IVT(2pxVvq1C+;RPilv5;`z9?$r16gjwH{SZh$8);r)hlX>hPU9S66`JFwplhQrbrX4GPcdlL}YPH?36S974$ zS$sPO4b(^`F=Lf(jc?QfU&}Ue{{m2d2{4FQzt75bJ0(fXL8wELx`5HjcL`+9L`l2i zQTTdJGhozwp?`JxLkSqmx*&PrK9rz@O4(5a`rDF8*?7MwOZ-q*{;hqMP<=S9wD0Em z+PeDL&7gKW^DW3eT?-PAyB`_9cyez>N682o2fI%=1ej)b{&H00WslnuB-o-I(}S3r z5MqGGokbZ9rnD;<dQ(A~M?cNAkac$LVV84YppEn)K-$xERbn3IU z)b=#D5gmoSXd#G(H3OdIJa(c;hovy-YuD`^I&AfP%UZZAy3xm_8Q+^)-LUJwy3!z` zp94P&g6X125sHd0PSpZq)WPKnW<(c+Q2?dmfcOgnNcCL-Ibcw((~%&9qJwecv-zas z9-|X4lOxkCL)!{45)hO@VV|YkI|PwMAQC#x_WJ>ndC_*nJB}eUfDQay7&Ei?#b+!F zRWF0V&uhEa`f8;7u~+$v^=`G_<3%#W9fPSEh=C2CZ}zP&3ONZ&Rbeum@Bz!5hD-nq z>o=%AB9qm*M~=ed;pnsIpV4T)KC(yO3IDkxyUCL7S+BAZ+K;B`-O^-=IKi&Y=-YM=#S!cDu2v2ExF-{ke5t(OY2@PUtxx{(?YlYgfP;CyT^%5*O*Evlx#R 
zvyd}8iROv9UQ(DPs`bzuQ2*Iyy>-G6Eh`F_qdXtGS!zeB;lpNmT+dcfS$R8AkpdUJVImNPK+^tP7LBOV zEND%2q60osyM}uG0mQdo!cLofqsYxPUEakJ#fT}51WqZ6nJN4ia!?Ho@*saPN|HAS zUoi$c!!L#OjowN2>4>dyxG9NuJ_RU+di)owi`CY4YnB&L+?f&(?B zdeHl73LF~9Wrn;JFM}Z`j{;nIzmnhmI%;6=ZPwkYy>hU9wwoUns3`tBoCS}}UE^9D z4N{%;k3z`KE#4I<2()05mi<~mC>U6O4$1D zXX5m&sW3e%F@gxRZ+oyHNzAb0TYo`eoRQHXjMiYB^a5pjnsF0J_zVgAf(Rnoh`k8w zHb@}jh)RG{_}?t?Wb`$H88$nZnMK`6i&o4rtVqc}o`--SiT^^8&!d;Sd2t~40q&yn zCD5w)%bnV8J+-05VM(YEE%5J}cM$6m4T>gf_jyRXLo@Qt_^RdnW(y@d9P3ue5wtov z$XC%gp=j$lCHfr5gu@(p?(bW&%4nG-&xD}Sb}jMZmCekl=;x}n)PBK7zw)XYGVJ1% zD*C_xQL`{Q!)@A)Q{{16`$m_;8b`Godh$Wzx%eMvb5KI1gB_yG3-Qg77*9zLmJ*Sv zHXnLs5xR#b;CLp^_>yvI~>ZoxUyJrFDQS zy(+?S%N@)wngu#=WqCZ92D}#pfb)B!Gogy@i=09U9M1ZsG21ScsQ&(NgpdYl=<>=H z*WQ&Qbib+!ZOJgU)8-cF{sgnC0G$xZ0)c~VaAyJjx`dZ7ow-;C&D8mYaAMzp&@~ZC zig(0j6{PgFYv|Y(ook0^^>yD{c`sEQ-zIIwl%o^&C6or|5;@gMu|E!v$q1uY)Ob?UFoIXly9wBLCG8`NbYV74rvNmEz`v#2zzhKcPh#(Q41O zuGiHTL+Sah5R0e6@0EnxKo`_;t4 z_85uqEyV6xw<|UHi^vTY4L%gu)d4K`Lik_jfoI{I++4Qg*8quKvxwh1r6LoJQCNzO z1%b02Xz`cr?e#HwoG%nU+A;c%c8vaGGPJy69%I~!75D>tn+zpGg!5hdC?9#1JzjjFF=59Vs)IUU4Nuby0_t1dqP5yYS zeS8}x)-v7hrd3_#PH(fP+FXZBev_+ATBThl0)EW+yu#i+k}R2IzZ0x=28)z-ye>oQ zew#NcfShjBfAhviud2h5vIwha#LN@^7epe*CIxKDB-Mcv>H0E2`Eu#uBn6xi$h8fs zM32uYYd@LZ*nmLF*m6e9_^9xoTR-NxACCx#zVK?MM6LtiZriuOZuMjrUM@$Y28n~A z5G@48`5b0Q1eT1Diu7h=Uln?iATZUf-b5k0^%RI{Fiu!y68$Qn9~SOYK~O-We|KwG zF^iOrUEuxmV<5I|{>D%8m(xt^801TN{Y2 z2HC+H3H2Tr2z?Z>^KinKC@qGRoVvCtPBb9_tV0c9V~8vJxfRPHFy1qHtp!M@=;PSq zr^(;YYE)F4LkeTrBC$@m6Tw>Av9)Be`jUo=7_8bdpfN{0J)IC>8Y+&Hb>fplC&zVr zvKOyteoMe)l}f6l75UJnoMaE39-hwihB&Rj#r@#*I(YzZ`2K^OYJf}-b`ZIQNGd1n z0P!zS24Z7Fs!)uzb;+V6kXnlHq;rJ~&=OgmC`^o%WGTLqf=T6kp0TNC2!dKY;DVMl zC(KwGQ~C+n!jidLG3!<~IC+<)=lp3J6JKnYs=~N;4?Z6RGy2t(d9_-V-02vrpS(oB z^D;hmJIx#+&3k5r(FeqxU@A(2A(nCzIr3$+x@>1OQ8=zJ`Aaii$^v;e8s>6Dd04X1 zqJ3h`9hbpv>CtvpuOmWign&m=-*2SJ2(-U5YY`5qVK>Q(SZZ@u_!FI4Sz`n3%yVxM}f%vq|Gako!j!UiS0ZswXaV05V+XHx1C5x>wi3W;lVRcfnPLU{t}DpLI1cPi`*pQforuD;Y%s4?*Z 
zrN*(fFO+Hn-qIIO0Iz#!#DxWC6X-kpF;i5)eEbXid}va1QU50cgio{{?%dqGjOD?4|VAJP=}GM+@{|Zwql(>0^863=2Us>BV3EqJoBDEIxuzG z1BPE1_rp#9BHcQ$R`G4IiWz7@#S9UW>}uOj`*dH#z+A_^w`%?!uKnp4L|dDx%g<_y z($J@*Dg5TN2l7w01PKsP2(*UMn^HKH(bsiL=Yps&Kbiuf+arqbl!N4WrcL9Az7e0^ zg}AAtT|}9BXJTf;J|CCyQ#t#w`@V#Oo7Ktp!E-WnsqE--^XAP}U5eC{ z{#o%o?}$qUWR&Kz1_MvWnvh^<@iMK^2OfN!L(7078nu97ui~}G(T~_REHL?F@l;T% ztME~xYO6n6`^Y zz%RrnJH{Pid@ckMTUns25UdHWcHzLqG5y2aA#9vOCxec>Z&f?Q5b4?Kv5F>$-|+UHh9! z2%vQ%Yp#~r757C46!)35-!vq)VdcV$bEQjm6zWpHYI}3}gb2-kIzpc(nDFR#z+8;S zWm?=HWrpla4nV0zhG45s&&Yv8Z^)uIJ@Zx2re48z&hhLrSwiS7cf+h$Tu};tUGDzmS{cW|C9C2Ibs4 zYuXnnEYY0IK?+Z}hi;4#|BHLL-Z}(H%JTEkD2yb*kL!V)#UZ02oB7BncRX#Cr&1k=yrpD->24dIoj?8MM&Z^Jg%Q!J>m1dpaHmuiY^p$W43KOo1u4NcaPk3c; z1&PHN4;?|0mFGME{s%}v_4Yg74yoQPIfw^)%-wV9XIHpr){X^$NQx$oTyvJ}HI z7;fBrJXWrcr@v%E_##N6SjFGM3A=cG9<3(jkIn^A#<6% zr9Pp|51++CqL^O|q!!JyWqe!V+n+10~qn~10_ zS~;4#i6^nqbFy@_?wbD4JQ3H(Edlr9w31-b#KVQsdlf z$k6e8=bV3l1eGfmcCtBR<;O%`9LK0Tkk+P!BneV=50BnM?T;BQJjz#eVn4z<;f(p_gS~?bz=gFM1zw3S$f&>yM7F zzL<()bFQ0jTd`YXvj_pxw^3!>?|Zc*NrN%tTYo_TpPT7oF*pcLCPv+e^ATPmz!-S3TYgvCs zVWp(|y84cy*sHP1Ddc$Y2lp>P_GgiRoSiT&T2K&2wFWi+jG~V zyT>T3VtrP&>99Q?3(mQOWMNseRZx_dP^^q7m&M?8#SDHslf__TvnX1Z_~-#7#Sk_Q zY^&(K7Kh0$pjP9R0XHNKfU8Af2I}}C`~Kb#U2wP(a4y=HHdK9;pVqu9le#QYn9+>l zls&jv!G9qa(%D2H&6hn!BkpSgr<_C^?Jvm_QWWHZn5Ga_(P(8rP|Zb zR!U-YA-jfBYprq~9pDpfKiopUjH0uGsDCl`vXZ)OuX{o`E{BHdq)$^-@u*~Cr=J?7 z+Oat2{pFZf`|D1Vk&EuVP3Hk{YMt?;;`iZtfp#1UZZbylMbB<;U&o0iVl)Q|r==G| z+fa$qc%k35I&RTR31h3;eDkpuVm%{M8XnCX2J+?OfvF$Ef=Z#Sy^g)6Zo+#V13bwy zPO8hEh+Z0al1@xV+qLHf5IuYTv_CWkvY`SpNP`FP?tx zmT2lHWq8J2YDHzWd667Qj~XELR&Fh8Oz!q#A~u@XB+M|$lMO~qaLruu@H^LQ46JIRyI8 ziXh=H?UiFV@oXU}ZI@sjwf#aVJf-`q$at{&&j%+b&ND2z%gJ|^b(E$b z1}c6FMMG+y)yMagNPii@slsqubfa%o^D$r)h)c?JhRlg1j8Y|z8p$OTUzJ!=n}V%D z`LU%2g=S5*RXsMiSC>-YWJsniEX3%BkQG6#l=o8?^fpOPK6BcB1k%z|3}0q`(5QR` zv)FRSsqCM@D5)YEPMJ1OgT{#oGz#jHkTP7Go>JxyU)xIDK(Z9TnNt*bb!0cEx@(QtLPdge;eZ_Vr(eHM*?B$;zOxC>RvR2HXCWg 
z-1D>Tp;NUlrkL}B>RPj$LZ3r0mUaX436Bl7F+y#Mo(%Xii1jx4tTlceZtzp=t6p2Sg3G%ZhX>mXLdi$FK@j{V5s`Hu2yddg48A^H=7r@3dNzp+0v4NxIxp<<1Q^W zw8j!PDoKUJew+3@GzJu;2-OYKOmR%VZhR3*!Jc%2EhQhyH~7v1vdBh7lS2e56{Dv) z%sr(Yr^kN=qa?X#IBzO2i1|sz?fpbp*?u^QQ)9fkbetvEjAw%a9q|YSUbMdydIP_$ zv}1OlB*T*9ym94SQGVzpdeTACa|w|)gAkYGq%ybd4PHHjZHdMN?|hL~T#;lYpiJ|m ztNEbPx*k@X%OeTS8}g8$ZKEJT=DxXLQ5PVT-%saMH{f0Cca~+{m}^v$&7%LL9$`KmNTRVU~NI z?x>$4>i^qn7Kom*tDk*kCD?KmgYKB~%F2(;upbvS7ygs_95e(lIbaK37o^hz(HLjc z8myu#{wdxDa%V`%uUyX>hBKx(&D<};E7xuLNY$qjUk5Hw%6;}ms zulsu&*1^(ggx4C4>9zNbW~o!^GE2RC>gH?|sj=61%7r}GiaD3mRaTW-ERpTL_PjFL z*Zewo5v@96) zYwDZYm@0u%;DTVr^jn}Jvcb1gKzkExH7EvOH~i({VoO9h96l~NDc{m0#7H zW8+zddqb;AvN7@yM%`C;@uGe@h>$*Glz9Qfd8`@KALM(J?t42ebPN0jz1ifJcnofA z7T0Gv&L!HlWa{R-%p?k`lnQA#ApH;`r8)%@Xt1at3RvS`#io;y%$F2|dbl42?11bb z!%t{L+=jM?w&54}nGZzx1}IJAM2gi1_d`G3oqr75_=~MpG)9=aN63rdj)4zRpy1~A z{TXnEH_bA#kynK-`um=kycAol9?xoV)OD6}%V&JTRYm z4>@C}g zXI!<6?jj^*ydY0eK~w0pb&7LGvsL*!g#XAKQkra=>Ilt7>I1E%vZmvK(7UmYzkJ^- z4TjAVq>V9rd1UDIi3ko@(-vX<6y2eS!yx6W;dK@K(zeg!$Fm@T=5w<#b!h}h2P(9O z?(t9?vB#-9P3+e~ZdY&kKSR{@QeD81>Ms_MrFeczF+rzELdxB(h#BY~F`9S$9@c;P z@%UTV5Rh4hSb@yKGkCL9Qs4z<*sAIf1~`kBVvbsLluAwlv6F#zY?KL?z;+1zS(e|)l;gX(pM0JQ zi4w}=+@io40mTD@6+I|6LF}#pmf_oZ-Rn$lwjELh4+u!Be}4e?JK`xas*++MPIqHn ztSnSiGn^Wzf^!loE;FF^^C+_{EFdCwK9A|^SWkdNAbB$sBZzyvJB^dXwwyMRqjsw< z)M3Q{oYdH9(h%q;;{6P4zxFz_vaLx z$yvrgw~LZ0n7ReB```!^#eogblz77qNJcG3fIMBNg^waV6Xv*=ReO%o1}8e*;0u#V zN!>=o^+2}7K{Z6LxIlr85-i({os!@M=ik+V z>_%6O2loq1;zmweN*k6GZBnaj3-@QY)rbD$lTb9|JYpY zNXJ4$ITZo%%0$=2U9XeMX3&u&5FEhea<@>Mmm1Gb0mE4e>{utI}`Ju15dpxBd$Jt|Arz0BG2eO)c zht#DE!b>|)!u*Y?9T`J)|EvO)!ZH%YdoNaK))p?Y-|d=2ib^FId)}iW0es1}Kfd@! 
zOY!Ej#cQ#BISz~wKJ#)az{&o!#xQ#>pZ`AKs6~dnVVxoz*U(9TP*+k3nQ3&m-xMU0 zTl}Lu+ff0{suJjEV0UR{g zD<8lbG=@(8W0+mCpK8s`qGQKSzhC7WlmiLA#0j1Hca&c6L(09%WO5G*hg3t@Q8$SRIWTb{d} z*Ge!rUD3IaBy6BuXMT~#k9%(`ke4_NuCXr=MOGMAgXVd&{2w;+J_TZ00kNs-&qQGb z#O4=$iZ+}khs}%0b}Ba;H}eblN1UdSqwI2KD<+a|mi4Pf5i`FA+uS9I2a(4iqwiU^aZ6e& z)k~2m=DqbfZJ8!}`@;XVVW6~k_%f;Q)7h%I_e>1}RYt)H(}E2MCem8j`|XVg_fxJyvivVP|~LF!UnL>=AJ>88UVctydby=+X8H+>fH%4p`-Ge z*U>X$p1qi@-8z}gl!sCB{Jw8hh@`ZViOMu_7-W9K2w~>XbG(D?Ogr3Mcr-HGf0JR zMUJ6gpn_`$xKT2m9-Lwc4-S(QKpVuCU4dZ-Qi8tJy)E$97{k@m){8{(Po%K< zkI}{r+eACkxDPWcZKXu;$Mvxh)fGR$q{pqt%55EZi!-|RW5owP#=F+f*p_Yh0&UA~ zGVi{yB9Ebc7L&yMvQIU;qz*0O#FZ$!2Ww9^?#(9Cm&CvocwR3+8yj+H+{q$gs9|D^gU8!2PO;a37lQ@JZbbcK2)K7~z0=6;JsKFi%*A09;3$|OQoMg?~{{$MZpZJ+Wz z#6F7JtI#(+g3>Sj3Z3J4Ff+xgA@*E50nUZ4Y0L;{I|;;Q@B|EliuLVG55`?K!<#=| zC3BB;R&5yVfRDBvX~2hu%9tYuV%Le?Mlz=IxnVPQJ!_pV0)t11PZ0P6Sd#`0Bd zVS@t$ut4wvOw6Un8zLhPdy?%2gD0q~=lf0vla6&OOesA@9zdyfyTBW{r-Ej6tD4U2xyoii z=2!2Yptv8$98I*nY%5+sfFQvsfs*mF`~KE!xGciOGcp5st6CWMGM>5s?zTY*hH^G&tQ#ZaHK0-M6gnMhDPE zR>T&C6c68FLr`VNs{#@tB)^jI#2IG&B#^oM2jJg`{3lwvheD8A?r%_9N~q*smaxEU z%Bu#46yK;l;xY}`_p9rOOV_NK@gnZcDx{6pVTXila1k2e+{?BL2n;%9+G$+%=i(5# z#=VD3dE-z#+4`>J=a~Ec&ttDyW8zuz@!?rkTsLH92ZUmeVyg6X zLhbix@A@Ju2b4nu-vDk#!+1#dM7wgJ|5BG;g2h}> ze(J?P8q`l&=jF^fqr=@uG|y)BiN+%FJYpw}RNk{<=K>!4Vu&fkcT4hH#)q)iKT1zB z;3k)K!fyrQok@l$r5idt2?Aa|mp34YAP50-*T5*IG#9GT;T?r#-2VS0Kr_yu-^%2q zUq%HpU>ysptlav*m9Mv;cas;IU`y;#DHzxC=p$g0N``=oDhaxbVpCN4YPRo zy(#cSv*92qZNO-scqVYGx~yw|N3opfJ)S(klT}(IzrDSca-{>R&2oeaiq9m~yY9Z) zv@o+?B?fVzAoratk1_z|h)hgdjb+)%55mZHlzv2?Ox)23x!a#Sm;2vIDLLlmt zVD48k%B(78pENV5Ai3(V$jNaRIEMf=-X7+@5hONF<1BvYS&jj$RwOzT$OGyO{A~(S z%m35Bp?&g_FHZ`RO39*p+<_&`$?IBiryCeUw#juNA1ZP}OPGvqR@SdcZqcHTQ-28D zZ3`+ln%KJuWNU0D9A9oG3*2`w4C6|`oI6}80az|OD2qr!d7aXS#QXQ?+pREr&G`6w z%_?RNb&`pxWfgl8TEN6bI zlK*u=R-1g*6Sr}eJBf=DebWwe9g4AX_>M=JMacii^lQr$1NS8BwArFl;t-}~n#)MR z9lX)G|Aq#HL$KX4zyhVSH+gQ)k@`lptHsxge3CBjO9>)ml=yQXtBt1*1-L{RoAJm{ 
zq11_$h7VF^5U>@~L_oxb$NN+$BcU5nym3zKe8suJklc|=ph0IWhi4v6YrcC>p4~-a zH<8CuCfoQ?-Iz$LnE%>JR85LwvSTl>QuJ$qM%Ch8;p0K_-N$ePlq%S2koo@byQ4Seg|B@Ac{{HEvSzLJz(MJ|z=u zYVnX61Ykbd@8NhpVcOECG4pVrcva0X7qhFeR@DSzYM1){#B@Z9Sb6POnR~dX1ZRe) zzxJI(?4-7B0C8^8_nc0%Gz{YR6ik*xiYTGMx1dwXNc}n7xHS`yo1Y9LL}xw8Ky(mo zcN6{(9dl~JW|;PeX`lECi83r1D7O9K&C#ZnYX+uKMWvfxpG^e8TZ*EthR!TVU7^vf zPJHS%-l@FbYX>-~yB5^8wb<61t4^A@)iSk~zQ7sI9~0o))k;W_q@q=&u~4;2YS6hY zD;Z~|w)60ss?*W0g6&5%s%r+_FFn_ljoy7(O?y25UE#HD2p}ZyAHafZ&VNg%niY5W zmaMw%sK<=3Dr_F{IG`6`I(0rY6A^gaAd353vSZr%@j?^Bgv_oh$~|gSvNU1Xdm3k2 zjxW=z&X?n6&k6sR5*#o^hd9Wv$7$dP!H(n*7$9!>YvDs2Z|+;fEyJq?iqui!o1r#n zw}VKbAcP}0@%)Un(h=cR2MD3cJ_i7N6HK`9)J=Iu1-`E2Mbwp~G7>$5 z6yG+;AP*kp|6>#RKm*)dqwW1)milEqWf1##hx6U?=S(zZ0raHIZ}sa9R?DM2A|cG; zOrPY=6P;~_N$6kOob2KkiptWWDEWEy*#e~dpc??#*K?nFWT2&6ih*sa@r1~)x#(sLd2mIit?`2hGKXH1W`J7D)FeOy@hZRK>vx#Elm7i&mSo6eplg_5 zPSf2t{qYVzyNYWLzd0e)J|GgE*zIYCa4`E&EER%BdnUyXFWXcN;9zmvRYk z&w;f%D3U#@6;$#jeR;|>SHry|)=XlF5Q5~23y5UG4=JWW(S%xJb!J9_oV871M!Tl# z5V5>$b`~-=-AaIsDU}5TuWuHZS=Q!5fg z%Y9eF0s~Y2a{l2u!_>?-g=o_buEa{*DX@+WtQ!x(QI3=K+D{VmxsvP=o~avMGT;ip z_7R45&(szJB{XVH9tqu8K1)P#-o}LTji$CO1DqF~tGFsU5o8K+?9Say3os7xMsi`d zE@Cf8iK9tpzR~r z5=>rO{Wi10TM2k{(dK{k+opbzyAT=b+yLIV6MI?X-Jz!}P?M_v4qMuYpZ=s*Atj|6 z(@?Qzr4o$z<%UhtMo0T2`XOZT5`o=Byy?rM_5aF9bjK(^ngOwV*LtSJTCCriN^;5a z6B)9l1q~0bg52pMp^IOmk)*8`VG_)@pPzjg;3t*}{)@UUb1(;&ILY$nUvt<|%D+y5 zy?OO6)nM-kxkidPC`L*mP(g0|ctel$E9a83|Lx; zC^xjFHw(wfVvh^=@jr~30Y8BZ_4^9;%5~+mnq$xB_6m((BBL&jJWQ7co-c;t*IO^_ z_m~*i*Yy{Q>@N(Di{Ij#OwITb?|{42@e^lM#)-vbBSxRMe&6$Foh^($)I)PuIL8f` z=Yis{Dd63^I#o@TQlD`gn`h@sSXClZE zJPY#AnI)bxkm8l%E3-dIG*=vbwegQa5VC#`5h7$Joyx4t*WwZ>dF{ysK`MUEx|dR1 z+EzvbKp*6`z2qyQfI()r*4UAIh=Y}h1LaO`^QjgG>=@ zY!3~@V)*Q|re%tHvCtidy%~Z%+50lkv7~SD7Rsa&2s!};(Zh5DeKz-%cYZprUG%3T zU3zb`@Y#M{o(3N{80#O8r8jmck9}{=;cxi#J(x~~Uxhz>@2#y&a!Hb z+z?*7Cy41uY*QZl$8N&D>lHd`KRQqve{HRI1ESSbl&kpsrI;ne(^;` zi~jlzn&B|dpZJl@H+|wW)&0KcwVB0;NK|OM+LUY?S}@G3luyu!q4s_CRcg1MVIieM z1KaFGQNElG82|ewxM?dZcGC 
z)A^fuRVQl63ELpqkE#hm`kFvm%R#7Q{K=RhX8_+k& zjZRG<6L>p1oybr#Ar_!JvDIpTM)ch}W7fVZS$nup1f053TxiZwHg5-jg7cR!Om6B))?H+=Gz-zM~0tnGD@e9*f0j;mxARI>b1I)d5U1Qwq% zA&D~{^K-~u9DMQql8*`Y;AETG%?*%zMwt_G*^;fEMib^4#L8ZqFy8ookRXT+eUrgN zT0n4iQ;kW>MP2pjhZY4jJhVGa7R&4v`XcdmkKN$j0$x;38vA=0&fZHanX5qOlq+N- z?CRtk9QdLMK>ksxW{xw}B$bIv^X66mUbicGhxL|q`;qNVJxfNE*q;!2 z@ThR#$Fc55rPJ6)sYQ<8GlJxM-IiZP%w<qHVL8>(e#r;3|pP71+jn0?TB9|bo%*xxuLThq7V>MbSJaN zOFaNA@9j~5MAKPR7M8E2O6j?Zdf5Kq*=izYeSq3Gt6PD=UZ$^6qUU-rq=t>WTk$4s zNVu+sia^9icOQ&5!CiKj0N3F|%If{VNhyr(i^zg1$c#*WDf0lkI6Mu`yOIgaea#Ou zL3s-`m7SY3v)QZUri+$(a$GxbF!FCP!&%1)Xx=kGg{NNX(}$OdZ7;d`ERLJU5jZ)r zqsIJI@VIb+z3V^o?Ump}Ik2IFGe^teesj^t^jn`nILLox$pWWbl5q-Gp}=G7@y>)w zVx{@)yvCU!QFokFZK0ABXDw-~g6zLKO_2hrpQ=@<=VW^M zI^+BfOe=jr@{~x-)hG8Hq|1n#Klp2M=wfIYQA|&!FQ+z|nA4@X-9NbxG`Qjq9LRR| zkPB=EZ!U!ODR?8~ItFsQpOpFMB&5GeK@g_afMs)@aQ)xB|7Ina?J+|xa-z2~Eg39- zi^Fazp9^WQVRK*?3DEN+>m3K>jVBsS$MmI7ps^4fmkc2rG(O+q%>;JlOR+nYC?e*v ztE<*H8nV!(o&kiu81yEy>~MmUYpmBAD7VSNoU@-{VuRxwOBxf&C@W=lu&6aMu97WH z;ZJ^^4|8ai6b98AUp>XycD~fTqo0#Nf>d*VxY7H8rr~|#e`Gdr=Wx3K@;|eR4Vn4q zT5&qZcBO&kwA(d;K@%XKbNUgBN@_j3$q1b(*SZDRv+bvGemG-Wd$i3Sk<+_z^AyQ_ z?=(Jn+28tHdt|bh_>S>0mSJv?#}O-}dVdnxBy)8Zd2e*!0yY*!PexB)9kL-r-el#z zt(WDtUN7us|0PLr<665}#P#)XU;KMSLz%Low-pQ*F<0l)z`kW|&08fe4d5l-m@oG1 z!)f{Tz0t(VkMWT*#j_oA^dnNY{b>(}76sOln(O(?<)x+egnu@?G%INBb7(7|s%kj?W34r9%&;G3Nv& zeb7dj;f?D@vJ&y;%gfe72#2lA!({OWu}tdB1kYreLxekC|j z_%F$d^1eUcJ@<(&T{s^R@?Rz(pmZmuoBWRNmeNKJNtU}VlNQJIn47HlK|$qH zbNne5ShU0ePit>p9!!>V@A1vPXW*NC30_oAlL>5A`MQ|6@+L*yrkAadp;cyE-5O=` z(XCYR-3!Al?p-G#UZE*A)H#kOWO;sJI_2;J+iQ-1CBK&NhRQpWhTVd21NrN4MFk9w z8)B>|j!*^`bF?5mG!JsI0DmtP0& zztk5eU0`i5P_{_4(Fo)aG;d@?&KYoU9~Q<#+&czTu!3V5vUk-sB9Y+1VsMqDa*Zm>9c^B5r*TusY-Xs0X;e^gyuf8*nxVcZlD@e^J9qmuQ4f@~^jFvSC!e9^ks>H0EqM4}8SV*(h`psT9EiwO&A;vh z#+a25XsNak42D(+sx`0M&fB;ZN&tVz8Kzfx@T^d<4Q;44-FOyVB#uJXjO;C>%@Y(9 z$wV|-bn#Lws+zsH7a)T7*&Dj^i_tTd-aP79w+8B1fmY#ahh=4Cx%io=5;=QFw{>O6 zx4=*EJFS_IKdC*IBvd%#*m&Y_-xsF9z9!Tar@O>cn*lP9r(??&0-^{{$$_WlXh%}v 
z{kswU3H-77cZZ=gRQw-}6rn6w*tzW0-I~H~QC#A2CxwnpIO5M5LV%~C1BeL6@B)JR z?ck`a-DcrpxMkeDin3o|fOYRgZ1Senue;J>yC{Vw8qLL@v_^OLTXlanUE()Sx)2ty z3d9oBg0@k`k$bNWbExZ`7X5ZR54ib-_a(8L6LEJ^j9G;cPuSQ~$v$+9GYsku!nZ} zg3E1rA|(XT?M7Hq#>SJd=G4?}VC4@_P2uM?UYPCZDg}@#v&MQR-KADMV=%gJ+G+TrT)`dF0Kd>>$MAS>{Dby5HQig%ih!-N;0Z+($wh)=g@=`ZI+JlDaB`JPh z+a|=D|Nh^X!@jkbrCe^8p##5Ms5#2=TjNW$3Q9o}aZ)f*X7A~l)d9K1<(?>bj&;wm ziLHZ7c@CX<@wi$An;>^fKeO{1RCS=#)buY@V_^4+ZIC;Sn0eSoULxroTqZ&86tMrGfw|>ThYN%TE)W``=2&9}mZecYk~dT{=Phq!f?g^= z%Z6q140DrGr*cA#3WlR%|Sc+c*^jIssz>MGtSn zaHn7NX-pnMiA(7*G0Gab_=+G5W^JpPPjF!~ABz0Yj(_L+C0UFebs0spgf!{Rt_T=(_HNppXr04)qTgnn}sf24-O(rtLq!dRRTJ(t8o44@l9CP}i zyK%F6zp>evOu-zFbob1cRY^CvXNS+b-UV>bZ7hfG&s`)Z;%O2LIDhTNzplx9sZ?v< z^mBGcsPOBUS#yq7!5yH1Cf-I@k?jprQalDwIuP?!mtCM~`2Rqv5f}MyA=b`0L@e#< z@s>cc5>1IvR%%nIfh8z3l~bdR7n3ozND2Dn=XMvRj5nmUht=`oOpjBumAzRdH`1v* zRYdh;EcU%$^1uw>w$Wod;;P0r`V;Vcd((y>-oEn)800o?*;V2;rWN?#`ViiHDrmeB z^dK;DWAb+d$W^jJXz0b!laqpc`^E7du?!@RQ#q*Dheb*hS{_mVMJM)8G3T5|W`Mdk zaE|?WW>NfOc!M{13x<^ee%_;jzicSfc){VyPC4Y9$Ghx{o%}wU)-e|rUAJY&?Wo@; z1UDAxWnTik&(_YqzB{rxI=TANGupytWsW->l^BeOsC06h#bLpvs8x=iLzh*+h)!Z% zyuSBk=U5Cr==U?1tOn983NL6XIx{nU*0_!;zx({;u8DCVvRhE2Bt&O)=w4)-V4|Cx zL=sb<6lAiWKm*HtUUYe+cq(ebeH=5R< z8wG#VDOmm-_q?n6h0krBZ>Qpf74HEOgl$s?OxNGTX1BYx#5c0*zs|dK+Ny?6%piq1nFNm;{wZ zR43|yzXqmY%8v#bNBQ_n5*4RewWs|=j1M5tbHP6rwf?xCzWjEtVkHb3qX1T3gro@( z1m)mUbEL2>Y+gMnBK8kTk#zGW=P9r7o)%-heG)`g5#)+2B(LYakTA9**1i=vG<+{8 zs-h5ABqM~LWh4c@j3=QaAA{*Uz@)qr)HaCPQQ<#FiIGz}98IUXo8igem|sk^I9Edr z&5#xUb+RVLwWzG15?x8mDMjPPJHc-w_UfRE-?|(bu%yIjL~`T|5(Ji5=;# z72GXOwg09r2zPL#T^Q+7Q-Zf)-2k_l!u^;_eH&BAX=HZ~izR~)@D^@A-L z!7}L7`HY<7&~Y{%dW}lU=^o%dj7haru=c7n#tW!qx|?hPL?n6%Zl0RIlF(|TA#KvG zg$)Gb5O9qk)l~d7`F7`=3RZx+iq$d50jU&6b@{qZ-;>}HEXcxdUG}8B_?i#*2tU#R z>(F)A*&inXr!uB6NF8xo@Z)dvU3XGwD4A$hJvzwWn~W>64I<7JGaS_3NlxS@uk{_$Z*8+kMb5&@5uVzffaU}BSfsJ2Le>b(wUQ$RyB&L9Pma5fe%| zB|wymsqcpf3`kDiA<98w9Q{3HQ4YBx937e&miz9AK6o9GAIgUrD;+x*zu;LdvgP%tCqGyKsQ)q4jMay!fl+|+ 
z+h_sc=kC###pH-mC-w98V7$PNCy{|IAGYM!Dk~H~M-qG2$5tw5UC1>;!F8W7j}zZS z9}ky+shjg%SoI-rX5lSw*M$$3#g&gDSZ8xKG&-vCbx4h^Fa9m^rM6a$wkUNo-Bwve zvG&&!cMVN_Sdd8?@)w70EVq&}tpO2KVz0FpOw51%Plo)OhvDx-!*4(8LK9KV%E4J1 zl~9}GNFmFnrmc?xom2cz9zUEQg{%+5%H^StpzbGS8&|nU4vXgZ?Gmo6yfAbFdwHYLA{}s{!gTzJJV3Dkfw>6%_NXA5a$E zb02{^gja& z`}q!}v1lN*tIVQjgm@KN+o3x!7$r@B&7J$5u>7q^gDhM-!;6{R_EYP8eHn?yaMz#=Bz>Vg?jaakY(vdf&%BJ zdd$-0i|5ZuE|k|m{D)aPrXMPaXVF6}^*pn2a!b0_)rNnhM)6s?reA5S`zYVGwVM4! z1ph(_B-A~yr&9S8HBpfkI@;uZMXnWqgRP1wG_;8Fh-4Cvf2BqaWq^l>g8eP`QI{Vk zWw-Ub$PD*{O06!%2|PZ|!^6yH zKGfR>)~Cl{GQA$9=}a!VgD5!1iKsmV^%>yZD6rI-x&rkic|~8Y*IWWChU1FPzR?~0 zm6rRyIay4d>Jt{HTScu}mK-u?%9P8RX7?zwUoZXHC6k2KX4ZXa3$$0p)jM2vJSAqK z*pP9@p)`Ir3HnX_V}8?<5A87m(#+j!OvQ)aF)Q^JeM2i zvn0qe@BO)#L4)c%<90Qe>}bb?3ZzJlkBvCyCg2MA2ym4<$x)N?gH>N zy)vac`PwIZ#-88JLjd=nb&VA>a^(nw>9E|9Zo8Je8Rr|htIWnC;L584oj1lFq-7%# z)k;X|zuNSKnhiizy~T}dPU^J8F|k5%ymd?QND6I}<^x~z0wbZSLYYrPnaCJqs2ZNr zW=}}|W!%9$KuC&~d8_6oDC=rKP}T^6ymd_RmxbknU(1Q%d2ex5Nv2;!TUBw@AAH}9 z+f!OaNog1bCb7`Xv=3Ltg&Cq4oSKrzl}mx9klIv3`*c2Grq=)EN^}mnQEWXL6Ck(~ zL}>P^N?dnTVr?gwy149dROV(TeF+Azb}e>QRWBq#o$}1`n~6d+EnuvH8aL$S7%>DkvqXobsv1yT z7nM9CGkmMr{|m4ZkDLr3z{dXpn1v=4C(y=V5(qrzv|#B}n6nR)2GlFj{`b$nwP=1D zoR6pzs1{FTp!_~eYJr6=&s(_B)v!n;{_eNpyVP~Pp`DOnzqoX9nOxG2hfF52i>PkhW;zeGTH zGCix3kq9_nh3cQiaVv+t|qIc`j>;%5;gr8J||iZfKi z2FP9{)CFnE>A9x58Li%&mCbV6mZASm>GX!XT*td^ZUQ)^mxiR3^pyaEXdU5ryb>qm z)tO>@E`VZ1y>7Z}2Be322G6dO1>P1)_|n&!EGD>zq;(DIgFk_yl^dn4TZ^O(?AP4H z;3%&sU+FLC!LMy;LnMH0dp9ord1u0_asf_AC?qldcO%JLTa%Ca%Erxcr8H z1?|`!!Fiu`GnJYgRV}lH@(5gelS$nkPHYzYBp-aw$gVU~nN(IK;cIwNBHHxKosN>r z&2EJv3?d8sZM=M6rjk0k4!sTang(~_TN?k{Eu8{*qx0_~`Iti-l3)@J+Rn0Ql6&D3 zH0=jjc054kydSXRf8NZqyEJW7bNE)=9i%6AMBJ}~e z{UkIRTPDo(U?qAnQug6r|KlTriW?HwkpW~bB?Ko86sg?R>v0aSDW~N8uU1AUOS#^^ zyM^&zer)9$=Xb!dO?wWL1QHl_m|#sj!5C?!SLkCGo^mg|(w#;OnVrwhnu4|J=Vn`q zJg`l8GL?B~UoCL{^tI!DqFilUI3;Z{rEeAgX=eGxxGbf{?$4Zcfwg>!cL;cwYIkiW zJj#VYk_&|084!cC+M^2>h%Nn|LZ}%V8+Dd}(le$LbaO^w{-%P_z1CHF&GHt|l{=1i z?V~I3xo47(JwHvZ 
zV2JzlW8~_#XRHJV!Ub7rF*Ir|F1H5;#U6sGx4_>kTm-}+%rj!(bJXALk>Ml?0~rPk zrVLLS#e!n5xn*e+$)guM2AnOr-<4_=ZW~_#r-mAma8)+!hId`dwTn`!j)gP8@e!t7 zjZ_>$nMzkz_E59=VcodhXlRJF&(M$-Qut4->!O>7nS`Y)vc#6ZCyK1!xPt&u57@Z2 zQ+o1lD7np%=jhA{vmn8H64%LB!*o%_Y3PcbC6Jzgp9sflyw0Ysx5sz!hXX; zh0pXTP$?t^=L&*4vNR^>$qMQuh}7le=-N7e=`(DP+r_}K4lo7Gy{psQ1&6p!2BttDV(Rco)9&{!!lbvH5qAxNOBM z#zw3j3i)yUd1%5Bb&V66JMAlYj_-9DwCB6ZIQ1i8!M6~K!8|q(lWJh}l^ac=I{1kx zPA+gLFI&aGoaGJz9ez>eWb(U{Lu>3N(v${-T}Tt}3ptnO4B7h-|A*!MTn|#-9 z(OrIm4HBH`P6jdUS`>h7u9sBQ-bvgH@lR%}L%r_17HS&10oDU)At1l^Ta(MS3$ZF>VyKWy5|A~}D`U#Kv^yZnz)Ve(J6=kGrsrL2X@WZ|Z2 zYA`Lu&CY2#%P)}wr$(C8aH-hG`4NqcG94+Z71K=-0zcqYvo^lT!&`Q%$_}S@^yN4G7dvV zmJg z4sVY+$U-Zc{M?&L#2N5ulAf&T7LRS^6u#i`v9g8ILp2UP=E0Mgcyi2M?DJTv}sQTn+A0AJ_UZt$h4#+ZoXkZr5a#e*vrTU-pTwrPfh#O^_Z<*Qnqnw zbvH3-Djr9%{XMiS?O!oerQN<&thdmH2*`=JIUnT5GLMXXswNHFw;SDRPl>6jA}x+L zg+Ru_0`O!W;X8<=As@!fh9hTfa#SzEZ<+{LnPpa_=mn=v&hcXrCaB;ArmfYPa8YMAt|xst@ffXJqeT zIa%hrO{$9@+G&Z9io^!Ecnv3m>1%x1H;vARsf?_+TQpKsKkrpm7eA(+^O2kTf` z`%T3{Z1{c@?2B=8`&3&Ne=s3R-r6Rv3EVG?+;j{iQ9^$HNck97G0|sM7{6k1 zBJbezE88yS5A@k>z2@w4a;sWjn)NICwv9zH8IxYLI$>F-922YrG``QWZmmIAMc;GOX2++JPnXe%9z07 z=|m!wL|39?h1Cs4fq^QMgsA?sTqP`tOq2se z1Qov@E3uHW+iV!j;nU;I4C;d2zxRI1Dl?F#UAhH$?@457Up{d;VJ_8KP&_?`K=CDC z3EuUQSTtu!XZl6p;+VP_nyDp`7g=gvlK1wX;}+%nYiO!>PDOGUMnzFf4D>Wb|IVa=2%%4_z2&<0X8$DCL;ZdKt6vwjyxmPK34 zb?z-{9rAY2Mk+0ystSb~jg~5(17aFfFEsj`8O@-cVtqMWx8kzDo}%qO(~K|6@U)}# z7jg$^$ygl;E9n!s{8qBXJy9v{L9f-7c@}6_fCInD>3bc>VD|sT=MOfUd0cT|ids!b z)|Anvq@_h7=wlHk)o?dEu&AyT{$8;yzE6J;eWL6q!P^u3?D(R&OP?aLt|p@3N7o1$ z>c1Nxfs7Cn6JRDeO|$-HkM#zcXom{s<|Gh$t5gOpS;mgC z!Ynh%lBiDkGTZO3vSIpSHq|URC7G{Tyl0fUgqRcyRTs{ae!a$to+w<&8r@h4z5fxk zgOX0`AM26tobJfnrrHdsT5LOOh^t7QEMc`2GZB)4T+(&2aCj$VEIVhFCy0#^l1;OQ zmDkoI*e>IH?L=?wvwXDBZJbSy$-WVZJakDti$}TK0H ztXwk~4}O5eQ|Q;87Z#ct(!p2B+(uud54%L1aE0!_)(6Wef3G3wIX#RLpD0 zaciqOg}2wrRcg;es2nPREtTjzEMBG*@eXu#@&ZQ~QlRY&fR77xy4S|@ZW~bRd_(Ir ziZ9|*#!5&Rm6HTiZ%M=NJqW|h#JZUrXF|!MvQ=eJ8cYB2Hj}-s)x+2NYI%V5N~sQ0 
zjTKnoJ^FlC%eBdtS}nZcjS`PAr}X?`&>jWZOjg7^yG2@n_HUy}cv4Z)t+*O{=qUjS$G ztVcPBqqoD><7%X}g;EXBVMzTlH=Jxf{8rw$eRZiD?zyin$- zqP6rOxx)9a#88^>?14WkhAc*!Vj=Ad{b`^@lhME^!FN_}!u?11{@EQ#8aad%eS#mL zDD@>K4|jIC9|oQGCKVS_^VLMqQzudW|wdZ{I;x1U*U_$@$QV1ui@I zhS)|nhJq!l^xjSci*fIgz4Y6kbjU=^n!@JI3-^D@>Vi?V|}~ z%6`yFa@DKbhKFHwBp6nvm?MzMyrRCBYlz51Le&^)D5sKeD6_XMeb6@IAG`Ir`j|7q z#JQ?}X4cPVa2)eT!XWI)^=}O~Zwnx^yYwBZh;973PZAK9Tfm?fgw4oJd?K{VH?s*h z>X9&vmkn5Nfe$N#EMB=Ym0Z^|gE{``hJ;T`!`5a{UF){`NNEB%*5^0IbJGMMT~u)n zGvwY_Yq3ZezpSsIAgF7UGqbk<5EK(3Ste5zeP1?LBS6=SeM-4euym2q#(|0mFZ5W{ zqCH(+F4;p5sH<8c87lZ_QbiBuAtw+GO$Q@IOXtD;Sh$o3ED`&6T^*?fpU3EwV*%H7 z5tf%UI}2a99if?wgp%PLGrM!~5`WUg?DC4pU$ttBJy7;bssb1wRQ}Xyh+b>uJm3EdtQ3|m7Ww(Ow zrFuV1b!za9?Q_UeaMD}1^hf3?D{4^0uT^@@eBELh-k8?QL101WdqPWlVBY0NW%rRD z_PL(+hWFdn4&wC<+Ss6vl5ri54I&}};Ckk>^POZwpq2h!snIlrR59@8>xX8L82KMj zISMwrOj5EIjU@ApZZ?sGUUAVXzx4O}*~7JmR%j1Iwy*N3#GC5sb{dI`Aw|W+TNUY| zeL(Z~G~|jsTY4kn--RY#iX#s-Zo%Y=q%q<{Ct>IunYH#Q-Kr9r->)P=+qTFeP(tgg z-z>9_tOjIl1kvQTQhDndB-)VRIxB;j>u+HaS|4W~G6oPDkI^MGC%dU$mw>tD)WtO? 
zFF_Si(JJ<}+5v~Bsrtz2*k{olSsqiofI&`De@A&kegJ%7^HD#?4aCV;ImPDiYPufC z9uv2@$e+z+q|0rlFRvhfL}-DH(PD%0T}J|UC%JI|Lf$1nxAMtu#`*!zKeGMaZzXKt zcd*T?jr(^^W((^(j(+Pb!uyj|mBA!l?plJE3CSnmw`r~XpVYAWGmW%95>&~3q%`+$ zlZ;YgOcXvPd(fJep&v;_<0fa7nRC_R?5v*{x_3Y1wWc2X8J|}xPgQ=P`o&5xPY78^ z7bAaSrAe!LvH17WJK3Jm`l250mhE+xqEwPV5WuUr|7SA3{A*4Yya zC;DP3u<~ESW0Y>xm2sktCQikvzDl*LK+!#xS^0a|QkEXPrd{Hc&Q-qqfxL{f=!JT% zWkkvAh%)6|ja}Ux!lK}GJKHfU&VJ1S%Zdr+BnTNlR2#pM3mpwG}>4>)5Z2(i8A1-ei-@zj!H1vo2*pX> z{71m3&KY6=sG=}Uz7B@$M%@sWPDW_Yun~B{v9AELSKTM<-8+Ckq(f^Cn-ooWe<8M} ziDo_#^`anH)P_?1RIM~?1pfQPJ55p`KU!F9*UvN%bvCGQHx&7BDpiq&I;YUFhj?-i zZqU|;;UlLYYPbUJ{@n+xr-0C(hc6LOS%mkUS60kk#OrO*X5tzN z&PhOM{Z*P-Y0BRGNw5K`q(MY;*}OSi;q*scJ=%My^!b6SuFQbhlLRA4`?hZYt;9f7 z00fHMhY?y-wj0_^HlI`qlgw^?M@)V?c-O7ZJdj%X0}i0zQVUc85L^m?U@v`IvXXq~ zvsW7BAo<>N@e*aV=VG@$;V_tE8D-pCV#!DjCj^dRZwz4B)4VyIqgB4Ri_Hv8llnmJ z<+`8b6s5IP54rxK4}-FX!%rKlTzv3!RcA|OKF&G!!#e9@($>vCkfqpvMj`s!sjE8` ziC}65PNsCDByE2+Q}A*^pBn7xgS24*ZVh0hlG5V8h|}PP3j*4&ke1PH{5g01Ng64s zF6O@-gC=ZngOy|B2@LGzy5i4JQHv%#fyfW@Xr5@1mcNRgQk}}yt&IZq{~fB8~ekAjDfS$;^#L1 zhU(+yEk7g6>ivF}IRoQm)Y!g&UdG2#ISLH!r9^W=iX$5u9gEDu)TrVFmaxyO(!&3* zfK|0rQ=7C|2~##d={IG5(wo%p9Q&MDwzD!s*3~Slk(l#+x#cNxLH=#5Oe1ghSOsn; zpDK5m!JOoC4^B#Eow+-eqVL+_ja?*&EoRoZDg-f>uMMv{Fx zZ4n4?DMO`cs=MM~(C{zZB*FarGsGlhBMK8Ts@nT53`zs)?7Ym;|EE2j>{3e>wOb5u zv`uG4Dgfb-%dJ{{a=!g@kgwQI7eAHgoZ&(li>Oy6Uqj+dh)=}RIEbb>6T}=`c+LIx zL;uxuiy?qL$LA)|QDG;WQGr%cHm zbMtGP@LIq7D=BF~!bPP&$Qm7hvg4a0qRL_Ipl!fnMpfEN#3V*b=r1^wRO<#rejzBP z>H84hjk+XME8;p6U17Pgwk5iaf4c59F}>3<6>?;p{{p89Ei5D;fy@h*11P8aoc$`Q zMO#Lc+fU<~i?H<-{)0rrP;?{z8Xn>%OMewDs|EPs_H@RvVnzvxO^9%rUzd|)OjlS? 
z&x{kktf5i`i1~G~DTKM$p(Z&{&DsNnOqs0C2v&Te7)7h#fna5lhz9B#zuc@QD8_ZA2a8>Fi07?a60f}f8{njYVfkes zHQ`1WKAZJ={L(}NRtce4U6~i3Qusu5-TQG!sJ01{fUzt@V4887H>p7TVx6g)XxtC6 zakv%OdnXllQRT8gneINt6&BWPeI#0bR3&Mujuxrw%8&zF!l>fFY3SrY`;ddWiwZf& z$$WuPCQ6iiqNG&pqNnf;PI<_AVo)j>4``xBHQE=u&o*qXS!=zKO4RFz%_yKs!@l;D zip5iS_r{@S6GwWe^c|eswA(6>1%+9NiW+}5sNWnwa41f!ryE4>tJ-J^5qc_W+t}@b z@+~^cAj<#}&SlTcyk@HbfBMg-bH(T|gOvldTLS1*n&8+=d$cI7pNT>|w0QBwNPDd> zX9pb3%Pi5PXb(`8>Zt}3q&o_#om!FFPP6f?1+odhx9VGoQ~kQh4J}q9k1{?9F*aJ? z1-rP6i=~2bh*2>T+FZGbp%J|bH)DxX98i}Rnk)T3Ycsb;!oa&d}>K-+aIZeO`m*tx@u5XGQI{~ zky>Cky9+l$%=KcQEmNLW&Gl~nO#>3#+Y3J5y4xWnM>qqUeXDq35-%YoOUKzEEhWy_ zh8h!%Yf-`kS3?GGN_Us7qWpljjdVj^hD0jy2rf)To4s(}2?pT@V?LvV?4Y^NLDN<% zUTL%jEzTRN!AlzCC9lxc&PZ4_23E+Q`iG!;PqKyK(3DDru|gi5ho69WVA;=df(qjJ zH{fg@VHb*%&O!J)&%zTQAik?oMIlOaw~q2baf_}XOnq9%5OaZ+ufC-#U@8zc(wRnD zaNp9Eu8J))cebDY!l9L&%v@hTI(HktCNa(ZBeCoo)^($R(ksh7Je2ps!v;^P%FFr^ zgzGZ5>W!w(#WxupHktYi;nz8gb~|@foQ~$G9BXiMugQxB3=rmQ@BQUhskPg>**AnO zu=3FeZ~FUH6Kp+8NGW2m}n)w05P+KO3*4Z>0)rrZC1VeO3lPg;3H z7;O793tGmD_nRL^%Nwc6#tms$aZChB-@>{T^U(d@4imE0ugpUp^=p%5>ui%+%ne@1 z-_r{;N+0uZ%EmJoDZ+^IkmEqfWl>W7QRn+(7)hfP#EeeoQ%H+x`ajJ1^Dj8bOZkV& zDu@~XF=;MKO9+(ugt#=GQ!hNy-vo~=H_7hEYu1hAweC@9J{o%^SM=LKF!dV?;ZE&X zZ>ju}6TNt`sh2gD z@xAwdHB5PFF!r0nY2NXrPdHi#Z&Ie?8A<8!ur zXptE#C*B$rIBshWZ#!s$62nUH2fAsnK1|xsCZnyQ;u)xXkj(NP!qdalO$I%_#74DL z(7jcBWOJbCN8Uq2zWzpO&h}3R;ghq&sB;9)E08$<}IZyPTWKJ!k$M`HwLH8 z_LR&&a^k7ZP}bsoZtQq#k4S0B>BCU$H>G5M-jkPH1%;zTX$_(jheVwkEh0iRLje?Q z=zEIxQcixC1MEawSTo--XysjPG?d}YTZ`R2(y=!GT#t5TA?wq=y!25{O|zdL3E7}! 
zW#E|>4LQq=F7a0h=BA?6NxZlaNbHwp)tZ3Iuo&-RuYtJpK+s*2^+YQ)Pt7uxw2Jv= z)6@lL!Mp)^>7|b6+uNBA;0mZ1%UG33o}+>ug@Ga~;?xs8`f(T%!Y4Q+2}5&QOI1=0 zyYnrgpa+v}c7z*{F$?ZfS`_)HvE;AErH3l_HqCg8UOO`Jo%m&}{MlX3B8hJb#{!bc zPzwnTp%jgT&x@&V*JX5U5aovjZuC8d*T+E;M^cd&s84DVNAKCth}W8cdc|TSk4dz< zY-=VSgfsF?qWIyQ(9!n^(xL*PjeH?V%rU_C#OtFctMa|AQtUfSonE3H&K$;stW&U7g*{Reg z8K_EE6W$sdxfy&%Ev#$my%nSbBe*N_xWVuoRJ4t(mc}J>Nrxwxoq`@A=mK{5Oy+*m zJ#q8IsYTPX1?_Cm(vDoDFEfdO{BCz-gE@orRIo&*`)fgoidK+QPkQ~+9`yxtW1tMq z>dF4q8n0Q6w<3?g{UyTB1sTBuopFTc*qO=_I|!EX5*-!`V#Yu1&1`cE5i`dwV5>T9 zk0#OhcZczhJ2u(zoT+y%SI};4fp1pslX)-EuAcWyKHRPzro}d1H*fpA6VG&=T?;2) zUe}ZKHnl}xsIVtHuBl)1Mdpodq@YN7Nr-ZJC5XVV z*)X&R0MXc^7ro%Uw4= zmy`3?FUinP&K*g#Qm~lP6fTq)aQQ*w>y3TuEwR%klB8q|7h}XJEt^}uWmr$!J--%o zkyWf;#O1|ugbQIApd7fa)x&g1LH>e+A-KJ7)Ts|!+E^;4q^PU=%9&fRz%RF1`rWx+B2A&HW*!}ut{ZjFEb zFj1xQl+NA0S0#5M&x-2b(qA#lTka&ApDGcB_8}FsNU~DmNMW9Xd6_Bmh8A!b%3DM} zkQW>m4)$K(uB`|n7DyxX2q0ekUdn-`*tFri6oA^}7BcAmyChG%ULS#Y=1ai?bL>-u zB2CT8ppxAwBR(Ekg27@2^ER_m5JLU^y^hOr*;RUEjw_(6qR*rND>c14A^*y$hMm*y zE=Rj8HI$>M(iXnQ-zmKyBK%zKXd*IIVuHPqX4R2erff@fWcoil;lLQ2CQET-mmPlq zwO3_M&Ug$su@1NpqVb2BtY~-Ryb9INT>L3S2U;y zs{8uP%>dydHG6`(qe2Te_Pr+#H2D16r&s@_(KX!LCdfG~3W}Cb$;^|HgEpjFz(;kQ z_4~laOO**OD{1X7AXIaO*7qFEi6cEKb+AKN^F4|!j;VXM&6MXYLwOMg-P&TOYScsj zF&!9d0%CL~?2MTXgoHdc`B%PiLobqhL2sQmpphQM*)u5N$TSG?VCSEUS+1S5v}F{N z3zR_fFA^!8KoZDE#pDYeFzgG4!cc(g>@u08qx+UU#sG)V_J9)g9e@ zJq|#xtCG;|tiYjF`K5A%fQA5!*v0Txw4=HUTplOB;7C}M6esBN&4IAedLfvG&YRoi zGT-Kzl=1Wz!7L}greuo`cm)9{2tQD`^O}qUbdwgifTsqFhT4@vOwJ0@GS7TV%#Yqo ziJ~8_;-v8p7V@O?=?XAwO@=*=cyd4#!ZyT%TH_QVGjip-tJ%DZmwE%c-Fq% zSRwX$p&Lcxba<`slwB(Z<%g&9CfA`v_9MY)#ngBT{imc;x}1fss8q7Ca5NyXPR zjQ9Y0RYO8REQPKH*y0dz0-^JGQ7!3v;x z@X~{)?Xd4al#jKdT9Mf=ZKodR$_%stpR5Fks&10$MH`cjg{FSDmKXLR=z^|DceXA1`oS;d<9QQ0-O?wp15Qkc!z5K(f+OE~ zU0aq}W8bnFyR?G$r<2;U^sl;1%;-nIm!?%wwRO|@ojQkxgc*M+jK&EBAF@R^`nv9H zfvlE|ap?VUm&_bQSsnq5Ch6W%3ZB^#u8g-k66$^BLxdlYDmNIO_61{x`P1O3Bnt5t zW7rpw2i)oF1Z(Qa@AXZI*DrOi^nh93hs@7k1DUK5XocYHfQ5R+lHBlzo;yj3M2et| 
zXD%ZnOJY9`8R`vocIdV5&`<#(A9MPvaApCaK+79S)omNee7}pwsKG61BW3ni5QVtTR=6W6j*oBqMBf`4vSk?b%T*mSEk4Ar4%Fb z84dFTJAMBUwh{bN|4rYu3IGg0WAj=UXHOk6W+WB!H!2n}kYc7e}SXR#)ku4AAjOS= zJuKnTK%pg)*UmFvTa5M`yo?vU@0T9p$?z(3ABL4w^%~DN;(O<$IEUn@?UP7?GnqN{ z3|KqM*Lq*0HTBBycM;as8-7Tq##r@rGW?2f*X2V&KwP%1W;tiE9z`M<&?05(jUCa6 zw~5x$9QVCJ5A8_xsvig0L|Ij5U~#B4KEsvi zGSgI)kcLdk&E#Bl8^~rK)kS_QkdRvMD#0ayEYxLMp3usiWrO+PhwYvbE7&P{B!TY6 zu}GaQc+;oZIEC`+wlbIV_SG;+@p1D0G4m76wzfA%I7;RtI`>qE8~8u0_X|&Rfv0(- zPwK_wE~T8d7!qi%2_;_Unp=4-V&6W+Z}EoTM?2tS^}|R-S~oTAY56BA(i7q>^_{FRG(quJ(TZ{6Y`s}0^&r^|r7DOW3crYyZoILkq^8fj7p!T0<0 z?rRis-ObdElH0$<*7&JN8~dOX4Jk!=FBCf6FUO&0b6RFV?%+0zZtPhsImk@6g`tF* zm5e%0?t&@r2^WH4IHa6TQkqwxJLJ6Q19^W{+K{l)y704pKWc7x|#usvCb4 z(`gJ|X~;VrgnnjHbmxmi&j)9Uv>XtaWs8hK<4 zT^gRv5}AzLASYMF5*5;P1yFAlW3QlWVoBf8bl?~*iAe(`Mx}BF3i9TG9o}V(@{3@= z4hK7^C1Y8nwQ=q z-3-|xW9m6C$mW}zk&f9t;VSs=yRVi|sMYBe&&EXgKP8H#1h{u9R3(bv0|<*_48vD^ zlU&79qC55ArNtKruZAYFL_t)sb(fOhXJR>cD|r8;%|*j1xQeB zwZv+N6=v?(ER@FIRaa?=r1 zwvDnxlhRs1luHKHC0F~>mk>;A&{KLTh z;R8$<#a)wXe7lilINW{ULbBQHkoU>6?#Tp=( zp-cM$OndNaX{>mDWuQgL*Nc1hs3&8*2T1>zg)s-}+}H36w}dZDLMezbeWY?OVa!xj z+oNUW>_-`d_-GT=W3!%3=j64gKv>nDU<1z#?QInR-)G&pMVYx<^A_!*Dh{=JMkC02H zf?OYE1C^f$e`E-_43o|f7#1xNT&YW3>|57vzzntSYtV^2W2bAY?d}ddE2HfP?Ki_v zMJZxj4c`i3!`XHCqKBgWH70|LGpYII4B3X~V=-s5E%#)Hy?<2e$of4``UsifCHAUUeUUbOkNT;$8 zKqbRe;ZbLlbl(3oQ^t%@9pD%vI#OKg#`;C>%ykOJ@>jnYBnyZ%cnQ!RYSk8=B1%cA zSOz#A(0GXSnHt0An35E9Ff53u-#z=-=gz->{e)#Srb>)FTNx;c${yV6aimhviH-3Y zMn<@bbP_kleiGClTMYRPn;YNNH!ZG!5V#$00?TW|8R%Sg5xgHYF3%n$>*0L5qrVJs zTEh&sT3!B%q|e!iImLwe9A-c(^e%QUJMeEjSbyy3%zTr0VH}!?iDvvkFD+&2kveKSTrFqWp(J*rwBnuv=nwc(Q09p}2t{87fMvbq3fQ%S^ z0a2EAm;A7NB8R2hOqY<}hjH~ff@fE*>&qnpve*Mv^KQu#aGf+~haJ|0n)nbJoK_2GB**+BG^Y^y4V0h(ib8YiWEXY3KSV-^|Wc9}pV4xN`8ba30OI5XG+ z%YJo=|9&M!%r>QKPRxfdEv|q&jHH3s4mpwZnvl;MJt3FMH#1Xi5LzZfn5=V7?B9Nj z!4GrS^_^k>`x#RWjg>rU<}K%Ot`wdO=(Q&S5_o_lx{9I_^S2xFWFtaj=j037q92<( zOXqgFx$iZ=sh)!Zn`b9-WU7H@ul9NK5did;jB~;+r4UL&chEq0>w{}dTZ_s!1dARE 
zP%1`FFN&mo(RBCw$izksGTWf&=KmzQF`No(h}%k@aQ7%*QNSWqCsQ@iT|RUQk>t;$ zJ$k5)2v7d4fjvD8+CFv8VH=2EJq&IRUWJ8vGwG`mUm?esu*JDvZ8F{!%0$y>0+rA6 z{ts39Z;{|$MR3U zk8vsR$)4sO`O$Mp;C9{S{1&cYe~p5stbg|L*?&zo(X+-%aQ>{oDj>JR@i(9$Q86}R+dl7O}0?#`vb=9HTxFzg6U z(vQoiao!E&Jz2&+{bjb5u4+;*yIa}hq_rRuOLOa3cjA2jUiwwaPu0g8vu$!`Z5VOd z$=^&CSzIC`x9A9i2nKpV;yOPh4DDlZP>30PFZ4#AJ{VvC%uMYpP0|wO%yHsL{fj7g zN>v$UyX(~jeif@`qb_z2WmruDUFOy=rzm6R0RF#sP7K@ZzgTfOTqcj~N|vEzG)fYu zfj@LrSc;4-s8lR7g0|TV`tNBYfoSo6ucGUk^_wE5*@4P;)^}!x^HJ0Ta+~Ac-aL$Z zIv<#;sOdXi$S6lr=-PqK?@D7tvuFZ-$0iL%|YqBe~aVAxBophTHp(W;`% z!ZCtT+eR!4cSO%;%f_TG$9jc)BU%&QzhbL0vkm(|#Kf=u;A{f@)tm@nag{WXO|JfI zS=zEujpCuXkn#yZ>@F7oHH-y*V=B=9sbQ`#2eG=tc3=UwysKAa!g|%(=E=#}3{1wR zDK*1x`RVy&j6ve}8u$E>I=CBET*^U&M6Yp|j;7r(ox1oMNH zYP&96MFEeL|Gb9b6#Kc$aGdYDM@F_HY>qGP>ya;;p_agCwq0Am0e)JwsYTnnfmqT$ zZichhx+6DSI>)|Nt@j1*H9|G3vvkD7#I6D@1^wC(xi0LmhV+?1>iCoAbX|H@6?S4&8?tGo2ShxbBQ|9|0^nCVU zKrHdc2vZ8@O5FyLC<-lFeQM8?>hNE3|75hvi*7lD{DN%p#8t3^;?fr|ig`;KrthG7 z#<8@Yls6Xig*`wa)Sm0Gu^upcX|-9VRdTu8=sEM7qL%v~Jd@nEQTr+ME5wkm+h+F4 zKEH;JWTU}x{^SOZ4i%JxY!GPr7&Oljd}}^CmB~&cdsqifMXx3!(9Fpp#G}S!V%JXJ zo;Z2_%RZInpEu}7=%hVi@)rLN>uhLMW6*4)aKB?QL$a;jBE;7&5yPBMO}7ONIety;={j z@EJ?+mf|2gEdT6;xyaAFW4yH%B+n#kYH@<-I%(+levNBA^Ow~ac|PUjIi0w|yAlb} z@;m~kHta_%fny=!o-q5vuU+6a}Emo;zxuXh}>QuZ8@K#^8 z;N<4GiZp^{D6t8GO@CTEUi zjWaFS`GU!U(bh_p{P;J=iqV##-~EB+DdV53=l%a1jVRe+;w09z!Mn69sk@U;OM4f< z6Xv7XZO^D;ZK^c zkt^0Vn;p#LDOhFIhljK=s_lRP=mgcJTa8M z5>wwqxMJymt-icHdqlrPV}YpJRKp9LI{;ms3gyDhG-UH!ui)gluFMa5*)mpn>*Juq zKX~+EuE0}LDo!J|y9;yI*i4nh<4bZLiK~vA&8LNHHR53O7<=$2DT+51Fup<|HxHw- zZ0u01**%OHz1lneMjaRoL!zl^+U!%HNn&9~^zJ&@?%Yvt6jMjECKC+MeCnRsTN34H z%O%5MhkIuyk|tRD?zNGl7^L+F!LValuPzy2GVNo$5Lmn8Lp}mVe-rTG-hF+eYyhvx zX+SB#RHt$LP3I{86y42@N6fN1con7aw-zIXC1JR?`y$u1@ygizEupbySDJzTm~)MC z81uPI(#R0ExJhh}2%K7TgzZ$$fx7gs*1CP9|FnSKd~8D<9Vr1LbR>Sq(|0dF&}hi; zUsccBX1~|!klRJDMAequ-x9|@W{m7f3NMHqX zr}~KH0Ui&lOJ302{0@SY=pe?#)Et-3#BCX}dL* zD{#EYczI*Sw6X7)$4IwsBn?jYH3F7#rdB^B1C)reo9VNjv?u>+HKBE!tGR}%%~Ip& 
z$B?(=q+4ENz__Td0PXU0Ev-?0zVperR?Aa!pt;deK6*ft-nWa%!*1OJy*Je}@#?&m zmn&XPy5Yn+7}QI=WByc;8}9q-?bijCh3@OM@l&r&?@Nx`8Jn6ToV}SR7W>G1uZyFW zjNQ$o3?6Uom80K4DsIW;=n8Ja^Wrj&41mcJF@9NfY6#isQ&vvv&hYp|T22~unTT?H z$npaSd-tpIauK+YMxmBJ=;)!0n3AWdp(M3M0J8S#7;Nd$dD&EL60dI|Q*3M~^jb>zgH zk>B?5kXaG5P&eFz2@{o_z{f|ETRQobcwm=<2yKhZ!qR}s6oq)US1|Pu@T$*oJ#YTgRaWzLebt^ zW;~v_luCtCM*TyO$7r9l1sfYn0cVCTazz~GS4k>_$*=61fP@W3r)P#4I2zW(p|t-S zJhARW@QYH9HK@K7W>oe!_=?CYotr(4m{tslmqi-aDxQ-O5>TmZa-)SeRqSfwPA~Xv z-Cj90ARWALupmY2RxI(wMdgUfa6mbGSfB)LW|@aBl35GU`fdL5zhPHPZ+CG6^%8{! zb;?IBC-&;Cqqi5iKdbmKi|h5Ej-#R&!~|jj^F&%%#d4-Abo~Tvo*EhcnakoUFD77^ z4D4TXxup%r0yIP$gXHhGzT8htE8XARaaganjK!*cSq&LJQNplAP)fdAfji-55|5~g zRqNxKJ)&nBCg12hRAZx;za$zGyqUicxhp>W^(oORnGV4O*kbDQdsO&q9eBz(CDTNO zbDl8Tk4MnQ>Xg==9rJl*B|*m9NrN^u66)>gZFQ#g0ceGzcwzx*YiVpTb5-#v6VzEz zbe|k(C={_6M3%>C1o)fcwc-y8mVda523wnQ(YGW8z}=!w`4%(tfxTWSt!7t$M`T!}4QLeX}z-Dd%t4>$he{%w0njvZ~GGGig*z>B-MIR9YTa{43Fb5pUaxozh6gesu`r=7=^#nl##Xn~hh^*EgKQXkRN2k| zEW4)x)jD~JFB|_hp3l<^N%kV*gzzvYQ6ucEEgh#;p03x|ZZ6NvzYt6#jP70PZ_%|T z;8^th@MzW&!#E;+HOqqr?1MFMS(x~6-w6Bl+aLo;!V}`YkgkcpKVMul)6G|6VrD{F z5^4Q5&n?D(4R!i!AXtD!!2VstQ+=FX@)9M1PSa|S7UKOQ{?5VviZ|tevAb&7kr(dv z)3HA?8|i@sHd)O!y}i;Ln8y@L5CqoU#rHvug-k1OrQ@SbB>oxJuF?k!S`Z$=q+nHf z%xfOABTFp5O&CU3#OJPM>7Qn}!3tXh{PX!|tjXUC5lCRO5*mt*D;(ViA0iGO zS7xqt&wq#1t)RS{U#m0UiaNtEOVJtSlvDi35g zHK9VCCepC5Tu5qkVeZY8_5bgvyS4ru^=b9rqi$O}W`80}Zb+4Bi)JsZuCxV&$Eox<-tv_*tE3ww=?Ku|3#7i54f z;y~2!7Gfl=rR(9(Rjen7Z|mdM=}TR)LL+j({1fj=q~l${NdvVygTKA4Q_+D}c6wZ0 zBP!k~V9Zwdl~!Ngy7=7O*J!rDMhq}&!dS=zy5_u=H+m9MO>1nN?R>pmwAn3x)VM4O z{*HA`#eAe8qA6>&4C&;Y0%yp#cG5J4w%)*}P8jd#c>ZJ|O;2TF zPe7hC9T&n~prvO)-H1Qu$RQm(qi-Qb^&Wvz?f{D&h774m;ArtNAVmSw!Ff1hTXyXT z&H9!o4NP7z8!1Hx$fYB(TRh=EDQVzIRa)KN%3Q<4{Ev&qx^VwYr_Nh+9bGI(S4(;vSdj064? 
zKD?A;2rvCykyD&Dl@OD8{OBWf11u%zKu%%xmiK3`CucymlagbR?T_Q_=vRWTN87Db zCXMMPuqux}Eo#IAzYAwJu_&s?x*-?1%FkAsr7M4s)fWqDY*ezL@xb14YI9^lG3i7l zM_Lnw@eR%P?U&ccgfNODLk*>8+=JGxcxZ$XW?vFgf%5k^8Y4spCF5NE@i1Vh7*l`a z;ND8or=NZ+{>l81hL%h6MIqv#(*!>cA4&m%@kgU9V~u{V4D?~aFO>l9>M;Kjn-4_$ z5<&)YW2KK6(H`6@nf6O`lob;tO)Bm)1A^AzQbd|2u4!Yjz>LfoHv-@d@LZ{=Meg3(s41_D0rsuz$0 zgURrF3R1_xMU~w@s?KXf%(MjsjCLKJO=T5t%f#wzyDqjQ6=u@d^ZPInoHcV}z`&gz z>)u>V^nr8g`2(^A-_?CC3BNcUGE>P z8~SI@>zd3u@D+W2&l?bXN>9()T{XBsheRFCyQ^`;5yDk2hnM+B5+%>fT97bToz(i` z9_WgsG}Mu~G-G1QpmD;pGL0gIc@v;2um7CtBQAw^Yz<>~xTQh{CX3ghY8&rGd zPxmXqj6C+MTC7F73K5HuQB&>NqnK6@kiQ859Unlc%_=D%Gy>(I?K=N8#`SQ<)zvP z8U2O}0}*6#%I+srGJfztg;8dgym_#s$oz9W3A zwJGa)^}e%7@m9fj)CM&pQ-~@LL;MomA35rb)6c}NzpYNHmMZ7*`~nO(z~H@i4uc(( zi|hw?XNY35KPu)^(1lJu$@T+gHUx_q6qVc}dGuq3-*>lGKTLmNEOJ|q3qr%yjWcII zq~h_p)%G&!oZVo;)wwvn7V+GSH#pTvqt0nK73kKk(!;~FYXAV?$=#9lyXcbKvRe60aWk|49x?mUtFux6s5Ytsi5itR^J`Z5Tjt5{* zso*c3Y)nPNov?oZj;8rfbTK#Zu6{^J5XEd;1mpS~S!i)$2Q%8rk`s0G!y4x6hRC*eUiy%ZKj}5)Q5(z> z1^%PsMF*z|ORhCUC>0be28~`em)q%5EAo~@qy zI)3kzm*U_}oZ<%!XNLoC)#cH;7)dbg!xYI>L2z0QH?H}WZ%itABXn^ z!l1|CU_^>Fr4!L(aIg`Q666&t*EljF6-+Qo|17G4wr%7F96I6X?dEq9v<0-g+v@kZ zEuGg7EXv?V!w=co{4rBg%yp>NSYs~CGBIJ5sO=3BkdIaR)Ey$Z`}dHSW6vSsxr&=r=lG}8^G5sqbkp`*xtgKaPpotNLl?$ao@ zPvr!l_fmrBGLa*6dgC*}-R8T5cmJv22tjz&n?>V=afHsnSQ7zMVV>S$a@<&ZwY+0$ zuRpm`M|woO!#WnMn}k&+b$BV-+qv<3YYqcWzZ03Tgd@3&NfqWtpNpHv4^!1W7%<&j z{ko0NfIv`Q+;T3*8OVM)o?Saoe(n_nJQg~sq^M8V=QkZw=$!yxT3p1I*0>wlIEVgP^-J{x>RjTl#>bC1uu^F-~I>z zx?#VsN>@1%OUa_8^YPxKb!M~Ii?B{6l$S!;nrVMV1+>3%RnKQe%5so~hFmU;nbwrg;%F z)+=dIlcl*8k9OXD>KN4#>txN^+0i{O`{Z+79MLuF$CI1(mPu<8)}Z398LU`%Z{M!i zow0q7U5J$7@0x2C_*j0>uJ*WS9Z(~2wyg1RG9H;E?2$0M227=N~? 
zdb8tEF&WqnhEikq;#d{a<>5%l1nH9w`ILV)(4QCC|6ES#5Ho@Sl&@foTmIrUTUr?U z&Y;#GDr01o72L~+qY-3`4}0-5YR7;M!Rr7udnLIiUKkNJ!9aWHvPw*NG}eyvcn%y{ z6Fv0L=LB1m!!Y4N0OWqs3G%Rf4o(bT@o|3xoT;uMw_}g11(JTt#zq`&M=CyE_NFiS zEEJPS-5iz6ZH@u#_*4{ZxW{C00D9QNifOn!UW?&~!P8Nnj%z@sW|2q5{l@yhq6bs) zaviCl#i=ecO-q#h6Q;)+?JHXd`-gqAdC9sl8o0<+l5@q%nKsCHRHXpyvN=PE%5!^O zs<-~+v&dnMo7*hSWi98*Qb=%(k8^shc$5K^lbuyKd7KGGRf)Vx&kf~sKG3~vP(>#o zr?3lQtA3aZ9l=>^aBeEeQVBbxO;oJSVhO1mH7j6=JEZb3H)=HhoU}#?R8cW8fOM}}*=9FvRx&O;*~m}PECH?Z<81^N-{nKy zIR%KqG%h-B80%AhfDoy5`#vDGi#yCmP!Ob07C}b&(imu#D^(C;fOGaZi&skktOE65)olxXn&d15{;fD*y3Y3Fs&_78}Y-H$-+_i6W=IyR}1mEELEGIxt~f&Gs;(N5UC`04tyd$0E}uAt&xaU=(YYrj549K+Nk z43Y1r5>zkGae5w4Pk<7J%hz-6>`Kk`lg8FpLsx`L(@gi1HnFgD0e@wOQ^$78j`-H% zM-Z_Y+p49s(!l;^8|Cimp@Thk0tfWx{5c24R#ziH)H*!_gky0y5RR6rG^qUwI7wVT zEmx5|?V*#?Hrjeya7-pdu;l#tM_$dpb=My=XZLinxQ;m9&g4+U|E|TGu2o1w<+I%erESI5s)7=P@HTo(o0wP$@|rD?ZvCMV-KQTPK;n#`)cRNRsA?FbjBkngplQa0|4cQpH8Bhj`B_Oe zCY_;}BI)R~bgor0lF#9yN-6#GHuWbJMD+~ws81|OI! zEdEK_c1o@hyQkEkke=~cPr z6hPqh%&O-L)?VMqN%wH>-2^LabJN*)ddScY9R~^v+3#|Fh}0|@_~p0w4vetNLuvQn zvH^?yvJ;T!&k+kdL^z&h^TspuEv}{LUPbw!jTo|cHN^necB`vFng%^0yq9tw8o^Pd z3l7=j{Gn+8SYih$nz#A< z?C(>r16Sfg3CE(Js5E*1F*}@`EN?1Tp;yA;aUDpD5|^aod4-vhS3(%8GLLpme9X(t zW&HD*3jHoE;mnt#xs&Bg#O13Kh*>i9!#HCb7Y~DuzDACvuUd1$nfcd*c=ZIBV%Kxw z?r%<#=?%vzWF)RF@{g=WQPwTg2d>!tV2Gc(Bb3779yGI91xDfXDMiL6fP0QMgV_(w zV$tRt4as<#(VYGn5g1=;@$c+1^Cc$8v#VWG|PQd1~jxF%aw%+kj@9fVa zo@34%g$cPqZcL>or5&5u=!g}I`WdNhZEQC zYVk0TNjGVgRD>bcV{kgNG_{<&Hjc!V-d$fC;CckL-GItcs^4W(s)orXwEL}$ndN4N z)h`%&g5~S%5#J{X4mD10Y`gDr)1h@U1^S`<^ih3TaM^|WU&!yedqa~`QE*{H1UT4h z7xZ z^4on$hvM^Nafkhy#r>na759>mt*E#Zt!eBn$UMG!HJ)}G8QEOGN_>y*tQJ_<()$ZZA5A^9*?KGwjkIoE)xhhb>rjq2w9}l@3s?e)zWV~C4P^K z#SZmb`p2_3_Y1CMd@o_RTXJWcz3g@zY6)puHQU#OYIY$bF^ZZAX-G8&Q3u2wSXC>I zf(R%6VeY<+lLtwZmaV~EhC^S0v&=|7mzPZr_Ffwd9oP@Y6pzcKCP^9&UGEbi=XQUR zuhnb(vW@NzsbHfX);FcH0w3sQHreEaq@GI3{wc6>UE- z7yMW!!Z>f6!Am6r5>U&~X0k>sSWTv|_gpJXSe7Y`r_dw`=#kY;N=#CY=M5xMo(q&O 
zs;Ya9j+de_8%|gkBbmJ&p^XZm=b2WW))nczolgr8`tg=S(%Wo5Q@*5uCr`sPOf8A0 zIPZB>8d}nR$1Hb~bE?)q6DmF};vL?Ljp&6<+K{ZZXTMlsZRv{*8E(UROl;V#hT&C? z7zpKkx!m2k7?<=GmpYg_>OehOlQE87_GdC;bHsues=gstbRU{;EfN?-y-<-&E*( z`%s%`p(KJ8RLBCk9?wWai3Dr56{($3&y+ial%)Q>i-5oBlzQ@1*%-(txHa77AWgAK zNCxR5y+NA}&<-R&-^zhuW&39SQVG-BUn{m>{ciXlWc}_6{fr%lZcoQy#`_{oAD1L1 z)8!Ud%7(@pS`TYsvi7|e(wVy+TvKZ$JJ`-~_eQ*8;OwWtnp=Jms@Pc0XEahKey0D? zTL}x>CQAkj#9~yMHnEtDEx%m|@RvYT8k!~!7bBaiQ5Rg9&M-Fwq=Zd|5=t_6H)S9A z{{iOX4HyuZFn@rl(J2W&qy*WoR?4EHQ$8k^`*tC3qU)V%Z$CO=t~DWpT=zt-2S%H! za?AGBnr;$Hn?Y4kre3Gk8gL{&RJ2o|RF0rVO^uNx8oTP($f?w1?`_+b>Rn8;(Iv-k za_m*aY=$RhjDT$hkKiuU#{SIY4jc*J7e9L-EOCgUs!-Sz!$A@^Tf3kL34oKSP}>mD zrQqFw%h@9M%7X@7?w+YQe)*w#?LB2R!RTHAH^`(q#qBy+M>1Q zY4Z;)u~R*|b}(=tXU=hGQmW}7I~>e~noJ_7O^&(UE5ac*UdEKa;ymQJowZe(xUQ&h zPA7@M*~h{8mf=)ci1NWXkU6k@g?@2^{zh)f6lT^kjblwj!9{@>uNrvODA7qqsm7A_Aw=?tS@{IKk>e7a9QqVz%H+|FB2K4es!m24nIE zd)o@&OmqB_MBfs8B-q#Mrlc2%wx0vtIwGl+l^#ItKS^t#>TSplP<5G|&yWf%rb-p5 zOP};s5MUmw#+OgpQoyP z$feO~n`=P*uUo}}|KcT<0V^z= zSN^px!q`sO+4|Ys7)6-5NYWRbSdSu|#3I&Tqd=M2%>K&3>0~n|gV+F80Sn)xnA99u z21}nnTA{renG@NSBWSLL-t&680adsj5O}SnV`=eRjp<%&-o=*^zMJtz;Sh7Ft+qK4 zcmttLMr^1wwI{8(7ayZuYFrG60?P{D{-sH@6_CO4m_ZeZ`JTB!Rjp#a0z?wSkF-$_+b@f8$ve<+aFx_OH~{i23`_t8!c*moNw6)zbdG8 zpA=SIJZuZ}-4TeNR?Ie;W)c*Uu+wpCBOcubND61|H!hQR-VDW4=;Rl;t}Z>Ca`T_X$!zq5pbU%_TsNE+q z!EStbXxM4B@tUtx==;o4*qN*STip)tsm6Exmqq!c&)(iFSdvao!~N5Y1Qt}QJ}n|M zoWrzpErSmglV;(Kp^=T=HYw$Ur8Q%KqHY5Mr$&$)=Cs%ofD=0hyHzSO`00npo{oF( z2$4@e@!Wm^)c3$sAgbMe=&=NbvlsH>mK;TGjp=jFm*K7Jt$keKy*o#nJF=TcK z$Ulj&!iNTsnV&g}#N{QN_p{doWqurI*d132KcUjMh4Zz31kw4;U~!rIrq(@E%+kpb)Di3!Pt zVTfR&r-iQX?vC4}e5?ejc9wb}EM?70jpU?&$Xv4hfvpQhMRpH-9a1Z&0vLd(;ODV% zlJ1)d{nSN**@Jbjz|zk6vr+38&nN0QT+JcC7~ny7`#1U&2B;+jYz^IawOwckA0N{B z0V@jmYVJRiiT?|f@!AtgJh=-Q$H#TWZE_Z}PFbB;@D?oYIKo5Qhxf#)bvd*f}pBYTFkJ~Dz^T%+Pl1>1RrA@xM=S;lP%wR0%s?8D% zy5ncdwa#+o6@WRMG^^tAmc?BUcdi-$cNsY3M6hwx&UetoACauF8V5np0o~n{frlkD zxR?m7Mq3%)6?{_k*dm5CGs1ALg<;GRiv=n&^V#xiIg5@B!f+14pf6qeb+WQy(+PzK 
z;<6M+J(lDSsCQ|A#3@j3v+Nk4-fGkWcGeD>aI+XxNqsbaTcmI$sYx-Q zPJbTyI|k@)$~*_-rgDTqa%W&%SUw*R<6Z;m4g=;m`WzQU#z=&(A*A=JMqS)zx|kKG6t>M%2>N;mzU(^>O&=6t(;wI1PpyPjF!DfXUnzM`LLDHn+97YH5RrrFT%9_ zJ%f9~`%0|((3!oBa(Clfr+{ZswL58I>>_}i6?`>b?3Hh60rClCi4p6h(vwfgBIlqH zZ&BNZr2rWOBr6pZvaHoujBl~D2Bl-;GQ85*-+9V^MF-w=SBp1MWb{XLUK*v^Se!a& z7v3vJWt&*z#))dt`5&aHB{_2eT4oZTr&XPbVLj|k!L?G#7ur|C3^tJ9_Vh#oSI2^$ zZDOM1M4Zu$E(81BcA16@@C0A zlepP48_hVT(z48)K&6?32_#1$OJSe+pkhBfaPHYtm@BY2?}qQBMF zL=izVOT#O}qK7Hs_??Z$x6gbXD9 zKYnABe>AB@ND`5w9C7MD?WCUM5Oq8OGjD_xN$*1LijNp;5G zGvq6zokTE`U{RM1AW74)45BQqq=o~~OgNg5ldUnElZIvaUJHmEakZ($j9fTP-#F_~{~OTumUEd!ylhQ6TE7 z4sEV1N!i6$awCn`k|~1}ufqddr$Yx0mTsa=T;<`Q^?JQN$ZcQ2d_a;}Oe{V;oXQe> zvI}l$Ia)B%nZ#Zq8ni1zawCLV{V~RcD+x(ziy@2L6+?_>wM$9}hZqb;q1^w!*5l9H zz7z5I)x9_h#dOd0_{+K!G&`C&SN2>`apV`V5t^cLA^mH+#)i3($?qJ!QF6cWDD`=9 zUcPnTutgrpgUn75XP8+lHCAQ&2&zmi2RItljpUhAk@ij}hcDLG89r1_e}EsDn%URV zg;z|ila+H|UY|E_Ju_zInw1p1lRh;-ys{beS+u1^qEC&WHX7jjQp*Tz2px!4h{Y5c zu)`ZoAD{bP2<465{AP;$7#TXNE;Hs}!N~cqB00Vm8a=fSNh%&+n-7=ny-dgeH?=7u z9xpGXVMhw7HhJqrIF zB+>sUsJ?>L*@D&yK1DC63%`I)l|gMU!y9-}t;3^zx}3u56JIZ~n9{E-xZ1D$#qi9| zbmn+t$9t>CT?EmbIpGw}O^Zhestd(oWYp5Lpu}8$kjq6?N_4c{t|%UWx`U=psQ6iW zK(+$BMu+)X%01EVPqA0V&dhpT1*Pt*LxFJ#eAd{TDc!9gX-1&tiud!J zjPXR(GNRPegHIaq>6ENWPEKtymI+0V4M|BTrM#9v@S!n1e6B#1&8~Q)_TxF#)m7Mz zDR!_yg0QfGYEDZN66*WAr!OlMavX|l++zsa4>DL-M6PBG8?P%HU!O0*3IdtYQ%om$ zbxF*w5P3yTp!>GZg5Nw%=I|2BeFNgJlcaY6$}XIy6MGZ8Z}Deuk5-fSVCzvlaZ>hC zm@Ab;tt*GhSuJYJBf%zvF52B@1ifF}03h4aZwjdROppoB8Cpr8Vsbd6^As7!RLge0RkckZ*+&(P5=v0bk4dlE;^(CR!I9rylwM$m_|U4Tm-B zpW7;)1n2XW?OoJh;;qWLX-x%LF5Lhs1RuO_WM(Z!O119jw<$ms;XU!!`-(|yYf_;9 zzQD!M(quRTecEiJ%N_<8t>~)cBOmP6FtwOK`p|BndvPX7@P^i&IjMJRMzw3pj%_2V z$1pBPI`UWFg^_<-l&p8(wU6Gk0X>ytAy!ERG zVjiQ)whc|U)`1j+Jlv*yM&=iBbclI9{sMh0d%6F0sS)kne6b@Dl+${!83u5>u-#ys zcB7EcJC@n*F0A&xr2h9!6DIMel zn(|eaMzNbN-ZVy$s|)2b-k_~*hSa=9)?XHqwP_CsJfh|ju$C_nPCzm2*JO>4_{KDX zjwamoob{CuSA4b>_-{>XpZDH|%k+$fi$U`l=Yq4x&yaGD#P!r`FKgKhaE11m*@t1Z 
zMOO!HCuUhIt=S>}B@A+Q<&?F&POP=J!y*Lj>l&n`hk#P*qKA#=l(GiCznXe&n!&=W zYPk3>5!y)7c-HwE+Oq5OBcR#k#@ZeMh*H1Pc|8xVOuECx#bkuF*X zO@g+=NyW)4I=>OM^SN>hP)f_G9OwHTqoO&>$Z?CWE48eJZ|@KBWNelI7t(U^KP04? zrlSar>k}tjj0Yo-tgSP67=<@7Jw^=#QZergqs-!G{x zVu(0g@>9z^l1dhX#fzO|ZrMB3ys|(QjWNJuL|`lHo`H0@wd5!CHdczD5q~wCvZ%Nv zeW>7Y1fc2V{IJ=6YWYF=BO%{CT~WNgk|p5&lO5AOUk4}1!MBDxWh;nUM$AMnIqQwt z5_Yv`pK)WWtm3r(K0I8S*K?=~QSDJZZ&I8YH8o!q`k#tO;?&cXwjjChaRz>K&C1CZ>}G~P?(K3~pG7lu?+DDRdtT0>Y{h<{;|4*hOL zJ$qT>Ekur>V2chpw@aWEYm@i4(W~ByrSU5Djh(CZMvvT7m9Q$f*525HAcEsCJ~J4g z(7%$4NPkJry808Xb8Vu7eJsKVg-FG}3Q?H$4Np$&R46>QB|~YE5+d514j5uAR2Fk< z8u-5Z3HlszvWr1?vUpgFob#VW8AFh=_rZ{}eEf&6&ONsVo)2;dGJ0}ca#h$#PR!Vp z*ye5|NI>RZ{Ewx|(<3DMl@Gc#v#M6kE$wyA9J?Tzx0N{(FFKhJ@)gUgci;hWa*;o+ zWyvTd{=-^HQ%)}*O9@g)3>)(4XejcRegvl;qC^sbdn$23ni_>|g2upAm!=%Bcc>}M zosmm;2*71`Hm}b;Aq&TM5V>a;iPr~SU^zTH8$7{NFji{zx0oh@rOSp;JCfhX@LoMl zC4rL4&#+e?Kg2SV{yii#NHS9$APG@pV+zHM!?-2kT7%~jfwwK|Q#4tKh zm!p=<^TIa#pGme9Wc9Z)En-8s;*M_2Nw3_H5n+(*lAWm8obKJ>a&aLbIqko&o|~Q z>s(rJqEnC>TKR&IBn}jqIM7~li+0P~VI^Rt9J#vXERQa)Fz`e;TQIvsfvvVYb&h>& zZx|W(LyFoO1#@$H%ihsfKlCJa!J2`WgzUY5P(+&fNY zbUYm2n|C_79Z&&Qt8YqAHp`+SQ7eko%esArrzb5VZ`LcA!Q+XORCByU-0XLM?pcV%eaIUuT;zmJ zXB79&m$fdPIGC`)Dvt5sU{716L9$%;p^O#`aM4m1BwIiAu#a_)SUtO2-o2~TE)EG| z9nkBYUUli)%zc!-&BAH}-aDV_*#{V-JXcw;g@O>Iqf-v5xp*;|7Nn7(mED(3AkY5m zWN5+jyXB?MoNh;!YbB~2J&9{d?KNSS`mCN<<t<_*RW4%>M7#wq>lXQ20Af)PDl|I+S0BHm$9=L6(gY+ z6opN@v>m*vb}SW&`EW#C&q-k`h186rP>fw|=D&BA*UK!;Q(<}uEv<-uw^)G}Po z<@<{^d4<8COla@BI{k=l;PmxcSf064V!%6>VNi8hzu8vw*xtRVDzY@O$TVGV#^43%Ke~ek z&^|PI4Ut_-n&qApq{ZVN_sqzh_V{t>xl*N%r%eohg+HLo<2VES3qZva*Xn<|hELsfm20EUHRYd&8&<|vbA z^t=ViIit?V3tL-6<|9S_R4N*QztOXMbBhoU4ei0d>8k{z_C39E8&v*N;vW6)Zt8E? 
z!t%#~wzy!o0#Q6PGy?BY+W#mx)I*{FD&C(nmzQ(%EBk2i%j!YHxHbIII;%!TDB!Kh z(jMgP_gi5`54~FbG8aRpGRvE~);u(2DIWnlhQ>yj6;swCzJXR@Jha>LFPT>4v=^?rMc*eJZRIBH~%5V z0aM0LXv`=iQ3d(tZsp_MFj^AgDV@-J-qPf>X41JPd)%M zg}Dx-@`H7l?Ls4Xty7N#WpjjIrJ1aivukip7T|vCAI&e_%;(Ub7r1lBGLSE8zJ9Ke zLxF~MMUsG&Sh||MV$$-^&HRDI~3LCWi02*$uQ`NixD4!e?nUj#nZb|gkYWYKAVsgdp? zG2T|p_K2=nX75e6qxnDNmT<48$Wrun#FPM$ zTSzg5z{#G~ulQL-wLv8vzKBZ9?j^95t49Lgr2Va3u_*Q@*118;;mt0iA&FYKBx=$p z#CzUDT*Q@fC*$7Z=RReVS;n-jGXosVzd~Oons^?Rlz}+aRX8R5j%g$?h&`~Ow-@ep zK|-NI(CuR2rAX4q(~fCc8H3pt0!?gt=R?5+NbVsGzM|TWgq^)>V?*}2bCs)M3CA4j znl6TnHcd0#a2|`Srt9cVM@bX>OUKT8%bU!ol4F|!_x0O53JrkTm6=vNq4y{t=Z$(k z17xIiIM(UR^F9uglfS(U*@-ZztXlAoj|p+|*LTdy>|;j*cmBTBHz!6miROLdb(%1t z|01}5Kn1G`2I8#vC7_t;ix(z?_80olcH%K4UO2(LW5FNhkMBGbUA=Gm=*wtU=^0<0 zq&^aE7SseL#MqjCpZrFF?Kt@>bV8X(^}6K1j1)#$Z0uoYui>Ml`-biwEzMDG#vY0{ z*~sHxSjKlYmC^n(^aLR|qBJ@k9dRB1j%wti8K_19&{Y{U{5GhJ{zaEF(?$*N9dcWW zvh!$Z@~OwA_e}Nk7;^}}k*6%2C-3ezKqjJ2E ziEE07aR0_4^(s}0Ccb^}DTWD`!t1NYNtGe#RO2L7B-I6Qf|qT4M@T?-{BC-CZ#OdO zEw(_uuP<&&t#pk(D^$A-wH4lw<1@e#)M_T{<^3h9@rauEr$6R3Z}D9gv%rVavuF-D zD_qM$C1BAci;*>S+591K0vv5<@1rIU+Qwz`kEn?Nax~pIgRrMy%}GBd-Qshu-A7@S zUNsi`_GzmhHV@eEFNT4S`$6-3^s?Fhu@(zIhrsBE3~MdzK1W*_x3Qu##Bz`Jh-Dfp z@ACs^R%M6GLNQDb#p>jeoSAQ5OfARr?Xa09%Jl&EL<)fO>-{+1nb%%>K&MfpM!k;y(ap-jPm}ad+*|#dvfuelRg^pF_}ZZ`USGl(;4kXxun$cMzBOoUN`Z zqO4l66SFST#*d@S=CwY{(KY<4z2x^JKnwXv&HV@LaS?k)&b)yS&R@4v2sQESZ#Qy= z13Xd2b{6-^oyNz3ML8Ni649QbWoYxb0-Pz|==vyq`)m`A zf74qC*KH7v|5tEKFij%#4a}||lTf?#6O4#?R3l(0>6BSTVh8lmy|!s!@(TV?^0wjl z?98XD+Q^%OaiZ_V|XXxlR>I63{~peH;u^euTY2) zm8gWgmlMyrPmqq-xxBCf8XXy4n??RU7SueUHQRRv@CcvgFM#~-}M*vp8VP26pGuO2_lg*?0v#1_2) zBCirlzHWckBTjd@Z9NrqBHdh~G?OSyVp4Mt_?taTb=&{I80;sOK$yb~WWW`jMx+L1 zqi_V5MB?26hsQtf9VgaA2>4$D`Y9RZ7EFGV5jF?tM#ID<1l`1LZMTOCTCNS2^V$^Np)E<{4` zbTKbOn3FDn`t-XT>5`Ql3=;<<&&*@*NU#nVw*rmoU6d`=Gka-_y$2 zkHZ$*sPRA@$jRopIu0<8uUAu?0qa|18-N3~dx$ID2HjQ;Oq5Gp?KbVSgtawCq2+EjT3=)B@7qS=0nmLVqOb-B8O2o{00jg}M((!AsnU%}6)Hu*9V 
zo}0QCHX+ozf)5j$1Jy0Gpf4k+x&5y>v9N;N>_0(e2RtdmnHu~PEOo+?dhz*7jP!mR z7KJSnAsoDIIyCbVIfv~0|L=gL2hSJomwDZqjojTyy90V)4>Sj@2O`dnv?OIAK4$i4 z(}|lp?)f&?HIKbj^CrWbJfO?yW9s-G*oDhe4Q-4hDsZ4uCz|Fh5R@sN7A zaYFqc`=lskx6jOSH8RU77HV&_diFS|A#G}Ua#^I=sq(UE94rl6&%`S>NV7pnTGvUP zz4G&kR{+B2=THONxND~)VIjNpmC1~b>Mbade-Q^k1K(Y7XjbKoDMIS!Xd&x8Ce zXG@fc)Mr%6U&7lD3E>w-j+HMl;@1R@5r}@4h6xB5qV#4!`kcUxk8N9JL#b_r$l;_J zni6a*j9T^D#3R1bJA)o~y!`zrMed)pfj);ow|Cr<8u($bfW=L+gE3m3Lq}Jpbhvm2XJ!fWvu_TGME*64d{Ya0( zvU3+P)&q={|-g}3Z0m1 zLQA#|vD51&2kAQ#4|Wz6>W5^g4LHbntGvp8lD&#Fd)e(u=Cqk#GSX|_(qSvJoAYaW z%w1C|HEX9}EM1x5v07G;ZhKH>F%8a#F?lO!7+7(Al3nE}o9RJi&RdKx^VeIKX-DN; zBN+{tau`)>y&YbCtS7QMwZi6(m9@)Cb=Dih(`l+*JkHN$+>s#GQMDWEe9%5#=Nq7{ z_;nD+v!|uCUaq{`U7Bb^^Wkt0f&RS67fSY^Yg7kAa;V1mD}{K?XfNFuM1zWKb5Dn5@C zGYQX~!NZC3{OGlyBho=u7n-4F;w^n5u@!&XRp-ifjA&?aPNPBwZw=zBL)l6+)8zS1qT0g2g$mfA{tzFeFrP>aO z_C{RnoK?H3F#DDCJb9a2HgWoW+^|!r#CHw%=WYZmY#N$(3ID){<{2H1a%zovNtcCwFXy)6H(zpM`t@G>ZTOpxrT`4Dq84F%_Z zXT-SIw>6O1GVObv@SRT?vTjKUzQm+b&;2MGHM5xpD{F<^M%IDhqaitdrCfuReb5^J ziM*B_ABX2*3?w#kFVaSd(4lfh4Opyl@ZUbL8T2`d79tHv7!-MSG&fz-4@3SG5-QtO zjH{5cATZj^*EuU_8*+kohNuDKCfB_lRpa8h&0?_j>nst(qS>~PM+$EimoxLP z{o7Vm?2n zh;UrLu+@YM>ShbyI|B%%X3)^N8EI_*b1_p!>ffmB889(FpRo=_)+{9EGVrGNix^=S zAn=GJm4q|U=043wo^&3+HV+Ht>giAQTuJ;Ffo>-L3AHCj1gdV;qd;MnxGSAOsB`v*0y_yD7l) zPq5C6C|Wlof_0!^2ck?|&1TVlpJ&fXa1qu~$4^dL`9JI^;GO(neAv738W4pPbCTF} z<26$+{K~9$7Wg+Qj_baX5N`TFO9XwP%Qnt3!W(bNW~r^D4S$NUj$%f1R4B=_7H{L9f|xw+M@ zN8M_G(6Em&ae)=q;BBCfb23s$VHg@^ZN#gLq|wE?n$x*);AxV`9P`qo(e`|O*tTpMP{Kl(DeSNq)vkR{rr0QbH}GgV%Q0wfi3Cm^Y`Abygi@!6|CN$6bX zz@Qc92we1|v?Q`HQ|;c9 zci|V3T@R}(kfIO|$3@GL2-w6QbMltsUc6y83$s`SX84j40#bu$9pIU^RkuSEf+t$# znEQ8@l@LrGaRlszlnpsUA^#PiBxDr}3{l}}{(6)*FuYK0aSy;&wm5C@H_WT304rRh zT0XG+P|e-nA=K}{5gTtRTnNcjs|L!XVyE!Q8jsauc|n!cPEIR>lM}^Rpzvan-<1Nq zu>#wQ!bR}mROIYl>Z2?5s)A!1-e%j5s;y2Xtg=b%F+d^_PsQ{to72XX(*%;MQK$Wr zF%LfRjT{*ihO7$U?`|I|eWxW@i?6HC#jeUGI5TQ-p)vV0%+F_B?5%y`p@hDMQtkpPutoW z-zrh#q3ieJyhizSC_jispb7m!1?V*?1*9%eJ4hvj|He1E^@_y3xr7V^XbiWDu$F5% 
zAXvuK6x%#>lv<~*nGo?-j@}#cNN}gck57cHT5iwzDq@O0mA(;mumP(;= z1A?pOO4y-GG;2?;SLkSc-4#YZt zicrd#MJgx~F4E@uIE{T&*eE%HE(+yVl=Vc_kJ4UleY%v`VHRj+jiH{Z$Xs3!V1S-g;`;w3nQ}2qWbO@&{zxM}|AgYsPb=feF>)=jH-K+Nnd(-6eW->kCFgyPY zGfjpnRD{{bTwDuYQP-wsA!OwgKONG2wrwtv@+4`#+18;mNG$VLx518xi{NWA* z517{sB*`bFib0AQqTZF1beeH@Fs-8|NAqSY=6u*eEy_R}_u`!;$;s|Jm9c+a1a{*J zW8GsVX~3Mci9JF2GSut_SiFO?W&hH-6cj+ERlp#PWK}r{_G;GtJkZxXKt>VAu)`W# zmzR|%`h|IWnINoXaxRm`#mO=)gmeS zV&BR%XMK&2R~Pi}cQW-T?4T#bBRQ$;_1%6+ofNy0arJ+D0PF&1*DMD*!I*%h_>^I8 zE}tfT^lm}}O;p;;tmcF}+<;s-GcuFlf}_2?1{YBY zgR>B7mUCx0fd|t~1wOyOANl1(8q_b+kRa}@#o2M}iXjfHp~bwZuAaYyJ_nK)? znR1py>hM=l6q=PUZHub0h||6^O2o14OMW_y=yHfjZQQM(p8g~tLuO>~9u~l|V+$iD z&_I?DOyfJ=Iaz~;NmBm-;!Pao>hjyg3hpfqhcBhhj-CO`KS$FWZ!O6fCN4V-?kew6 ztp;|5)M1P6H1`_i9eChJT0Id-T|742?+<1NdMwLqf1F9(@I8@+b!iv(QhvRY`BnI& z)P^Km{3AwVwC}6G)p&0QnzYCFZuE$J0k9S0aQq2QKJcH~5S$fAI=>e^BVyJU@eT)M z7J>&B@m@o^8npTwG6GN@mkM?xvnO6s_XiuQl)0B3%}*nPO9I$2T5w{Uu~G{`9(E)j z1J`aMCQE(S*d9Cg{4N(w;S;OrE;wJZC;_PpH7PCxp2ZT^W5s~Gq4<@+$|IUbbzwUY z3Ozhu%GT+TEsKW}H@C-`Tkrq@=p$(4$u<#=s5Shj>jz=4jg+}EC2f+00P|l?Uu+i~ z2#qzGPr1h&USMv?7P4^+L0%qst#KR6SSoFiZ55NcNfwc|7b&7Sv80Vng3 zEOA~gm;5S`5TWJEh1ILow!x=8t}tsO-0rMrvks(iYY6E)G&(DXiY15btqbC1ht3oL z@P#1G=5c=SkeY%%HbW$`keXNjF+-T9X7THzi;VC75p_uNE%j-vV~iI!+ikNAVA|^5 zhe1w-o2qsqE`Pq7CYNGq&eo3Faq_0MIc}|TmVT(F#>HiY;<*fDL=0P!i=5|*IrJ3g=;9m-Yi@m&Dj*BAw4e6TXUaaP_ig7JHENq2L ze?Ip*aX$YRc)F_tFKTNuaZ@A9RsMM+&+> zT9;lr5^KZ)(??5s9;~$4CGtIpIz5BgXqMSR64PC9VVwKbutO5gg;4o-$9&W01%IPx zGW`Q=aL-ONVIi1K#`rA~1AUWYCB&5HPL$q?z+WWBM}S zipOqURt&`X__Ft|&|gUDIv#G8S@Yt%rC!?>iDJ6^oq|$OsWz))88pU@Jl%SX3bR^F z$ZM3OjW%)r(M_rTl$F4~&GR5P=*V#Rk|-Ulfn063mtv?>(XzrwIHC7u*cJ-#@DC3J zJUjnE3NrK%4BQ9#B8>@C5lpR97ja}Q=%mrpd@3KimX|U}ZtVM)Lme8Y&8qo!A07Tg zb{jDE$Qi%^9pT63c!W~kEk1l>kX<1TlqPX7uU%4zW@#kC2ior4iFwFwob^uq!*kDq z)6y_q#;j!)m;dL24uFOd2!r3-b2{!bk#g>lm*NgvD%&VLp?7x zpRz~xj!d`(rN6`F@G2X-WGkC-I_nO2AIIqRo7!`!voYUja;Xw__gp=bb+D@1Qx{5@ zaOr6T5$nuB{Y9n~+1=-|`diI{-t!QkE?efd@u*^NrN#4H|JS6p&Ov?Rrud$Nd* 
zQ3Mb?e$3=E?U9x8D48ad-%l%e0Ct=_n|9fqgVWU^PK;|t=GhbL143yJayKaL%-ol$ zWo8qy|8$uasr8~@k@`+QEH{1cn2>5IKHatg8x0@kCDnnwdYBBLAd~t1a&o9`+1@d% z^VD>S5J9E&saSiZdZ=nO;8d5SfnzUc&C(z+o+YH2Q1USb3@j%)*=4eZ+NIq{d$W;H z;t7(%D{cMW`OWzm7`Wd5_LWuB(KRSY2_*}KjjfKP|7={atHefzWmnBrtgYjNE$nz)XzO&=t08GsDSjx6CCq+x&Mz zE}eE9q`p_cij_+zjlxV|z{zuk7iMAdBYqnaZ-F><(P`W@+jK%@{4b_j1g-u(-UF>$`$MXw8Iq|RPHY~|^Bru;@^~4f^Km@_W5dfuA0>VMixu@5QP z6|E>H7V^nlu7|E0u)z;D&E-|pHb1hs9r(fiGjN-c`J1y4zkn~?BP+u<^fC#ML$hDS zBU|T=<%{O)hX znfP7yN#zIv{0S}|x*i2*UqiYKR*~Wt^|t5dp`9#QBkI7a6hlj-DndHp15uuEO*bJ` z?|_!KC^0)W6XPZdk>Mjo39Qf3*>N46#bBZ;IleSrxP6F<;Qwzs z!~6uSi&&_-7tEZ*mGp_N$c(i^Ig9;R)yw&1cV#}Z3dUvz%{af3xh^F*mODT?J|#N+ zQ#6Vm5w4Kn2=4VMspxn{^q+oHwDaW(;2EFQ6+35#vT>Rtm;)@hl`OBO%HP8HdGc$3 zaDmv0XJWi}IZCqAs_^*9(m)t7_jOLLda2)oC>%vajYshnD)+Ws*t-!|6uPG50_Xv1 z2YrTdL9lX@n-xND!NK@;Zi{MG45UM%He3+&Op7;K#a>kgESm(% z!4pZv-kmo7AYu7lg5-H1^*@b%=Z2(qz#7t@<(db(Ziu9&ccuFXv0a8`2!cNc z#XNMX^@kY5ZEI_T-zdbQBE0+)fRq!zmz*`~$AH7T?Hap8Vq2j`D%s2h!RL2C{C6!tMqAaEtKl(>Qqw0*H(t|xa$GneZnV>8$uO|L zM>D)PgOU{lOn4{~{Njb34zImeJ;JxKaY2aaM+NQHx{iv#^sg6RxgNtL z!n2AGq-bwS`FADow}FH5;mQ=s5$V|r##ryL2~;K!b6ex7)Lzjde)P9dcwa4t)w2&W zq*Y_s%=^A_RapJ+=k4zge@Nebi3WlA8%%<3Ei@|#G`{eX{uV&_sWB=6OLnedXPg2- zK$rMYm;}a~OV{*3lsY6>_Ef0BUiU=t*PQ@$_-&U&jZ$c{VtD8)sT7;BS{f-erI4aOMS3oQt#V+W zRJg&{L-d23_5dZ+U4=*_i;+kC)vWGH-ox%pa;&fl%11lCu7|QtvU22L&l@n z^|t?TIrCl$Vo$q9fWl2YFt!XCFNuylIPYSZ(7tnrd`i}Khg;YWXk1br8P*A%aLm0 zioP;N_(jvSxkgcFC^s#l86g@`smuII^JMJc1WrFoE6*`M356500H+7x z$iwMqW|`08XFjjx9COW~;kSO$_sn+dj>p@*;PGt=D1Gc~YA<1;BZ6r_{+K!Q`+fSl0@g>i^J+*yf|r^VcNRC9mC+eBuv+ z3wKc=81H(xwaJ}QrX)dS_mIu73bqG={nzVeRn-bNa{Q->c0&}bDy9EMZiN9yzHkQF zxS1%9J_${pNc7=uBrwQyx?C|{F?z`UYWs$!-+w38OJlwXoLpHxiga6|bi&~s(={y$ zl){LV>XG^mZ_Shy_3wHco}_e~T0i7Dn^g6S^4+HEuMblnZoDIya*M~b;?1b`B0xA!1t^zqNEj}W#uUkD6p98> zUPEkSm}6V?X+Z+r6t>f0LmF?P+j|9{1-VsduNM|c5;vY6#maNjyh#}))KPfi{G-Fn zNvDwOAfMZCpK!|X>H}H|5`toZXSh?`)Y=crB2;zT2z=WJp~Q)2#4dQ>n~Kbff}r0O z#!oGG?d&Pb3)9xUQ$}zE4^Jx@)4j;F0WZ#r#{4-3JV9a#d&=QCxDM|+xQ+y@pHhc5 
zC#L%jkHB<%V5Lwy984vX`M?u0*-dq#Aq6}+(82Z}0#;y$Wq8M$c)Hk)dr}8RA>+Vq z`K;}pHb=PGK{Tj3#_V_YmP1F-I1TAvY;L^lwegzD3s$HdXr?`>IgcRj)wxGCmpiTA z*RDFHb1hLnxx|+lu6Y*p0^mnl{QKYGi2=Yn{c)Y<*>R-*1sbStneg zbv5YTvajy8h{-IuMJt~%7Lux%Ij0s}g%6JdZc$K8X{CnTe)|p{CgszJbHC)KUW6?7 zj3ptBTt)tmyh&stzC zx?fvjc(MmO;49A)Bl1U#xag46D#=3y4{RVvB)q2$wMhxR;z$eANgR2yFPL!tgDdUc z%jny)B9S3-5$`g&3x>E(Oqc3B`=X*icr7M=2C# zecymB*wC)ou1i6M4aS7-Nh`U9DYNdD9vYQJWf3pl!K7=#oE>G+pyzc#V|&CY6bRiT z6qVfJj;5aCURxYtycgxoGFd9B%6-(1ZCp~q5|X!nw(iZO|JpL)#8c{wcvw(OyDbCi z4hx@C7M@*9qD=q9n@g@aRC5`ssZxyX2qt-ZpIAnK;WLP3=xRC5cj1HJemid&`w+{i z2>;?}S)`3VpFlei$|GUrdkomG*|QbD5WCRXndDB}j$@VbinBTjC^0jP)xfM_Yu#pf z0oAOsxab4SzjLpaiki2;!?)tAI^$WCZev$d(!FZJOJd*rW-~Y}6>GQg=L|?uq9CyL zX259Yn=&+3i6ztd9jYPH_{Sb_8xy(X(KgQ5CdG9!pgfsfan$dPU&ETqjCO0{qrx|m zNev;WS_XC~@erR41`O9D>~GHQjC({B;47p=p`6q>!V5^V4SN2T?D9Tp!H3|z zo5!l;iSql{_(&_Hsrmwc6pIg(bd2MQ$=?TuIQH8dJ^=XFGgiM8dE_wbkH^JVW3Wsf z)v2@qsJ2C7?2p5FzVMsb)~1!LI~xfs_C)(uXNwW#K8T3PECsu6)jk~;V=IuYl`Rby zYmrNyiMinw3}SF+lomM+&o07EwN925#k0Gn$LS8Qx;q$hIk_T|KF!>^;N%kOy1-8y zF~Y~n5{?cs4Y};*5%$#%6}Th6VMCO#7Wi1p4(;FQX3H&hHcSWKsX9dWCc`>L1 z&;?yOtcVYXiAkhL#^{c_ty(3kUTCM*S{z9cg@q94NI0n(PRZlZPkv)GJc4sof}iY9 zVpc5ODs=>FoYKM%A)`bj@%ognd02=n=l-V!R*Oe2$OK|R(@cOcDbEzyHBmS1s4oJC z$S>+0&!w@SMvNTA_RH}uSZv_t+j*tSsGH%Tx~RY??&#ee!dUW!$JFl{RQNL}#uz0M zV98boGl%B7w$Y7|m&eCGn<ryiux8 z`OlYs!D-;`4sU$3PFYcc<+;JmPB(eDQqq3*O$#9D#zBn_)50lYLH*4Va1)r2eO~%qwp|cTb0XZT( z!kGh`;(wbUfDi0#Y;q+6sZinrJd><TBId8N#VgNh2DgR`>2ykfb_Jp8;@xlx#HE-*vEM8Ld&+!8RnAU z;Lf8O_#lq%1i3< zJeR1UwOwDI@@7TkD=$sXi=u)MAknmz4D|>Wj|S`e+d2Y#aJ=dLH69rUqN@4lPUHSq zeU3clDCXEUo{PGO_a4CaLQMKC&Y-Q71J`4{?b`nbJx?^M zpd;n5r#;&b5J-P;?jI_1%F`u^5d!gM&5Jm0cAjYAq`@5}yIoMByl_r=*YUdtuC&JR z#@#2PA*WHba+@UNFdmN+*K&7-L-JSOM)4gXF-#TO>J%JJD!+VuE#sUZ(oQl^l|E|DW>aU8?-+TSF!cuSKE0$d3#fXu8eOcUd@PyCW> z2LG+mHdSw}_8T3~j6CgteGQ7mG}5nzf;Mw}_F|4-W;6($bef+eNA^(LNQ-?YUc(HX zdXD*?nGV`a_)%ju>Q346&wGj6DyS7D>jKXVmy>E(HhNEhM{|za3m6rM?7y*EcUc<8 
z{FBk4ZjtezVXGvLB=Z@i9Iv7iJsgeoAxov%QPFKz9q;o(%5YJ(rf@^uxADh48H|3G zd^A+?Z@*+be!${jeM!LQ;oIpS#7#}Vqiu6)PQ)NO?on!<-pZoXcB%}{9Ofl3RD0-X3Xe8AHz~Ar!Z5%h>TX z9c(!SGeB}Qvfo*L`vT&J6)S5!J<3}Wl$e}GKlNnPDOqGJ&MsV&e>`%q`~Ob+K^C+B z9)EFW5?Cy7Hw*9aRL=e86ee9iIyVXS{&x`C4?3FoFgFso*|@Wt@X;kFug{_uoRLES6mu42-s#3Hpz}SWho2+JIb9{52u6%0r7)sb_>=+cmHcm|^{HQj1%c4_Y4e zZtB4$pIW3u@yWok;O+gue8=kLqg;LJ1sT-Hf?l&&;8FG{@XCtBak0FLcnp4Rdb(jF z>i$hE38Ki)9aZ>LFgmA@h`DHhXrceCkH7hiD~H$_SL$|n-Kgk!12Ri)yOROgw1A}a zW}gO?X`$ogq)F(Kf!hVcv%Cc~+ur9LDeS#~#sxa38hu3b+=gSreEHMwZJs72Yb&?e z9T1XPyM7e3%>z-wuXSMJsDpU{Vi2`JCLog0K-D#nY6z#DHI+-YD<@h=7LpeALj#2M4hlq)HqBx z#Wfa;FV5Wr-PM&F^j4+}q~tcua!O;0%z&PNvY8bcegAb3OSon2ytI)8N%L6{Pr$@@ zl!DlF_8Of~=UAvi$$h$=T#mH(_xQk{fSYyCs<)DSa3=}b_-8=j z&@vMhN@R>4?jmEIOT8x4n;;|QlBrybMpGdP5pWQsGMXV{DvXjhm&6G1w&>xH#PVQs ziD|`A)@7yQ)jtPd!>_bBN6+xS0_%t)YCdftA*XL4?H|o~gc|M5nMqt7@_%AOySpFf zLs#4WehG$py{w{7#;I{39R|cZ*V433 z4dE+6qSXdbcb$n6!9z(&f@}REm5BJul(Blyfi99SxCH#()oWtAd(@kH!`{uqYS^If zVYD`E+kW|si?YbogZ|@5MLronkSF*^$3UJe2uf|9h;q6G0%b5|mOrm@jAQHUlYxv| zGY@!5!tqy58!kRDs8MZ?F5H|6W#6Mtp~dEPN5_ptY_rPWw(M$ZKCen~)fvl-3n)2< zGz?Aei%b{c330)!Y^M_FU3nQ=UE*o5FfeU>fi@;ORSheM33AdUd*r7Xurwc%8n?YY zJ`Vke0);QvgA`(LDeQRHo7(oYD~7LzAA=x6k<7`6cOy}!gurOiUPPwj7 zJDoEn2}0fX#Xd^`CFYmGH$K+I@97f=u!(a3lX0=98L{y2@A34aU0{%IlvaV@;0o#k zbK;m;Pz*vSpAn_v1B||EY>#LLtC}ec&`-Q55f?^1_0}!{-}o{4K>{rck|el>Vn`?x~>#)Lu>;R(rjKkFdy>7h9UIc_m+7~DEYmOQaRp^?0 zDykvl$u-~4W0Wr(5R7O_wrvr*)c29piuQQqryDsB&OqZ#mx7Ga2J7=aB79rN9aiTv z{gDeTA(78yGZt6_sne@Yf2v2>ak`Nfw%ip%mChQueVls#xI!0m<*XX~+48>XRJ-WJ zQObVz`S(iSmgAlyY#vrUzOL~W9Amq#IMv-ESQo6a?SkJAtWFM?9j>w-F8EzS%SA=h zOK)KFLxW@z?J%mUdlx-O47zGjd9}TGykn3Ey`Viz!jIx@O22NAchp_6*+10qJZfg5 zlgWG-AH`(MZaz93SJ4%Q4zQbB7^oPfa`v2&Av9aVV+_T%l3svg>T>1Aa*ceYa!lwG zf8qajP~2tYwwyA1WK#sPP`fl@ZJ_=V;@QJ_`SIED1NoLrD=spq`^%G!m%L7$z?cV^ zFwvIg!6}oBBKao$Py4eXTe&%Y%#kV)Qmu7!VnSH6Hy)W1i)4t{!^rv+Z@Ut0h?)LE znCX&EN)1)!gJ%KJ@RBqsdzfBPw^Wp&n6&M43LtwjelW?i_b|h8^7(-UPYd`4=g->v zev6`Xdr4RKCy~BtXj^s%<|l&sVH$nghyd 
z+lvF8IWs#icV|PhXY^{-z0ZPSQC2G!kWO}{7{m?1F%d|g3364PEs+m!_qnVo$4& z(8qK_378vcE+fRNK&*=yGIz-DBwh$h#QydlAQN> zXlgbTMHCbJpB0EgVnSZ|fW1N4V2MooVY-5TXBCM%*MCdb$dXmO$!cGNI_#+oNJ#YX0xrp|PVh0P}n4_=p>+>pnrBB52jzf%sUM?}`cC)WQS zAtY=Ozg-~<_oK}s5(;akupn9a#p|;QbH6&O9zN)QG7}Uo!uQ1<2H&@MyD^+A6A`eS zsPV{_qF;DZELF8Q;J|Cf_$|aEUNFd}sfB}UdUMd*++2mEc_ZI&p}Ka_dU3!~FABlNV5r5EX5O@m1o6}O?Rd*_)0Eu8)Qjbs zZlEs=2tdJ2keEJUQoJ><12HI8Gfxj6d1jkZ*@k>q4kv`IU@vQQ3fPu|S=jt#lI6og z7bf92^WPxBH4AvEETl4 ztVR@Wbz%MK6&K5ZAoz*Ma(DCo}njO2snlu(dB&x(}lA&e~|W1hUoT z((>l;E-%K;jUII}-L6ct8`E|DL*uNRs~rM;8j!<)zGcDTcDOo+mXF0TC+oko-1zTKBYYE6-x&Bdf5OD@lrEtD(kL1!X=i`QL z$ZyM;2>Mj#M4#N@=S}u=)g1iQ7}?P$BYkBd+MWMd9}-3WO$f24FmTCVp42}vLT%iE zvS7*O!#&2Z(LZ9Nfg?a-Mt_KfktG9(9aR-sa8f;7$L232d&aOV-gBgeHy@ntrUyJ` zje%X6tTi)Y7VGi&z?`VlZU1kUu2BEY(nOHiDw+i)CR0i_j71LAZiRwG?bA?w9;k&S zogU9WKE{i<1Nq4FhmY}GcfgfH5Hva(aU?SF(5G{_y;K{S)v)toy9?aq+D%Wfpm*vJ zwi#hr-3EJIHVb+eq^}o*M*Shuw;WpP!@{zncHBJ!>I4+2qKiB7Mt9Aj#F))`7a!gP z#X@9T*d6A=8%WNAYXAnY+%(g%oF-DCpq$KHiaM^xO3%_|4|bdLZT43l)t}hIz4XTc zG}Tid-Co@j-4V!B+A3@tY5L{p^2g~*u0kJLR5?Uc!qG~;Z7Bj_EhifsP#1cYQyfAD zf4(>MWOD}n(OvhQ52&7;^C%xS23xrIBsD{=BVICJ3ha5w!;1U%%pso$GnVEtU)DeH z{T4kA^?HrC8nL(Vlx-cHVV{w5D*<~JG}tF_NKQ6H!CdJf1tGgy1YOEAmPVAlzajpG zTw)@>MQvdofebCunuq+ZRc~wAG_Id!nV}I~T66|#O6Ule(C9wy_q84~;w!QhGU%V6 zd5WP{Kj3T0w)JrCHa`C*%M^>4u<~?jV00YdKA9{_&SlPkKhL|HyGooM>Yw*wAVMZ? z0E7DDy%^GnAr(eF4(6`p3EVOfTh=dg1;*~&&%Ew`_j+Kcc;6wOhGv8}pCe*Qnv&?? 
z>2VQ5m4~xU6GC==F$#^4Lk&`$sfge&Akz{T)>0LcnrO&ZhZ3QAW8rTTUv=U-J{lkk zANo;hfEErKEY)B+-ELemLCXc4+QiSjG;Gg-r_P4npu^ABkT%X)5dGDvtad~QBkP~h zBMOci^5a*j3YnrGij6j-J816-`17aKnQ~cGb)I~JWq8ws^HE6sFP85atYfW%wifUs zJQ8g8Kvb{)A;$HAg`pQ~`|4i;`Yq@9-)QbAE*HDTx6x1{J_ zHU1tP1r~}F6WL$a; zt4UH~#YF%P6wXz0BO* zR0ODSyP>myq8xx(lg-*%nl83?2=3`V=_)not3gdR5)*dPUZOwHm;)H_W z1-~|W1-U~t#FekbG}rF6!a;mnDhvIwuu|E85a?YEZC6(4rg@dR-GKAG z>Ju>B{7#JdP7L!Mak1f)kpn@JOTzwXgNdKyqO7l2@~jlHs4$Fw4d%Q5JgMnsBGNk` zt#=!gdQHYM;J#GGbnkLv?n;;Is#x)!>D@>Ws!lBHxJ{aH>O{(R^k#-@KklqnNz)&8 z2!C%vJxS6?ubwtBUWZJJh}i*B}f9H&^#ZzAAoJiQ{mnfcw~@us%Ugx9of zmvPy2wW!lnDI3)w3rFr3nj>`!h`3Nk)sk1{g$3h7ucY;5K>w$3C}ZJ#vD@ew&?*Dh zhWIkFepI(y;ml>fZpL<2>J9)V5)BrHqKhO3R1m_r_?)t zWn|b=V%TbAf2~s6!DpR5J0#;GlpZcf`#QC`ACgf*c{NJ{nCfrb(9cAw2699FPpC>D zW8z08>S4r8jP228>a-Lq_MvWx$|AYNY(!|ctoZ4ic+Rojg$Ho2`5nIN>cKrW2G3X! zf_@Zj_4d7G8?c)K<|S#ZSqu|X2B?(4zk9`L+ZY1HP?+T=P#eA+EfQbB38$gTgYs)G zHLC(Y=>8Y6t%(GR*}`=D7W;n6bCoC6Y^Xz6I-!>@JxIe|u^90`A2qMzK~i)Xy>d%T zI$s_+NI%jWB{I}7>A*)9B-eCzMm&hub7yCVMDx08!CkR zEx@l7HiWdq2Yj1dn!y<4Eu_~Y8YOK3GwxFA96Dgfi%0X;V^3y*Cg;92j zD6*KO7+JNV^&8)&9polrFXal;=wG~jm=Y2CPAx#fK);l6nU7%5>_)HpgHzh-byMoa z-6HyuT}zgQ`~_Bv=L@555yp3(UC2pmgj;?Y(X$;RHg3Sn%t7S5WOy^nu1y<{`P^2( zB$C?GCEA35+jX&K8A6$H8&?T@UjGKyv8VI_Urj<&;5Bcp(^IVJ(%1A+ey6T3GD#gO zgesjGS8lhO`>evdn`=q0AdEFNwFBf{=PSQdmE3!_GovLqU^m6mK4grU6kE-+EAPy-#}uj7!hy2xZlVLv zT@S&zpI3F9*AgcAqOO^-X%3px{3y|v+s|{co)0Z%GNFwoiU*y0diug3(Gyo*yNlD$ zKc1-gto0A!RC6)Q#b0RKDSN&v1-~zj0V&Bc;*pt@>~5Ty_PJ+6l1IpQxJ(qLRItF# zIaNA91yTNI@WzmIV^=?vZ&GgL{WeD|0NbgY8kb!)7lxxU93xFS+1b_B`gx*L8fLKk zP>Qu|W&ADL$jCf7GMkSxn4g+fnTzebw_KMA7*MSEF_fTwRi*IJ>xsl28QYTd)swg# zKnv}^cGj*g{8T%AO8t$ZxBSib)qnHV%dKlK2l_q)X)Y{kz%o-?O(MOO*Ght6h3DPy z2_metO}Ot$I4did4^Wc6Ar4FBGO$28^~oqZ=|wmYS|n?BH{6Ke7RVa7L><5vjHgCF z5SE~J3BFAZ_Oo}uq(-}-Cdu*g918B{pj4C^!k$QxLW?%@G}?j^p`8a5TXd|xW1t(? 
zRR}8^=pQ;q7_jiUm^k8C*5rWf#xN6R7U^mo{gqPRZ7t;89xm|}&d(I!0dG_J zZ3qgVTlX%YUVMHdiHxl~mhqOxa@6|NI?td~OJFYJMdVjR+Tl!AoDfo?={~tj*q4=@_J@SNWc95&0m^*LxQm z@gf)bHu6^35U=U4L_#kx{gr?XjiyrSkNK6H)azNTt-@rAze%mcPan_E0g;N7XY;lK z&Za_JIdvH}Kw+XIb z{-a+}Aw;#Oq2QahT@uT;CfOZkb*1hv@c;SEcsPC*0ozIqe0EI|m5(1-K8zz;?~H1s z+14J#i>)f|NW!@vt+2zK#W$H5HHDty;@u$f3tD5f3k$aQIOeL1G#`BYv;1Ru?LZ?9 zU2=stjanaOd8*t^TkMhkX_f`P%~LD6+oMY=Wt%?=wUJ~JP9a4^{0nzIhJ1|+N?&NO*)5O0KLP1mHOgWVQhyK_ z8rsBaT19g~kpgf+FCac_rTA@dVc#Y3fAJq6p#^7y9B3XO`Qt&>;vk|Wuzbj#KGDeN zTz%6#wX~Su7*=8C0|>=2=AEn~6EjOqp{o&Oag>^(5(&$Z+3~A^n!q}Hlx$m0ehJkl*q#b~-D2F?;3AiNK^^U~?!S?op3*3U;9a^DOE)Wi5sROh zfXr9!cB?sE{)$Ct=BcZ5vG}ep`PYv>#bXO2`i*D?%&`|!BcAd#x$H{dox$dMnJ;9c zNs9f-Vgyrwq3q_;sp%HYFnEc8ZbSa`-XsY`CcrD-V`YQWM8HVRMAO+7XN?cYli#4#z9MdEg;uf8_67c zVzV3i`?vPCf*qZ$mk)V=`{Ntj5AmMnvSo*`E#F4>X{)cYCM)eq8NSk1$5l|n%B%eB zKRAej=AW6?$x2yfnooe*lY*Q;sukhLA64A%_vy)i$`KnUdhpNFCn&vZ8C8Fu2BT`s|`Xg&v{7;K#G`ZW<-rO)Mpwj|vSl(u=l?CD2sPHv}9`RNy`uRT36F2N0XB0((G4JuV z3`gNmZ>x=h8?~A&z;oG3rirt$?U$wKfI};u4At4p?iUItb7Uc{=kqGrwv&4z<@>E{ z?1xJ+!-ppui3i%`2bEovGTx)~8yELMr#0=-;F+z{-&cd^#OG_Z_S|UBbLYQZFh|^P z8(uE4pIy#_U8|3rhdkvU0V|VCcLlup#vIuZ>1(Uk9ad-ex^%618=@FGqnBf?JV{M- zZ3CH&bHz7HR>rPIM!XDI%Wc2j>+*NpO`Nr*dk9j2uhnxjAROyh$klxwtyJ9B!c<6$ z=99s!6k^JZdaV;LD_Zz7@V;r`$#2NZAGF>QR2nR?PGKQMYWn6l3L4)W(n*55~H+ zQb++DocP6X?|(uy8m2QZZcsJSUdbVSbxdgCAZK>_=60@Dc;ftGT|L)<5VUq*_ijiy zfn$fTXGnN;n&LGXtf6->BZ;rUv}7D z%aZxOvT0+rGS4Q;YNBD$f^YS8k!(UqV2xFfdrWnmN&X2PMt~<62To1F3nQT(W7l5FYM~QOXFP# zPQ~q@{}l7L5>G^wK-&f;*{9U$(v6b8HTWdwnRn8Z8J{`OJc8l4xN>I5xqb3@)hq~j zQAJ>an>+{9#(WB`3~0Gu5<7K>ukvhUc+3MD@5 zF5^TSy)lA|jd0{bBf<#C2ncR9MgYzUtS85Uge`9gOa9tDF{zK-aKoJcJJb{5=tV$V zap)}lzMcLx`Po>y;}R5#iKhL$^eQO!>*}Y{|A-TvmxdjSbyP!P-6oFRcTq@@NB5^k zhuX;>@+L2{yIqLFxzv24eay7kaG~)_6G%IiD~J|=vz8l*GJd__-Om>w7JpMLpPu)W zxTKkIt^d_;_rj><)e?^Qsg>bWX|s2^g4uToMvVpe&Ds^w$7aP{3NUF!7+6f?+Qc;g zU!r>x_+9J@?K>J(Iso#hW?D6d%4xH&XB&s5Q?F9#VriYs)&mdRr6HWrl>K$c-u-2G z{id}^gu>dtl(V0`|oUvCy7VZ^O@!)#G*aP5fs+w71o$zLH?1B^%KEqSbXDb(ka 
z)8g%u!HM)W5yzQU-7#VRZ1|Yc;{lIUGr{^!8JVK9=uuYM<4#J`YOxT1Md}tym}t=v z+Z-IbiY}cu#fIJB`@3@{$>?o;p~1%nWThz=0}cS^)7?_(j!|~L)L|7nHCF?EIG{7R zh5Z0`Z$;aCxsW~2w*Fm)UUMPNYvHU*my&F(To3b#0D4hUTrGrpz(gGtLtxewKVHZ} zyP(;`XShWn`RmpD|NM54p2)tSC(PB4VqeCeWRLB!Zuwf3tEZA88xJSOjn2AL5o2_8^QGg+?C4QsU#jYQGPq9k0=-;e`_Y0h)MD*A4WDP zH&3>qjKA%APL5vvOsne6GqGv?V280nBnSW1*$(5i{FLwmN5q>W%x9DSgtszlm5PVU zVlO8`nb3zl{E9Wq>}tpgYDDjChf&=V1SAJ^>47NBgo_>eCR;BBbGAo^Z#`F##tpIk zdwLB8&Db|&frX<{y*J+PmZOhY5emqgzGr#2{R92#Xdm^0a(*BPcYQ%|G*O)}Z#h#` zB7n{(e3FeX;f6P3ShXU6k$)SGVFEIT9PnNqG#qF{L*8VIZ^r#XKAJG?>gIJorXF`3 z_k2TB4!Ewon|7?_1l%#XAvWW6IGD>``#*0SeCt1{(#j+t9Pq!Ik56mY7<>$GI4nu_ zP!g5saZ4H;J|2&9@Y2P9_jD+2gpxEw{!B}m`$I{@yEx1zn=yt{+z5N0Fk?SGNEt1J zFodF7MSYk)vr&3qrchaz@@=An`9zgOY(7(hXz}vrP7aQKm_u;4y7`vY6Y zg@M&gz0d-oq>_yc$o5TGbQxYeJNZ-b z_ED{?Ow~3k94T4Tmn@sML8w>5Z|mCT{MZrdib9qqjOCOPKrCWMtIqTH%YhYELXloE zc1URi*f#vw0sC(wg}fa$5WI!91EvaPf+K6|L*>K@=g*fGcm5HHD-)uXh#eh78RA+l*3I2F2BEuZ!k=sMG+#y{5slyV^s1N_fwM>~IC z3F`aKrT5%CaPr(aFssE7n=J%aMZ^bf6Qc^_HWH5OC-=If7nmvp{e$=x#ZQ5dNECqg z!60uq^(7el-sHPZ?db}Q?L*zcMs+w-h zUrw@Agjn3>a}0=+w2LPb?~Z?T&g(=pk8{ZF^nB3LdKfP2aF1{Hl(%r`Ok8z3pN~n9 z+g zXklrWVP9&g+B!L{6f{7;?)BR@f9@x~GP(A9emr-C(HL~-zhG#>1txHlzfUjuI0 zn+{$GYfl==o2lYW50DX4TQ}oUhq+_>!$*N4KBER9uE`Mnp!&}^_kKtx^SIi>6gM)c z?hMX2mMg@X69km&iL2Etai={Z2-|ZZh-LqlpduLI3p=9X zhykY_p)lQp;)&vczci&j&kDl|nCW0uapJ~zp|gd${y4=F8>s#8e4cGFhT7^5f0z=y zbHMCN97#wbOuQ`C6X)ALmLmoRlGD@_&#t8BkExto^W<6lPnOmJFWS-hUJIzweZLl2 zp*L(c&QmCbaVB&&0y}u^8>$hV={D^nQf`Mrm}I(W9aoDeHV%cXR_ z+$|+9YruchC(+U8Gc&4Yiy4{?xW2H{u9N?#MWxU6Il)MvPmg+uK&+PAtXqcD>Bg#8 z2J}4m|1@c3riNwMa%`3)Y1O}rup3tT6+I?AG|P(&YCKj>_y_A7;u@=O>(H z9P1%WGtwC@hXkZ)7I2rl`rrPPEpfq`lWKQt5rDmhEo=&ulEN`)^+84|kjaJ;btR`E zSs8(P+iBw<3=HR^3G+WS3jfamezpyL&}2f~Pcm3G?}L?q4Nkm&UyD$q%~KIEE(&R? 
z;IvQ-e$9apuZJHwCnU`;+xbNW^p&38Wg}{~_x^fDN5rh??a(cU%8$Y#Ipp0^V9n6V z8W44GTeqJLjjH|=Vf-S&yx#>cgVBK6N9R)spt;k2agf8eJF|RtT*BM^J~SX|bQbW5 z)ms`wz2;GSHVsk|>YC+D8ixt$vMQ6DRghC_9S1qDJl|N4ZN=_=iOd z>i@)rBI2SV&F`^6vxwOn8Ll_nzMkZ}Qt-%r4Xk_ao`N_#yV(XZLi~f~Xk z1gRjb(E5NuCHznGhKz1RgueQnK#yuub4N6)YBwX$1Yad{HUJII)LEp|gzBnt)l;Li z<1za9CJH8W4F28u7a2d;Pj3B*$X%15z3L6zj?h@lFc%EjRIe6S;R$zg88Tv_7Qqp7 zyZ~x>jBrZNl!tFa`NARYK=A+6SZ%S9ZFV1J{L1r=K$l{7z&E=5{({)Bq7%^52`oP% z#f&^O`_Y4+gL@KN5kBs|35WBi+~f46X`A|~up9Sb{(ACv3b_6Da-}}=f)n{(xJ0Z< zu;!=epw=A38h}AGTDGIz>Hxiiwv!2!;}QlV*1zgLWNdUI?Dg-Hx>R~rClF>;yK5;h zq^0YDLVSr(xW(JKcdoqk8@H@}%nSV=Czj%_m|2OL%XTa*#Z1%kUo;KyEkB+dTJDit zlACsOe-@5KTUvBbf=u2|juOY3sfo9d_wAxF6#vg-TI?O^^~HTOs)#|rxptA@du_9A zgYWaUW9LKq^VD3e`EtaASxfpiJKm0c``cY6+O$!gXNgK&XJq0(Q8i<)0Ti~ZNcxj* z6>P)I@?k<+6mv|Gc?$AV#|>wCav(!Qz#SIA&vIQG^b?KVsJE}iLQ!Ci1Y%7RUx%Fu zi8Y(AqKTTbFq zVz8ZaN#2V{`gDG#fudJO(yb%born=CAqcae$Z0wiO4|u8N^O{oU1NN_xMjq@jr$oz5!QIsheKH@w zxy)i*q8eO?QtBv#aPoo&J{Jq62$!TfX`!QJ!FMmb*%}!?ybAQ03!u+DCXzk#qhcG= zXU1&0IlqZWa%akZ*uJGd3cbkod3Qyw$vnZkM*pwW*n>U{Nf(1eS2vDSMIKEk`oM?# zwDwAT7R?n0eMWvE-#j8gnm+8WHiMT4bOPL`ux{nMj$G>|wINDYS^qgrQ_-g(`0%Tb?-&F0 zsyrjfx=Y~KVW}GHJX<)IWS%GHxwSR(hsN?xaUGR>UFy{6X8{bMCAERm?N}t;rpjav zP*>Pl)Va5}Hk=oQaPZ6ZT=C00rOlSm9%k7;Qqg?=L}V*y1{xGyb@C03Z6K$J#= zGeJ!gr%7746l#iZ=n$RL!d!!Sp-+HB*v+2{G?T?5SY~J?x5}V|&`fBwRCC-4m=g&< zZ?Q`pv68D--TE?M{(-cH2F(QsZDCcc z5T{PIGG$%vdEtue<)Dx~2<{t*8>{3$vT;0mv>uum<9p&=RwO~q>oguu=RN?3hz0J& z(I3xWs8vOIx_|4{^Wm)D7DwN$8#?E+lbN#%S(^Ln^lHmqrNub4-jZ zJ)dWTRLCDE)(Cp&@9eG-v68wYV%IJdkEULh0CiGagey$Wy)0&2%d-~mOYG?ZolL@B z3l;MZlE1`p^KVzT&rFl5W6vb+Y*~og3VV4^-6Q}z?n94*inLliVDA!z1+0I4dKJb9 zVt7I^{6=ED2px&#lr^HdC4`I$MFc6d#PnRs!wa;<1I zdQNuGs6I!4saD-AMjGQe77(8_Yg-QSVQ>9XC~wI|Y-_5r8gPEj&-o;Nkl1Iq28}(P zTIT&{6|#_$S_nwZ`N617_sJvf2-Bvpj?^<)kQ~*`#r71839h!1c-vZ=1tgWd?Zos) z5Y>=7g34UH8FW%wcR%&*l=}1;hIFu*g#V7T?C z7Q7C316N=sAT{j=BTb}?-78M)Z(bue{um;Mk_;n+)L=GEOqmgQmM8j8f!P~ca5fQ| z_M^)&)80r=+_Q1N3SG`r+muTD5fOECeA#FCtW9^@6iNj*gfIj 
z*^t3rH`b84q~wM_@EVlRRFYEQJKh0*=8ujzQ61XZG`%2jA55&&jpl&!NS? z)=k!b+gJQLz4bIW+jv+YLJK@MoVJvGptFN!p^y4-mtvOP>cNADPy(yK!wPTKmf@&R zyRU~c&|nqMMWq~c|F?JwyA)&%t<%HSp2hEG){&0RZ0fFD#cvR@qy+3gB@WY<8O6bkD=hFFzdv@UegE`2G;RBf$!aL)irEaFKx#;Lo zbx@g6740=*t!M6`$(X8V!z%zm@GS=OUNS9$Su|+dEx=XG0n8NlSwS`t?)`ff3z>bh zs%3{H;HE%FgXOXG*1t+WxLEdoNNofHdZMG1q!)Sw{6Qk2x{Odl32ZB%&?mL%v3Of# zC(sjbuJQ{YwB<)fXrsNsRgh8n6ITcI8duRiX;Fg7z6Po~qq5Nx{FGMP4TC5-?#`a{ z;oDJ*a_!XW`YO5!zR4X>KLJ+)epy|a9n!sWd?X0YI5iqEAo6ZXLvbp zT&Vs?vgavi=Ek{ZeHiEpy0QRXwZ-9}Kaz`c*OuGo8az>FH2;Q&B4;9%(C1H)?1rZx zsBGtwM-b7$VYyct89Kl2emlX@Ae9`!D#>0;tG_txM;VTy&|6@2=gSG|Mwb_&yLgg3 zH*obnzc0x;PtFlKO-u#Q!S_EEXV-l&91ZxcX4S+yk9*ByG-W+2EYXH1ki+fbR?oV6 z>B70sioX}uH1X4PK9%t`*E--Agn?R{@C7l2YeM%*!iB!}BnO4Ip}9ou3Is?KZr8~> zY{}H3>JLHw$8byD2@?&GyCNF(v__Wh=bFn9`1fiwT%dN^2oGBC_XaGwEtO{*a&OaM z)b>w11)r8#igWNL=Nq-)1+)mS8a<0Qn?xp#cU~Z)V_hrmjH3N18oN9Us+?TJ#^ZRl z#C5nEC^7+lnq=tmCwSH4DdM-Qsgg@~ZXxk|lUL zPf;!&XT>%9jo#NQEi1=Dy)?6^MnrO(3`i$$80Fu0HqvLb$tJ=v=!%c&+t#F>s^kIg{&eWPk0|iXy9qw95g+7N9ah zDo!$Akw#PWnnC`Z*s+J-q1KI(aDsmApZA<+JboqlvJ8)h=&OwMs+ zO$!lK&kfVW-?@Ded1-SeyZ=edj^TXU+>WzEPtDMQZ{$2caNrk~HzZJCMML+_1t{*4%K*X=O=4CW43i|WSp_NS(n0YV;xU5-VP9IN?FbLY25_c@CeS(~4_ zxOI3L6})%zQ5kHcBP5-!d2Se{|HKBwFMYrbt#J6rC?JxAyVbEwl^Pe##sl_;bXlg< zbtRYhR{8^hEujQa2r7tudK%agVHXYVfIKVxCF*;t@{bUx zkHZ71_W4mqGkCiik@W9-Jk;hb&qm*M{VBUI;V^wcH2zK)@V+Juezhh4VDC%>g)&Sy zZtjX)0$U$xg|#0B;lH;>PL0IKIuLMZDD$KUC9)TLm7{-N9 z$Q&&V2*~DPgIM)^WJh5Rt+A#<^rLHFuy`Etl&aQJ^u5fQ;}UoX;w9^zg^lQj(dReLefYt^jK;E23?M!rW*RD5-aJwyP}X=xpF zt8Y$F&X*lMnphCaT=(tVOC*WY=dEISjp%@~8pOGEq?djciDe@^TzN6BcU$tXOBZM@ z$}WFigh#%34oL*^^X=!ah^p78Ku4|> z>?sqqgGMuIp@o+da`;T`@e<{$;>5u1a^I%J@+C)HT!Sa&NlULnCAY%W%Sk0=Iy;`%P}Iq<^B?BLR5t}5w7@+N@XkjLe8hCBMLN*=@?KJ%E-0I zHrv&}k;Qf^iO+&$vh$D=ZSfy46l(sB(S=y*Iaz^=)6x2nb51s?jS=M*P1UY80d5nZujR6c2d*1@`@FA4I^YxVOG z5mDBIAVFRmz7zT0MtI#C?ix{P9HE{!~!j!^>UGgbN*pUh@6 zDy>N9zmF+Qb_czOvs^;D!e>UR+vB=6YhPIdY9gTDvYflb^1l{r)_{g`VS`yo|M-%- 
z$tjuk8!?L2-7P7((aHNvLHLWunNZpgZ84Dg{>^aKLg2k@gub8`@L-&tvgMK`GUs}?U5(Uf*4st70zyouve1@b*) zRQ#ONQlLqdElfYmy)6lxx9@MznGEi6@QVLo!=?E2W$L%0XF};wy;;i-cYDhr_w03?zUsPCUuGv2xOl$BIL<)c(Xm@GvMQ-d z9@ikZJDNUf*t<_!wGC{NA780_tC6Xmr2Jsa1k&kM!$kDxta8UCk5C~zr|d-w*(WnRgqS z9Rm#Hl01($wgcJDKB_PTs5UhMhbh)BpkEPDJ$)MzliyIN?cz;m)cM0ptrgCYk<%}G zMyI{eXa4!g)A)xz=7d}nCqeAzgqXR}=bz8NWY@=YDkZi0+m)kdgef&Rr;ykLoSy0j zj>Tkkuc*t77VQ5yx?pg6d)+)`3>&te;Z4{T8Ko`|P2KY;US)mdEjU$mX4TpY7Dhg;BiO0nvoJH9GxDNwRV!6;{WTikdj5tOHM)M#Y_#W*Cs$NsL$V6g&G_pZPNLi(-^d6k-EVPv(!;7ac$BX7TEcZZ z&It0%_s;=oqZe8aw)^kaC+jI){Q$g9WB*Ly2Tlt9;`=?kB?}29*cwpx-2|)aLRv%cBfEH*4aR>df;K%a>|4@~ z2s@1GxH6fIeRu$;t7~)D{MEU2)rUBt>pD$o~8jWf+`}_xE>#@3=f9*shYA6m~62>nN9J~)jPZxJbAo`&BNQae!XAq_=sArk_;0W z=&Sa~lUaU(UH}&-c57}18~xZ3v`n|k+DXAc;#l& zF?z)5gJS6kWK__rj}%Du_GCun#8;KkvWt8Rq?Orax0XiXi7|TKD37f%#Gu#}$ezuk z<}(>DXb^&t+D!7iaQW`SHVxoOvQymSt#n)%<}TUOtIZKaF@6dHWY%ACxlx?1Q8Nxd z)82ZfsXG-48Wi})*=LWZ3g2~Ecr_Mw=-1!3Em^ZYA<}CFa)j78N9}3W7cW?5OeI(G z7HoUEmCW0_0q1_3IxU?yKRMRj&ijlAZ?-3V0N%L}W2{E_ooe~$B{sE*K0D>Po zzTKTl)4b-o6dXlKsDcEf0QI3QPC4N;Ihi{jsf=KCBZWG%*apPxx+#x(0iR-$|2&$M z6klF)FuaJQBIB6!Za=Om=Nw*Ctx`2Gup@AVO5)xqeX62P5zdxp*=jznb~Q<<;fb{O zwoOnMP+O3$|B<~tg9jc;DmII}Q{3yYJC~E!av6AK`S2_2w0M6JduXMjnT@M?kHCqG z8oiQLbdl^!bfKfsn0xu$zO(_tnO*AUE&E<>Q{}O`>e;C1D-v$Oxsr$4%S8%^G-q6# zp`62YE=S_=2dK-VXpt*r7@6S}y2QRqG~k8)Z)Y7mEb6XgOT-&ex=*#xgRb<6$E&@_ z?fh=B&Vy5($5y-8Vfk+B&NZ)$>%~#rAP)L7~R1H-{FUfiTaqnl=^ECjR-96SL0@UD#!FEmEAG`_r4c;2V)M zWiujo@2p+B#tm6vQx1^wvM3No;h}ui#B6`)W9CdD9miefI2+>guZo9c@OCfiQa0-| za`^=gNfWQ?!6T;K(gN;uw-(>EG@FXzPGXl_Qx?gyQ3yCk1#az6TzB2M#6sg*h1dxa z^whl`WD5gpMgP8RGy`S4t`eo597VE`cq}DJP{f2tLV1)6PN;~m!&gy`E<^y4fzn@7 zMT-`JOr-=eRZH{}2L&jC-Wq-t1tP%t(bGW8+vByY-&aqsrPv0gi$AsUlKtKWwDK(x ze|Ifet{5+sf7)< zXkU?pM1t63Tm!IKhO!W)6&t}snmj`F{*rSYxLs0%;ku+CZ|%4VOm52gqZq@cfrD?T z3j9d^`D-a}>5ZdFU)$bPfS%DpRCjH!@sr`@quFqIA=OOjXcK_a9Sd!E$GFwSb>?OE zmi|g)S+NmfU%w(yyG-+=lYUz8Bk8xs<58wA)1lg(OVWUN&=!L9BNavQp0`B&z_uJ0 
zBNUgsp&r2!;YjLt)(E5xX&9^g(Sx+o>qcKxLF66VHfUUgWBX04ju47hG{b3e0Lb7}nWs6Fm9!D|QW?GV6cm)NZDia$=PTW7T8*S|V?yy{B`Xg)!G~Zve_Y(6(oy&VP)*+%XQ^4Cn0Xw2$(8drI=b{L%SRvLJBSz#6qo0j+;t1qU%jU zdE1|BM9>#sizK0_jyq^P7${i&Cav}D#W-~x<4=`O)gNg4&}L2_V%(~z^De}X)YGnt z&-gr4oT0nNKN5Bq_O%zqrDC-JLsx>~M;zlj#W+KLoa0He^l{`$jdJOGj zL!mZ=#^i-Uq|)ez3lUt3|Ol2Z>GXYz{Ls0_1mZo)aHDhIa075!<95$`*Qbk)w{U3 zT0B=9%y;JnW&O|@?KM%E#ac5r9c|s=kde6CkxGAD(<0{&X^tAyM8vD$5KVqbP`1n- zo`Pk6h>`xbADe0mn*bT~0A$dcyZS z`pnW>x@X_BQm^>qdWwrgC%!w}c5%%0%;2Z+8dNwo*;RNG{}FtOgH?vvo^~jJS6ebE zhBRp90F7X%^D(|kVCssqHe34SAe0nX&3`f1sPENeR`8dO-RF;MMo&vaIX$Qz1rzZQjiP>(v)9~B0zwg}Z z{BrwZsS7Xc%zh>ZOnJwH6vKp-U7gVHrYB1u+edgJnU!Vz7Z)NK`jkuR=HG$$`6ySC z6hOLst+|m@^$;177VFUIud=GkUx||`yQvAz-j@;TdA@Z)1;2>=R&XWq3@+V2z5O;b zi{nsv!NrOAkWjvxf|#6R{|hkx(VN+Ci3$jpeBuvG4_?y3zfQX`96Mb(zg_aKAep?2 z71hG(;Tu;tf`xz0%5c#P+;RHOZfz?PrZb2dVjW@_(HE527<>XAdDXIEi&dYU?IvMh6j;@vQ2n2A7U>m zuC!`n-9p=;X#4bS&#Y^b289rr8IS9wOU2+9gKyK8JVX(o3(XuuTJyV5Q0{K$MG)3- zQ2vxstu=h*DX5x75MU^cY{>cZ{0Zg+26B`MDMJb@YE!;^ZZu<{d>gl?j!22J9gz}* zCsym8i%?Xrhg~iXh^_b_JGmoEAMbCb&yRlFw7xTn=mpTq%pGNN58a^mTL#k<#E&e3 zw9M;##&ZL!(H&wMrPXeHX_Mt2@`3b9`Om3qIM+Zaguq$7w4IwU;!4)=L-+5!3+ zHU@j6BCqfFjVSKfJ^=>+BCJZ)KfVZ2j5=7W@1&D2sfVx*p-y6e8L+P=>9PKWJlLX^ zN{&RVf6!q>S4S4*!6i zXZC~>(S`h*MkAr9-yrrLKH}HKa7gNkj7o-1zQ~)JMi_~W{evRO_W7%gb*m!m zdof)5+Ew>6MVY4lN=)OjrYK#ajqtCpog%CsFsg^>_2U_WloLjCl}IG=95h3})<+k` zx)8^(TlkQVErIU@fu8v5LP|tEl&y&Ry|Y&=1(y&NAXu+*=~>G&;ljq_!Ynv38UI0$ z>~ZBYcP;QE*R~_dUP+Vl#-;7vsPezfh|qS*YJN1my24lViJ)_M1U}hovxuq7i~ea6 z7^SlEs4S>-{~>M?pGrTZrMC9BIM3pzS=D2j)n>b9m`55C z`5eh_c=!~Ose}Cm9>RCqQPlypmQSDCGe+0!nKMq6k7jv`3%x1N@NL_Ma-Y!Fk*tIHR(VAAlu%P{h_bd1Ku&oVSeO%N?bI-+Kd5aZa_Tb=JSY@JT~!B z(4QHv(L<(?g5((kO$9bi^ym&asDy(?Ykqp#GttNMH=zEQ#SFc;&l0caF-~QK%T=6+ zkfVb#((MTTu70MZ2~L0|fYhaS(Y9fbE&xa2Nm7C8PSr&nUuS&HeXZi4>8t~Fv;h~X zAp>44430W^sW0p{@w0Zz2Npw5=HP|EG|YX35yT>KFhR{oos-noRMHVo8y$E+O4}mc z>+2UlZR=t70U6=oOJmCpQA*NN0!$A9YZY1D!G6@PKUOMb(Lj zGX@9`$UZ9SX-@8kzQ5C`y)pQaurc= 
z7Z&yz+iet^(DzmBi4`!w2or4tBa|?229gyJ`Q%B~&36l+1fTKQ#UIHVU>I8+cc^j# z5isAzt_&xrIT1m?R2?6dld4FtC@=^?3USf&-~{m9sGiG<^zo#J6i)I!on*B$tsq!E zx8r_VKJT5{ntj$qhd$8OZ0x0vnOr;uTR1tYpDg$^kvD{oGK;FN)%NM2yw$7 zOf3_mu#}^l2=k2F(F^sO{sm#7;S)tCBBp;Z!`TRaIB0J^Q7D65g9^Vry3aK)>W3^{ z)tE|mt4>2+zw|p*n%R?kXfHNHES1a053j6bF?+Gn(Kz*P_T~4lpUbU_rV15Yy@E_> zs&T3bi45<1+ld_u*j`?x3dd3-d}@QcQUP8eK-Ub`IBZHPXhd{-Z2qNQpUXn^mZekB z18<m>f2(AsQM6=3;A;unpVH}QTs2y|Kz!YqG+WuyIbyS;^IsDl=3aGUU%mr?S^@TY?6m5pO)IH%uLV@* zwDJW#b}9}SCkhU7FrIE0A5H{UcX8|jiD1o0df}YFq!NoQ!q2Oa3K59JZ-FrY`ya9U za0KFtjKtBsCiM!J@YdNgms{i5tVs`5W^t~h5u-YMg91}Q<8v8Rdaexe^NoW-;7DXl zMeX zAlYxrFhJh74TUAEkH;l;7q2D{U0pKYJ`nZE7ZXFloY;XK?<~NoIz1z{{HVU=QJ+KM z4w#c&1{1e^#Xsn{Fqc>7>o%J~9?ho3ozKTF!cy19u_MYM68H%{zg<$6M6l&4=%0Vi zJiZm~OGCZ7ZVRHK07rqJZ2(dYaTGxVe~;RP84-B69RE~zIG8TKc9nLoWQ! zDnapF>!yid@}A!EcALi*o?SBR88(A_Wmy(=X5kHE&S!jj*L)azudl8U@>~s0ddQeH&h8A;wk4|uS>}5YM zZ7=R!e?5l6&)>>_zvunX+og5;(6dOTb*Tff2qR24go!7Fd+IREx_Qu8c}jKnblUa1 z-?899+ujJ^t16(2)2;9CG~r)9;AmsWpnq*>`kOF zTP?YuK`$Os7?#0O8*1+ekVc=$=Tg%#-W{1nO#VHnR|YSeb)K{zyfdl)pn$62L_1bZ>AooM`*hw z7i1I_LRh9T*&wmUI9A)&Jp1scKN4@G>VML*5hnewm)H!{nmjrNcwRaFRGcGQ>cVW? 
z$sgxi;9H%0_rY$aP7ZJC7EPMj_6z$}o4CnjFjjAEO~#zp7Ws?Yx%R#-O~T6WL5H=k zU~Avv?{1%ELKaSfbL?}w@f<5cdi}bX)^}=JNslYsPEasQ#dBysQo5Qcn>}d5Y7c|D z6TPA&;)a6>VK4xCM9-^#v>pQQ0|AysmLGA_5frIu*_KD_vc4_BLaSgiSVbwU0t(re z4N)N355{+Xh62m~09;BPIMEPkC!!H>_Ntq|n$HM`>QO10LUyUZca`VAFuU~S5?E52 zq-_1X+rPLEECZEoLDG&$Tdxx)rsT}n&T;g)1KEiXMZSVFD$Qu8deM|z&@rnnu`_x` zXx@XBxFp1uhrXozL%FUiXPE&@_)dknEvc}DAJrws39#*y$L`0DXEGv%}m}Pme zg>uiH6JT27r1rR)Izh!lx|1533xAMa4&xQoHa^CZFm;S!6!PtT^H#k7JGW%cYhRXeeb%mNMU z27M>)U19q=d<(xRUeRpP>`&EvFIzq4iDUhyz|U9emB-6MT(_woU=YL7=dc?KZb;$G0qkF8%dmyi-{Bb>3 zD!>(<;;1y})MSy;MR~2vB2{}g zMBgtf7MfQ%Y|yV#hhyQe51@P_4E`x(i@^Gr89@)tk5DGInf!J$`ERyZ)=Xf)j=t0IFpj;;r0fcNLE?RtTVR%bWcapEvy z>C5BRo+l>xeLw7%E z;wKgJ1FI)_irR$BJCJ-O&(;otb9Y?j-%HaRi%F-Vz>dqDFe$AvGU&@gW&l(j+Y;?6v z9IilcK!B*@5O<3OxarOPJ>I8Xq)gU^XfCjH|0o!?;(|qxLD;Kche(3gbJkPP`yZS$ zmwC%A*v(hxTLKeg{}k{I8oaxD`HJu}mcW)eh2gZgd|oz83?c2-jK@yZ4}`ZfYmigJ z2-3Dh5a2-ez7}{UhEtqLzbc&a7%NfUmpb)G`P>3MV=oVuI^{}4PJbDugbPI&acwp+-bi-3G3xr?zw8@NhoY3&uwAuMoL1zZ0LIrp8Ty2M*0YKBy zfxE~-6gz;1WGqLXVt1Hc6fg2)f(&2tFOP|I+7>Wn=*vUYr0dNN`ld`(XFJ|ky^~{q znyfcRrq8DPQXW%3j}WqaMG9--W8(G5IPsz)zt#-Yff>X8TT!&&oP$I|ov1`&j5mQMv1&;b<`>aXXH%1`vg(NQ7^BQO)f*R;fH zt@e07a*ltPW_hzFH+zmn2=*ikNNiDhQ!=jpe$W3|6IRuJpqd|d?mnq%5jdTR3?wYZ zT)(|wqxouX#j{{`BZgZ*u}T$JBfWH@aO0|RM^UIf&YQGVu(L{?G;YH8FwO zKj1+KDg%D!)&C|n@39nJZFc!k#kSJid~GWF4IY<kZ?gKp3e@W@+P54L6x`$~04em_hBeZeQe`L-;QZzi>r^jdGW z%_G5>Wa$k*z^cG&Ah{4V2dUu{mhPg$!u@5 zw#DwBa_@xBJs;!5jTQ?%H?(GF)$}Z$Q)(7kJUd!kTsU|qP9AHJUxY@|S_4?WKMDPa zfHK%KDbFbRIKGwi_Sw(8@!z5rt9!Kz;$$HJOmDD#B0wg6%nJ?6s zxu#ez?)bV*40-&<2QHh&2Xb`au(Jg+eA#yVP<4~}xqVP|*eF%J#{zT7+7Ue7=~u3= zm1wT4`%#!P%@x6V7(|Z(!}CLA7}3@;nxhLaOG|%MS92a#SBp#$8>mIzN%x`|Y)*Yh zWYknw&yTKN$*6wDKnX0{pSdSe`xRGO)WlguzeX8G2?3 z$p@y*)b(?>9y@jGxLjC(cuv^Z-fBE~2tZ*9g^YDhV+AOn`> z&^I%)coE(!SKdbhdaRm^Y2H+ru_)olWV07v)nj+EU#hsn8f3XvzIM#+Bmj7K)uY|j z6ziQ%fWK9`)9_|MzPAmYutNPZT(8BzZD!4?QX9DSA1hh~Zn31>SC_d>2zr+9co9U3 zap`!kA3tv@!67X74UZcdj2}Rj-G@l^&PBZYH9W9Ut@}xLt-Dfz;3+ 
z0qDI=qZ`v1`9H9}btZlSRE{17DYD!=B!SNHsJ7%VTv)jlq-pH1&i$a==;S8)+p&Ll zf)^4tZ_F@y?R|d8Kp^KVmsEbps}<^4>pZ_1Ne}G2hI*B{6Af%BKdJ^v0XKU}A;l>xA7<1WVMngtjs!~lRF|r=+dMFcu&v48&`jp+_>$h_jnnN z7Ti~5`sy3IOs_@H{c(4u_rhGK2q5j)o#o6{&z8=w8o0K>dEJ_5z-M@AS&XBX-%_RK z2tO?ht(eXF-X+FEw6=22A`smv{vfMJff;oN`)FHHqgv7C!)esuz9vGi-r*jjP?{uHFU;f#Dj}-`}dY3)kjVPYn0OsYw^2O()IX`lWU3>%=zNV zyYpcZ6I9F$JM&CB`2xy8V^4d=LQ%E6cWtH#S5jJinsX$xT3)48h|5jMcxgB%^gWzx zN3T+)UCIwu4K&zT$KD@pIV8L-k$~trcR&z8m2#e)iaDL@Qnv)$InC8&j+=h&rZOiI)6KNvx$Ki5yjIXIQUzbS=Rao}@EWBeDV;5~A$T&Ky7$rM^4=)Bl!J zYXMK|GeZ%o+W0*>@>ntS4YfQo_4!YlKu))yY+#=kL;F9bt~xHN?`cbScXtR#$I>0rNDD08-O|z}UD72jUDAy- zNOyO4$Ght9i|^li_cL?m%$a%SnK}3FAm{x&ag(sZ;f-HkKgD@XO5F7@J`JWFx+kCg z++R{3fhU_dvIMhk9yDR)2gP#>rLror`iU6$CR}V-Der~Osm)t&+B)2-4>elbBV(86 z66KTV2Ot72)JVVH%IWZcuYd4@q`NDW2Ftt7J<6asW3M*VnQS8Zj6t1&p~5s%m6vAM z)l`0`o_%u`?yj>BT_no2eB}ND`8D+-%72!>ro)nuA7_Qzn5tkg!jrF6&<5BMIbSQU z{N3jh4M~)+z)y@KFo7?`MK?zeO7AfqzzG!{GocC_09o7XpHpPsSa3(lAir;!P`Q31 zOc(5MOaq26$Q}{CsGzgbinq1?8UJ=ve$3-T_JC)SaV#PjR` z%c&n_a^uep%uGz_kJ;(hQ3T}*&n{KW$}HQT^sC;M^fVSi>FKxvwnn15XLrw{nv#&4VnmTc}L@8!FYPNsQAGwaS z1(V72KfFn?b{(v4`QXJ*>*gskmnsZ)=hi-wMcV{KZWPeDE_O3_IlXFH1YD?|WG?N% zv*7H58bIg*LE7SeW#LCa)(j&4!^vx8+O+>a}L&?SUTW>&~BQULucuvOc_E*HI+0I z5vxjXS&X#$kDB5bN8ob)LkCJeiyM$j)qsw-Pb_$q;k!|p%gi1=vXd9$?-H&p1!dE80_}I^SdSLlHVl~V7S2py-FG3%k&{MC-AHl*EY%z zaNP=sgjXj@^%j4rBR#Zr9<8c}Tt?%X-5GAm=X3p%-jPU|7hS*151&Y76t?XwQ$F5; za)e;iXs6(IMH&n!(kVb^9fRe4f3$u{{m)^e`Q0b@!MbWY1_&0w$ELpz`E`;#& z8nBrzMD0q>U*A6&58whpug-59v^bX9D>6t&{ z2x!n-a2NeCD;0B`)Mm&8NQqPp?-1fJinkf8(L=uy!EYJKu3S0A3=j;F{tGLZ`Mt;Z z!%5N%aB~dCnH6lmE-{PolYG8eQnlz2)U%%w*oJ0={=QYS7~nl#y_%mo+2*SxThT!> zf~D)TgMw7T#WXtSNA|HWf6CuN?{3)Fbc_rm9cSsG<%j(k%zoxQDhf>8iHj}xX|G4M zL!}o%BauJnw?&NnX57Uakd0j40$6qh!f~DK4aRyxg_B63*MOpHJ#S^g+YN;?BpKeB zLWOrSe`zKi@FLm!U}u1u@W1FD(HKw6vYR1}D8Kh11Lv)cbl0H{JRaxBvCy{}To0{s z!g^DNhftSUUgTPc!jx$nGl!+G9VA@_GYfb2pNmwpLRk@wx+LDc5fckm#=X4VfTipu5LtYBpK{k)qrU%y%sWUDmlI@qj%dFy0NZM 
zs2$#CzhQ2h;3r})j%lf5ZkzIW9s`p4?w5GUfNqI5Z17jL%+DTLf8`9E6}mq;;N)xD zcM#X?sC=$mAmWd88_aQCrD=QLF!nAsP7DgEb}w7(1)pFX!Z2$;3hkaF$3rj8+c{Ib zEhWsFpIN>QnQG8vCoGA6t%rdzFzt@YdjuVL%W&y1GQo$ufya8$wWt1CcJ2FmT$XrX zKk?+jcmp>(-Xc}sw2SfA5##106*j3?m??YmLPnTToD>Isbx55M^3(-%s3!GABR4Kr zd{}hdL0UTdiGlnWDybOPd;BABcyEdLq&QTALeM1P>%)FoV~cEBo zTq4FBP`i=L{SaK9M{9doPdE)`u?bOzFLIeIsY(EG`oK$U-0yA_-0EZ33f`1=Y~DxW z<7->=7@w7F1@nEkBK{t`1Ud=SjpmRHDZM0JIR}RJ^?i;R7nCqlkd8tGcpnKMv~glB zNI(;|5lbg}-Kpg1-Dqf1`a!vUtfCw>+};6pixT&c*HcM6n$guog8mWlH>lVdox0!F zx?+3t>l;nviTNTS0KG|bhEHMS`O?-(W`IRlVoU`5%j3ta+vkW6H$bN zJ!~=TX%vV@^mZ<1IJr~4VNQHDqSc(f=S%PD#2P}$64Z1f^XHdTyU&OwLSWj|o|w=4 z1i*}xM)+U(^7I}B{)Q1MP#G)kshyM_m(!us;^9#qSv3C*cL`pl43J!>aM19)xK;h%p2*}|42yOY&6E3ag zgI)OGsGYVmhu`+aom)JFK(FXtA{KUO(*JtS=d8IK9ssq+ps)Q2ZZIzE^oeg^qdP^e zSH+5hUEU@4FFV2N6m@vbDDDDMFzDI8&!#woB%qq7y(|pg@{X5*a+7Df>7#w$d%>4t zqBN3X4()o}FZFU{KhM{Xd-ux1hDeqMHXZs^!VIV3$s@W8TSQ$qn9I5Fw#Dhw3CxR| zLdSQSnht<-OQMWPe6l2Yha|H%78L5oNXnYbt|2S-4zm<}Ym^G=|Fq z75KKXyisActm+(&w8V+!k#qmUE-@<}n-#7CRrkInz)RUCK@37~_ohP|n&Q1L_iKX$ zcX~@1(skP?ZaO}y0{jOp%TddgyOVolqAmSnZ|8p#Cp>t;^8AE6SFpR7(BqRg@QG#c z%t@(i8I+6{8>+N925Or{90bLnN{Nw>NBn=4QW>$+e)_13z_9kHk$mPdV^c$j1t~+v z$(00=RgH(kf(8Aw1vZ0v-O*abayskd1A$j#E)(NZ6GH@IIN*ac2g0COF}!>YK60A- zC^$$u;L2`wlH#*6+K3bNIOuv7HY|5QUKvWV6hCekJaE?08^p4xb@?i*{AF3x4!{bQ z@3eO&zF*5OU+x`MX&pInTvM*Dwz-tZjA;0*_NW6$0&SeNV7`1Oa`2?F%)ui=(R>U}TLXfUQ!k8Gt8!T$7< zbngA}xh62+8Z#i@pajYO3s%BkP6^2ax5QQ8-90;jK%9XW$m*PYIuT1jBx{_l^C!Pt zi-!0S?bb~zft78$yag8-O9DifXB*`tQ&Rn0_cmq3ENE=&WE4dOg2ui5Z)pGQMG6{> z5I^CYE7&(GkOHn48C5x#o0n|w)EJ^1lX{FZKEZ?Q%-QaF0N#YX9ww7Ru&m{~w5^Gu zTiNFekS$VU!n#9lkr_=$pzGnd3|?B6y^c<^iuoU=zHhuR3mcKO;ZMR{wqJwQ1*+`n z8lU~7uJyo-qJJ+i3>PIIMD^Dcxd4W}wTf?&?XlV+Z$7`Tqr=FA@}`3sqP)@AOigstgsCD%midRfBt0s=xeCPHvPTKTC3u3YK}=PgTs}XhAs8BLtIg)LL|bUc$Ju~>`6e~NCkd`a`Bv|R_MOm{IF`Y1dp|>-CA-{;;ywTI)ML4WCAC?w&t7wf3zSG-=L2F}Yt8i`+FK1F#Knk@=_PEdB0`RO+vnRWa&KUr6Cu55AZvs5?#Ik) z(hS09%n>ylKeq>WxUrpZb;{~b=8_f+eu7oluMe@Uk)!S#n+DO8wJ4o%tQ2$iq<*B~ 
zB1~{CQe`xLnv5?H!tK(!6`JUfK*9uJAojHYEKT3*vMW%|Js^`6{D2Dk{=56~H^QbI zKj&eTs61v05QD%Dz#S#45#DheJCZ7flOLy(h;`_r+t+AFHh^yzot1gmGtnr_j1TfI zY zzR8Rbt-(&`hKOd>IN9~YQC(vvXth4Jm>cbQH0p9%Sim(4%U__6J8FU?rf`^9?m_gy z@MjFVr%Knrx{Gt;sNr{{kUKPz?MamHl}eO1q2>1;ZMNGGbD?C|tPX*Kib_5NdSW+r z$_MHkWuWo{EOe)XZaBBE{l8-)2FSzrFxi zP$=JZbN7Yj&{8y%4H|0(OuJ`eD8cP}2GH#J$%Y>8Yw4s}1ru~f*>=S)BY*+JTf*%k zgH9E-@tnwowCFVn%>!-s<|MhcbC3J8Hs>RN?)wdxnEg*KRmbw`ebv-*3yd|7(oTjc z9Wkz&WlO1UD?dY2fwct)QH*VUZUNut_*fW% z=jUW+2%*Xc#HaFGT0Ye)!-@2g5L(6ZL|4^k%6(Jf(&vbH@lrqH&@C`QS!$8}#0C0< zD3|8Erb_*mLo@T+RE7s`W$0wvRVkvYEx=TRoW$|i?@(In*tKDL4}jXiz$8?FXQCTV zyCY5tPhn=#1om;rr`XM)1fKkaV_j)~3;4GSi|&|dKG@dR2R~0v`CqIUx6H2}R1(39 zm*d>(`z4<4=axIrww5h#ABUS6T1e`0% zl$&0})g+SQNTM^8>s2k*4^f{kM#%@MaYGAlYGMi{^d-m#t|BH2ePv30ua>>p8nftN z3d=>T*6^p(ksotx14DcWAt?)0-!$BR(kNqeItpmLn*yj$Spcxo zScO11PC91bUs6*zg8T+VU6YS=-2qT`F!;0yM`CMEO&H`%sSrLenKbYsXvPNU6P9ki z;9Tc|lkBX$9@)MSe&P|qaNblsv7F@ziEsFUcrmm$tx5973tBDeWlQyYo#wPj#U<+d zX8J~=*4%eVI0VRh6siFeE^y1u6$J3XD}~qV8}mk&NWZOP<1RnFIO?_s zkBt-kD1qr^?X zavt;XzLVCN!9-h?kzVUqhRNJtkJW|c zaMVzrXCEcI#tw@C7`Hcmd{tOAaQk>~-;aQO+wiEM63_5t(%LsqS>VXoMW3)i(klI)Acy-*!WX0M#dcTmXY?KdGI%wmll7JwAOx;Ksup)}4T z*kK4EV@~-g3hirakP*fzcD{KF5DI)1eZ2>!@~jEU;IqLX-}D0c=5_Wd0e`XQ{o3#X z=ZYEfTOnsiw)9?{Td>n8!qoZT=W92F;2@WhRa(@kL}kNaBV5=&mN)5mPeL&_BoZy4 zJrqEK;|Ir-fWbL4ta%(vOb^&`OWU?dnJu5Z1MK<#Cp*Xl&i$K$Pz8?iu*j6hID=6x zYPI54yiA>et1ibdEq)xKDW^vZZ&o5Nk7e2Xfxo}gongo*d0T#9$mtWza(0SK zCvS&QFVt@p7?y?eGI{#f)3c4vEqJo9sC8;3r(`=!URb}EwfF<(rd`6d zrNn!tuxW`KfFjI+v39 zR)E*fIks3>Q(;$JIh)*~Q>P;0NbAvi@_Tkc{s)u}qkS;zVG!*ON1;k}Li6?F= zfd7KJ-wxYB%iJjoBT+#@3I)LR{coow>JEI-Is)5aiOnk$3FXXa9u+q=%Z`(*aZCzHm&j=6zy8q%0vEX?4W%aolS*6SV zLXMi~kIgx=*1m~;jzb0$<_Y0*F^GJk(2t}_x|F5BMH-?|YcSF?agLtCh@Hkr|96a@a~5J>dkg}pJQ1^3I2R+d|X zqE}!XR|_Qs&-Kd#?y^M{5Z`=a7?>P^h6afKvyH?N3uZ?kE<8w~LX5ZY#fumb^CVE2 z2g>GR+i!WVY3f{1)={CaJ{Rx-@H&MS*iI-@VeDZk+R46r{>-fAtJRmV{6)NDz*LwO z0n7;{dGtcD4BoU1hs>V}SwHKw#Dnobm9Qg&^)F63Ull|2r@N`=&4wsPkPL?8ob9QF 
z>u4>y@*>CrBXZ?T-Ag(c#_IdgX&c2!G)eh%{amkr+_x_+!(VYam8y_=g}g2EKo$Q6 zhO4lkbEhz_5~+scLcVGa`6nkh;Q}nI6~&iF&ouO3H)K@gg6Zfi?UhKcnXpO+WdW8k zz*_MtW4SCX#9DD{J0k9AGo%_Dbw59sg}o)airfjTdEp4FCB4XRqtL_3G@Xc0H({!& zg%Gyf^;d?Wi@q?uLPSP6KRBHzeu;8^R?XQ8IPjRD}`yMz!E>Wc!o+Tb8#CZG&i;E^` zAdJ_#jsBHO$OOYb%N!98qXR=svO$(P3S~!7JvP;- zDH3gU-_ihh{}7#qxgyJb3!fJNh!?4aAOi2|SA_p#7Arr|w`9n90g&;r@dm1WF;Q-e z0j5qeQF+y>BkP(&;&h*ghYrWoLqy-ciZY5Ljz1*SW#t$g+?^R?Tl#&WU7HYCSls697S{!lr=46^DjZ!w>SlJ6K5-5ke(6 zII+CT7ALF%IDcln3at;U#GM(&WHUCxtHCzr3goEkA@Hw&8T8Gz!T=l*l|pxg2Q%_a zk%UxHzAR30_HSloocFEg@{7dNo-k+4`z;Rmh~nBv;_9WEKswllr#Ys~mm{hn+$r|> z@*|lleaj&El#E=uG{pR@KiU61z}bK@HI8=w8v}nx!cS6n9E4^u#sP!lsO`FS_I$kfp&}kRA89ulIuiRqXwz)jsuM|d!WB#kAG_QN{tcQ@Bg$1 z#xvX)hT!y*p{ocO`Xwn*E>>I)wjX1pT?@SezsyUss8f*|7}XQ=Oj#rTLIC1=^`zXy0Lki2*x@s?5nHb)dc&2TtyhcCJ-HCwo}|}-DtQ(&Z?=+0<`7kT*MpI&PL}HhJ#6lij=oasfP3Kf(=P0+13(M zzxZaA{)UGR0BH1eTq!9%Qa>DWT8E?raukg>tEwMv>D7MtqVnD3PD&;k0-*g~Q&!@E zKIvK@GivejL}F@)@0e|IWGrHQ2yU6cp=6|olVJOEQ5KCZ#Y~Z$R4uZ$@aedT7M7}) z8E|QkBj-M~OW`c0tAOx6?)HuR@JAX5@;{Y=BQ0_WZvVC-IO^GlH3TKlMWIzp-cW8C z6Z@ebNx^Tsp|*XAP~q%_{y7QZJcL*$0vITQ6%g^Dp@N)bYN^Tf$`nb?{wu}tzLyML z>V(_dy77X4hdP?&kObb@v7xua#&4XR4J*I z*9y1%&oJ69lWj$Acka4e9=pEfz2z-?Q@Ofc$_Y$zsU;F+8r@GWFLuVovGYEY6-%Co z3JX4+Gv&IAuA}vM0=f^Q+kuW&`l`UxFzGTH& zx@|7NLsyuyP6?|=S#Mo0L5+lxN#npB7}W52Lq2$ZY|(qVJ|Na+pFM*-W%hpwT3?s= zD&*U)h#0!+Nq=ja73O%7^48_H>)QwUbQFCL$heOZ!fv+ZH}GXuTs|H}7jxhxMw#z* zQrYG#XQwQ68?QRg$9i!=x&d`{rC6=?I~=J82!I>lUbLc78& zu;NT+68VE#hV5EuJMVHrR>Q}0`UWYblX1k;pv1{=XzVKt(wfX$&nH-sj(AK%^a> z*xRx&d2nC%0jD0?)}s8|aP~E+yW8a9H>-eLnMoSEft9L)41)JfrQJJFZjxX6r9BAa%_;;_5bB7$#;ow`vAkW8UC<_(hs%p46*?Rt z?VMb$;f&P`gUQ#@34y6TGgiKJLE(u|bW>dLA8)eKT|(Hg(D4eyU~xh4IH~ZwpZDP& z5)x$cacOP#cscKFxWB#|W`e+TIZACAajx^*JP6^i#}0FMU}$h>#|sc4_zi5B>`@1# zICarURnXyQ9G~L1s34z*O&Mj>&TY+U)ndLvwVoc@S5puM{L@tTTBvYWgcK8`sjfU^ zcA>-mwBt@j23zCcD35}z!W|uPilI<%X1D(Z(iaF`UIJ4sF1bKs_z1h(Pz##C>@^*P*-K={qx%b^~ej)oj=__qaqzNtFZqWmV|yN#vlD|JIch 
zghpX@(QnCx@>$>eX;z(U9`-n}!-oarDUBp24e@coP9zhExsa@pV!S4-yFwUNaUAgE zLihJ1az@F84qhbhl>x5W;>s#!S%g;I5_!BYKeLxFt`h}^o*LD$k5oRiUaEPg(djDf zHM6-*3)Z?#59fKb=N=Mw=~M2**+t1o#QfEUg-{&CFc?CHsZj3?V7wn%2l$3`2={+b zXRM2@2vOrhx?mTnW3a>g=MQ|-qA@uL*-|PkVuhSlnqPZD9K6D7X{Pm3pCZ)>B33|K zZky1#i(>bUTJl?CbC6PL1ok5K2bLN9od+G&Medt(Ev6E!($BdSil^6OR$ckX)|^DZ zFzPOuznm97G810E3A-N#oQxn^cAJ46=({bfp}05XcbPe>K*H~7 zJ^b>Nt*A62Q!=;_R@esY#c9qA8z%UDu3^2Zz$X7bmOR1{y?O`ckJ z48)xB_HVx0CiLp|H4KKa7W&HLV)#L?efU{Jx&ZMO7Oo)~LxoH_?7p6rqJu{Lg@r$i2& z=re|FvLb$i8eTvX+Qy-TYz4tK;nxn9q)YijRz~uUX3gDRAZFLwq$SV;|7zaly-I?! zz*!^^Fjr3{VOWVLOO_Ed5r>a!wy(OtZ!9w5 zMPIRzwBNUnjQs>?{af|(UL_W2)$kx3mpdv}=SMfgdPyVf=K1bhL%yycy83}(T6EUD ztHqlXS*gFES_nXfwhk*?a@tw943qi!33VAPZTujV3Bhg!X{$>#Lw|}S_ z;tDqORwMut6!#(Ix+w}B_<6k5osyhWDaclUhaYHuj5?x?NGe9~ZRPX_K>jhIb^r!C zi@a1fB$>VjIdmZ;!Y4d7;sk+kua$^Sa_A48$K?NC0M35`m}>C^(4w;jY9W3#g{|1^ zLwDwN3EZ^Io^0yMrG2GY>JPI=_On0~Fi#y4{)>Fy0btNJ2*qUWP~TUj-0{&StH(Qx zW8Xn-xB)9DrJLC|-C`R1zWO_&zSf7EiNr8yx*`5q`+1A3X#QCPEf@>VPg&D!f;07? 
z_etssN{zCQq-s@iV^QoaRzmL(6y~SnTT){n{{^`y@&FLXCHAv}6-yqGX8h(61}X0k zp17?vvflm9p%q=pS5b^b9`Nrhc(@0MdXjbe7AHB3igo(Z%^c%ij%W`y0%|IwRidMS zR+LhO?z1ihRj6g1o^NhDLpX8eITcFoz zM(k9{&T=;ir;Q#%@e<9K1X&5(Kd0P);SZ+k#g~pEpbtpuElaH)N8!iDOdE95O{-dz zi;LX}O}%#sAnQPbe)WDz>Lfp3c_!=)4j-)0=6E83O_h0 zPr!wLOQgxePRiF}@$HRl5a!>oLQMEU%1(-mj5Ls32g`wQK$Dn;jhjK7J`tY#L~F~9 zZoqCkSlG%H1^Mm&w`a771DTXB2)}ty`@yR;w4F(;xXzf0*r~qv+&J);KZO2SGA@Y9 zoxg$ZvaSZz7BBDTuj$#SUc7}X9Zmyi65_yL3YDVnLil^;Fp-%k0nO2|IeX8zoLB-fxD%oP1Cy zfk4OE=i!WIXTMbXklH6-e*)c4WH-xrUxd_%?}5tWv>wA96q>uMV`-P)!Xv#JL% zHK}~j(r@DaZDIw=c3mgLpU|8tGnGHG^Vu4{xLL-lzIZn=zbWKTiHU9|T z=1Eb4ScGgOm6mP+k~xMUIh9q|biB&VVIAN_I{_;!W=Bz~Xp z$B#u221$%}rZzxQX_)3YH=o2N)D2&1{pBA{h`DuXb98vJDY9P%OuFA`9&{`Pda`Z~ zT!+99oV|M}xzM$}d3l%oG+2AFy-<3gv^digyfHe-4D%9Z`eLwifle5aMU3gXZp8eT z2AA*d2nom{8G*BBY=bSY!>3hS5Ja8Q?m>C^Xgx4vSvfxw+%l_^t~}Fxgr&Q;;r6tJ zEB4+t%$+{SzHLh3zTB57_7T_ZMRnVh%d-Xe{dunU-kjyL?rqDbrIz*EYM{o6A)?)t z3sZTNAb0EYmdqX2BhzUgmnz&^OMiBHZRk1$zbUe*O`mQ?$fQ#l;@Kr#enP~DFylC<<_7NkHePZsO!CSfLrE+h2zxI z0TpFZvDHdNWU z=|l(>8(3)T7G@Go(P$^_m%-$uay6-%MaZ88uPv5B*P}J%{=n0>#lT|M^biH5twwqZ z3pIpMm70DHF%nl>TUBl!G*6^#gZZRE+mrld*Iz@?J!JBVN~K-A!~Kt#f8_JXrDd{? 
zd?9v@|M{KM#Qu3;6G>~P-rBZE=Gwi>9l{*u zAmX6e<(@z1uHhK{mq7-D%lC~STjHVcg=5*4lZV7-@1xbX4g*Pzil)qcd6{9-nhSUjGa98_+y`2Xg63>1cO7EKw^X>T zH8=LxP#4*J`_p0f6>~2wFVp2yQN>eJ71f91#ya)Jvek_GvYT4ohPXt7?h+1?XPGK6YZVKzFmdZUIJ9ev{bc0K8PZzFsP4my5R-&Kaf>tC3 z6|#$cq-VPH@eu=;D3F(JRK7jrCFZ=nH}QDtGhV7PxU~+lmNuO>fwOI^ZOL@D9edDx zIpCpPevz=~$WV$*2^SX@pjQ^uTSP&}?gn-{pcQ=oa$a%TKmzr)3fST6{F)>`mS29p z+7xN$QDv$HCc}PL-jXerI_w@;jGCW8^(*x4kbX``J-QjS9?}5P<`S}9x4uxfW%_V$ zS`0gi0S*!H(=-ZFeD(`Ju~tUbnJ&Mtqe7DZPSEeNERK5M*6j$qhudgI)Lg}Zl2Kl( zVhzoqz3%z}8PqqEQlyYqm1(Oow1QW)?CL9Ca~OUiu7|147HhmK|Zj(5w zjj>*$WmYs>hl9?)cCmA%!X?()a*9jjIaEEYbmzd`wn@85fM1=Va8PdBpH znz4jV7z|roQcZV(SZC(DawwuX*; zLqHD$_+GIMUPW+M0Z!*yk^5T+dC2u5hbY$6*uBM75?7SFGP;E^nJv<31~K#f9p+Y6 zL80n)VcFgE`_;o!{V=x6$%%B8`S0_RSAeZ`AuQ2q6h;4{v4s zC{5`$@x=HLbd1PD*)Cr}xluc@XeKZuyI?;L5fGDIFd)aK7oH!{%!Q~5k-B)lLvmGe zblgeiQM^~M$bnb=cUet#LjpZ45Ap4X%1oDJ@}%@`bUR7j+N?lGfx+-X+9g(bHw%>3 zSGn%PB8LmPN`ZKVswBe5Zrg;B?O)UaM_a73gKoKW%c;80 zs%`sUOWHxDes)2|di*bH<;(x^1M1BXHu~XXKMH>mMx*)OM{)e% zwr5WXW*Bxc`EPwS#0u%akb?aEyf2(F1^EL+T}~$M<*2dfR+FX7-KLT~{k{+mA(q+?Sr~KSM=C2T*bkV+`C9xT0q~GuiYIWn@O`HnD?{8qot{XEX!;llwK#w{x5whB&sbFs@^C*@4*u-z=y=g)HA2AAa>93BWVch46PFfT4^lEJJy=H2dE9U( zf>LG(32h5iAwpP)BcujR$X&T%(~nf?*O1I7D}EL>EUmO)ng1roM;tvynh+O-r)79- z@t1@XdCO`9x=1JUCe_fU^@y$j3)i6c9;dqNtO$I5nBQR5`I+XZ#kL%k!s7I6Q!21{ zR}3fnR^m4=x=xU89L#w?Hs+;uCxTHHH?StkZH zLn(YcaKHI?*w<)pP*I8f!glE2=@CyA>#>o*y!mG;wqAZVAoLB$RKtLX8`8mAxbvDg zi7(!QXrG!6!6 zOHDPJEX_4Ztyw-@tUA-1||vBz>Mf_xD_KT|9jb1&i!IwmZ3IBqwv1`hpel z9Oi#iO8z2lxf$b$J3~@+%5hfo1Q~Ez_$)%cN;9~f>zpsrG};Vyq(`G-z_C{xk2S%v za5&wd9{K;DLg(=e=f9_LIyne*3b)@F)ns!_s-pj}g-gSL#P|%CIUoti96UE*oB3px zdQ2?yJO+VQ&9NdHfNNA5xK3mg9&-v-yeKAlBcBsvb9MFvrTv`kA3-AXDAC=P*>#1=#s zHXZg!+V08B8QRr>(bBuO=sVA(Pl*WREn|gX5GRV(UCkTv`D|moAcl9H=nwa^j0fU= z7CxM&QI&u$>*3KvBa}zKuwe4lk8WzGjr@!KCzrd3HzH2ZAk35=Y6q=~d=WX91~3r_ zS`vUj+(h3FH)S5%jfD%|@FIx86s_ALHMv@$fwhhHabieRidq}nJbrAOU|R~-?r)D*v-84w@kFwQ@WcR zc^9orH&nXh1?U#$C)#iAM}+y)bz2N(BV-)0`vKYYtFxKP-|U0K6c&81m%<2S6mxkx 
zz{x)7p9YIFhJZx`7DA8)57gv@Dh&;qD%`Fx4fhVnb|p%YvZ){PasmLyJUNpOD+0bn z$NM^0P1jTEXIa=lPo(}dOpzXfzQZ>%>~X%`hlIsAwkS>3OCjpP&}Vq^`ii5z_g1Wa ze>Wp@4K^s80+-QO54N0kyaG|)5kv|c9;Z<_3hm$14+p4Oq>QK<93JsPif zzdgXE=XW7CoabvCWmx&9U^&Mh(uFh0mP4E-3;f%2@CUf9t#1a(MB`9%Gc4W*CsT_> ze#C-1i0Oz~0{!-ncqcxL!8s1>LjXC2KSl>a@gi?!tRVLYX`b#XdfVj(-d>JqT^pUJ zvK*5dkKn1^0W+yLq4eK^eY&7_*X`UpL{~ejQ|eUzlhl^gydt@u({pc! zZTQl#vWXEnmW>o4t%pEk(!E{6XcTi_BtMf=(}DR@@VFqVPW|d)xjFj%!>c~5Kom@S zCde?wE0dp#n=U(Ykm7|718#H}igWo6V55Xj1(9H1(>?%82$?J<^3{e~mW|Dk=^Kc@ z>m``Km|cz(HfT;Lm^mR%7``*FCrAFOsNfF1Akwy4Ltx+AEyc;T{v|ZV%7zjb!x4LA zbyptQKiZpMT@$XYD>#OTAdTf;!;Z_Hzqh*y)ezLMYlyMJS(hkYbhG)+3Bh)Jr_Lg; z^lSUeFT-!&D~_v}w+x_4CYJRU3QOjo_8atbVKQ;q`>o)ALuO6BU}-_;*d9mG zeh1%temGOR^`GEeavCES0av7kO*?#Pa<5V;Mz3ZuPeiQXL0#O2P&?3QTJ>do7}ktT zVNGK7&kpi229hllyhFL7`?|~m@An}U~!Vume{92x|``N{fg>4xsM7^ z7&gQnssed!^!hk?B;d}`=U-03nk<;Y_&vqck4zB7Di?%hdAostc@d7M_!jDkcYk~A zIP&$M088siPJ;tT7b2e=;xQcNewzB7F~8SHg9a+P12Ji?k3OIjXuX2}J|KT%PZR1A zXkX?n$(KbEEN^5ww82?hu}x(3wanhiL$m|WDGt-G+?~sEA!N-g}>!iPC-s+=KE5$580}Xa!t*}ifa~98{pPq3OJzPIS@Nqj@`EY*hh%il!j%e`8 z)($VC=RK{)DxW?=S19BgtvISGsdu2J3+^l_8%eUWsZ8L2>;4Q_7vWz5Rnz&}e_9?U zLTL_Xb^|>Wv^ez)i_uL`sXf_xzEbK8aM~kbIka7Xs}0(ENjlIY|K__9XLGfi5tJBJ zS|(Mws&u|W6iHE4xR2if1sJ`Rcqz2`wZaQ(M87_&Qv}y=tXxDCqC{waPp*bCAJi4( z97$j}enc!++gQ?Feonm*^q(8jj|?(#*{aNB*)5v8F%V{Ch;xp*g!>hmMIo$QB**$Uespsj= z>szDH*u8FlA<8ZqU^x($uozf{@-<{tajVzsb6QDf9fBBxZLs`looDyMN96(nJBK7% zt;af?ROrl(^+m)f=EdH)4!jx;(0!{~7NwNBv&55=6!j(JvQ}3DXp(cAu9+_-Z{>IF zx<>)S8))oN17vBK^qd!No#3N`n#5uP6WjrAYk5UaWu?Ire6Lme<__`jhEB+K_C8fo z0fznm5p~VMl`l!Nsj2$SboX@6 zJl#(Z9sn_$Z%gCqHtu#r9NJ^*9r4s%Z*n-a2ub+_TC|wox!XIme7AGv^8-oq%384&0p>pf^g0DbwrvwK;W1y)hiR zd8GAyB`9Q$`Oh?ra`2=9(4sGkQ1#3o27o4dXIa!A>y95TTe<1}9 zxM9;sBL^J6U!fzg`Sjn^F#{Q>1$dI%yvJ?^9M;oRuNVcusBsGZy0PJVdaO$U3|M74 z4xp^iUvm2!j~7h1AtkJIY^o)&71~}kYXxYGJ6+~qZdi-uxp=#&yKr)qIMS#AuXndXaiHX9{(Zar!MCs9%MkGaDVL zb=w)I{GZzEhwO$%> zz;j-^2BkccB9;4z3SE14A8m$4$3q+fR#uHuHuim*muGMTemLdFM|Qz{n8SdQV?aZ| z&+UQe7-TM9{gOKu+ 
zyG)CLhVng@~t!kx1SH@LtqY8FeZR(4gXM7jufl4Pqj;ca8pbCB&=}Jpf480U+H1 zX%dH0`$H_6ntdrp`b+9^ZM!e#q9KJU;Arktq8v81)pjl;ab9SdU3nVOt2T^Y0Zqo% zg=G)@{j*Q(D7(mVQdmP~n8Nm%l11PFOWF*0s5sx}nPL0w(NIRXkwXmrc*hZM9*UuE z1QbC)aI_&p5lngo29$-4208A~Wj$7CQxgUEb6}QNwQQ3)F#d00?A%~cF^W{Y{8cFY z8pV)8%lDEgpk3&UQ`#}0ZY2KpXry`f9DINv7~Efm`u{;N_*9%LE#=DCVd&R*GL5m5 zBAsk$CjZmq<@QKK3^5(AUq@n)*zWJ?{Ueo;UfL8NN$of$SrlsmkQgD;?%?g+5$Hdr z>sAxe@nk|scd4v)-;HyV;7nZpLLJ@@caJ6CV&P{6c^^#;SGNeoQ9S=>Ff7#H0Ax-DWBEq_Z}bjyWXaX;o{GQ zd-IucY*Dy*-^#upKKm~(?cqo+RlDH*lKL?w@Tb#FSYl&~7#f!{O-3HM)<8*=x%;5ajnHgIC)-#tscI#04y4i6+F zIN*YTgJH_g+Y|>FoKsi2iD^!Yrx%$LHf+c7SFDaXWOd`#874`m% zh$%aZ0%XrZu`@ILfE4?htE0GWQyEmM3hP$s(ZAoI__+3ScMxwq zV`at2USHW5)o8^zUtepgr)%8h!sj=ik4k5=r{ZaQqs^~7Z^QoC@`#Y9EcoHgQ64(s z*XWxcr}dA?NhZS&RZk3%ZJ}owKY*sb{7D?h zldl?n324CRx#d)++?gMhNj7*4l}VUyEqPx1{RPn)+Kb&1$^l+X zW>A#Qfw$s_F(*hO4Zwoa_#ksWxHY%V#K&84Ue9?PczsbRrBn*p;F+jh<*SBh!CK8= z1rk#y_VEJ5{|tR3!%1r`ki7=zt=!#j~ao$&s8UwnqrJy+l?s9@U>Xfx4-<)8G)Je zPH%pTTJ65$mtX10-O+dc;(?>@C?V%s&$#9fGLK2WPHmQikj*!YFEzv5=SvI7y7fLc zG9OkZU~of22CZGRKJxOTFJ10e{4gVN{O>k;B8nFqc(Ls2H-uVGsbjhk<{^7=6RkZh z!rd#ajwrN7~~1k&E7f=PNJTZpc$ZIs%b*}@-JI^XMioF93Xy3`w3m3+uXztY~6 zy!JWk-1)r?%n0V`F`8j-61?uU7AC)@8CO_f8x+o;5zeYx-Hvg0atG zBS_iogxDdD9b2G`%TPgp4$O@sqg?|kj&l*btxceSGmnM;gU$;+%7^d3Oc**3?^T7A zOJ1q+>F0Ij2c2x=oV+}saU*1yXRRewGHmjfRh!qp&KD9rEe*ZIPtiR&*X+QrLoY4- zw(B;slEzMKJw6<0Px4M?LPBLv#+PVCQmF|f;=7(#t^P2(#LIbF#po#Wj5YA0@IbWs zfnTI~Ta~qEwZcx>U%bYigV)^TWe~EtaWPOe1+8|yDow*zE}-tYc<>Maj~rj|`10BG zdOj%A&X|+1(xi;N>b|Jr6cUyG6W?c8OqHDnN}nFn1J3r0!xim8Dv8%6icf2rkN&xx z$4v}%OUmgx{d{ZAo;c1yWcy$^=!I1E!Q65rpk(n~0K`siCBPJ%T`}qpLFZjJrVMV% zpnUrDGqhah(ML$X{F6Am8+RjxMZK^Hz1e9#`>wGVm#=PRy#j0A#~Qv>%MG_3QCq;O zy(xn6nUd>Kpz*4M>E*5W+n@x^@#Sx)%_ja^7`SN{G6KVS_FLFBS0s-nU>q5i3Q0yE zPxCBRyYAgsY{9Afhs_{UHX1AKgBFhZ+_t67qvyk|rHxUyYnBlDT`O3&dg)H$4~;6V z`@ZHZi)h|`LnbPSSXDuPpry&Gc`&NBp)9~l^Qn=Q;OzBy+|cSJ5}!F5yF0F)-?y#_ zr=c&deZ%4f-BoDS6i~iFkAFcDA1c#a0agWL$BX&1crRo482G8a-RV=NFu>x|0E?d{ 
z33u@-mcYnugUU*TQ`dNqNtl1oYCr|u(>uSH5ePb82I35r`Xbv5$&u)v#qdm4VNTvP z?u_R$_eH~B@yRY_rxK3q=Qr{k0X|&47~5H%=`PUzg$JKmR$MX*o5M?94pkcf^PT`E z?!tDt{Y8g%0yj5d-{c;Nv%*=!>asFax3_G{oN)_(%h%_Mx+jP7{jSB+*n9fI=JIi( zQZ1Gjs#_2N!3E+;N=O(X2&R5%%*l$##1)W@=1XGYTy*MW6qPZ%;sW`z-G7VTUm$>( ztP`@=!~jZyfXcb&rR6bo30n|w5Cux!HZ5IYGQ%!-+V>f}+-LH(b$Y;D#WD`Gk+4%Yf z_vO#o3bWV+oPhlluE#CdjqE`-sRTxFUyUW$?KVpFw25%4d(l>e%w&c0Ejyn++5)RR zOr|@|t9Icnc-!?cWL+f05#t8mTo#mq_3&NS{Wcs9nxSsEiBq$f6MLLM1wi;-aWmOz z1i*&xtx;j;o*&0G=6eTImpAHZkmPwek3-Ku*63wDNIrhrwAHHSr8Z#Sjr9O%{P8;Ra>u133O~QoAyg(+^6;dWlIZXTPfIp3iwCMgr6<4efw6A?v7IvnbZr}Wl8lr7TFJU1-uVW&3 z&Mlgz;S5rAp&;e?of+xy3c#sj{*|t1cxM!dZ}m@$>+{4d=f1F)yt^l!)kvB+t=ka$ zNVxSx(ux7Yx~Zl3Lmh({42&(IzqJL+Wum{qeQ@Mum4#Q1-Q;+bxiuZUYOe}PX%Lk) z7>nho4aib*uMP=-f3C|9w0p;aO~KE*Pw&yYQJF7j!>^^e=!^oXd5<&!mb-774{{m^`voBHXr)VOsqGQGA%R8=7 z7h|s4`ooZ7$j_bf|`pkWmJMrRsY?(pR^LaGe6FuT~fuc$g2~J9d3fL%J<9kmECVLrsc`eo~ zNwp-bbyiSqdbCBl;Rn979ZqEPovSqWs&{bFD*V2^DyZztpE*u2PZohQj(vyT!#^J`GY<=yT%Q zp-K0^>FuBaYSrD~Bgq@vU4@K1Xv>Jk=Q+pEhRzEe!G@~Y#zCy!*7}bn5pTDtJJn)KTP%r)En3D`X zGZXGR@#oppl;mxk#;6jG_5N)#bPt86!#WVQ9!uanCy;18AgR(OKHxte$#elqyK9zy zL$O`K-jrh;%w8Aq$II#*BeoN!Z9O?Fmi1mcL|`^K+ih%w?VPrmKREAlGj*KJt^Qy` zke}Ro>dC|`)qkyIbLDdn$SWuw4ud71s{kOpBIzd-+%lG-OhtsfiSE|h(-L$>70P)1 zgFaI?DE@;lRPs+c_2CIi7ZjP_{)BpB(ficd*sVJcQyK6w2 zno;7GT3nP$xJ)33BO>(Qp@Mk#PH!N#@QDoTFbzoOpD)>knn#Z-cP@fj(5M0PY<#xA zY@fHw(zQzl7%RJV=r=8ePiC~5MX!6i&Zw5>9WBVQr{xO%3rE~;^Xm#`nnOdDOIM4! 
zUR-BRzBL*F0g!^=9~0pu_W;^&0|pbm%+Ej9wzy|^B~7s%J><#9iQF1lo0N4=A(nUf z({tR-&r~lUAE3=}>-;YKc~0hEj!jgV6V8A}F94Swb+uJR2&WSS;=1oas4HxLqk2W) z3muENn|GCZ_}qaYp530!<7yEap!z407!}~Tq9Q%b7-91y^tu1j@GZYQt=s)oh9<|6 zoi+Enus$};M$8FTx(R0>s!VV#0EY%V7{JXQh`NKIBKBRap=E1(ENXcSwwIe1(CnKGS=6KEaNauXyG5*fKRGNm%(klbyD=vjkr-^=dh9T zguKSCl|jgn{m^el##2vnH>BRsXHVk+a1H^O4&C;dd}xCxVK3gZJko6%j<>-@wOVW; zucX5W<=LxF?T!C{(>dFfINwj9I6SIlj##@rEhN zdS@pA_20ELDsr=+u&;rlOnk_PjG3kAhx0Bns^9f^{}hhe=@Uv$1&bc5Y96qk@7Bb- z%Ju+Pqh{?Rlxwm$a5dIkulsqZ~+=DT#bmaF35#pcyavsy5!}mu)tKnyBrUKMM?=lq)K# ze@|X#+%~-Iba{rUV=U*@tRih*0AWk)3#Ho!H`S1fjv)X+qTi4@lx#0MP7Gd#zX^< zgV|;WE>@K+kGrDoeC!p-+eJ$joj&1IBYB;4@&2WTKePw9?%YMYBTdJ=k;q6qbT4}> zk~PPjUEEgCpTRcol~N-rbre9ofzDbez3ZaTp*Gt95oA=e_c-`)S ziut<5qKLUY4sznmt>2R)LB<~Lox4nh2CH48X%sQJEpf8ATJ;#*czc;9>{n(SK!7lP-nvtzS@Oh&KOuS@dOXa~cTu7W zyXe*R;76W6ws&T}CVH%_2@==G3S90Vi71&HT)Tv_{EBN*ex+yh5Bfyyxzt{Fj&CMQ zSS^1>s)t6~^~^Y3#ko~XcxG+ngQk(bS7hG={Hb}iwW@YbDjc^!V&pB}$4n!pQSU$F zrU0glG+8m`J%G9EiA_mk_ieZ+Ng32wNp4E>LHkOmkqw+vZy1JSE5?kr$AR*_mdYz@Zb$b1pL)pG|cSDYgjiswyy zIL0wbGHTJ9>XtR*>``hAaI39&ZWH0;{m!O7XjP5|AwIoDE>(`b=?AE~<~Zilc{EUold z!(}DCmB0`h&UQ;g2J+4#C7XDNVB?ZD1z#-=i;}qn1m>K*9gLD7Ca&Y{I0b1cXXve4 zr>Am-k?6P&g>lH^q&f0jry^&;Naz1!-6u*AA!LR)>5;fIg(=3jM56`@;I|x*JXi?n zDumY!Bw~^^aAqvc*bH#e`LjqV_F5Y1MSh6bGe({&ls)1iX9IW)#Myv3BDQ0#eBZ-d zDr?l0R}8=|;h0Qgp|=h-Q)o|DEIJqnKXHD5hQZb=GM6vb+;OJ)nAK5X*sygtD$rO#U!((y2D!pElO`xC>!x&10zZ4z? 
zRJz8ITq~k^kV+qnL{m={{FV7Bz3cC%%0k}+t&oC!yG4dPP3OgJ)1#m4WUNqOy&$;u zFE@}4sqU-r`Kx=|<_V4qq4^rH0YIOqZ0|hlm7hQlm6DnK#sm#5SX7T&+SEl8Z8TbO zFCz2Z9BU2tI+@rPi-YpUYvc3Hw>!+zYoz z^|~Cq1`Vc`9JjMf zz$gcZrnpbo+hr}D#ZXGTca|4#RvTE@U)l$FWh`_yf#Dw?oX0;Mz+FAp?# zd@#RQc`N$W=QvX3lwPFZRB7Wt5l)JVikV(7*dC4#+sN|#O$(@Qgsn3RNT7q}JCw81 zlex6=z6M|A4}NU*#g^BlI=`}H|2HA!b8XTHObSWWgIBO{&7}M`S4~|>R`+Sv7*^Q z#Vb5h8Wy9*k8m>V)JPwniSYCJFOJ#@@j+(d2mA^%)a4N*wTl(ub}|@A$t{VyvtyL^ z=e!K;+k5SHebvdL=iU;{mCl#uN0Uu!d^~u;vQJ{;vU+Rw#cZ!qY@$n1@;PX&s?F{p z^G|^ewhN?eX9vrdmebtY(+mdLqejU9Mdv3`W0#fQRVPt5EvCqDX{w~*gMgAceJ6~j zhZ56xW)a7LHN$bg&RiZ|10k1{{}Z(zU~ZV7t@p|*_U%^N(VS1rP4iA9vt_~t2{>JC z6V$u2-qnpyd5V?^-;1mG<$?0pSS})+$l>T?R;y23H763_M}ugMa$OAdW~^f51I>sJ zB9Y6gRhf*Z62g=k`65*6)0m<&$k?sZ*=^_Osq2|51mXb{KkOG_srt(Nz$9MjdQR9k z>V^!!sK48Z1G~lSX5Cg%b$s{0lV;)fvYd%Fc?<`DOTqSDl{G9;yM^vF+bZXDcQ@wp zM=5y5>Ovann~ZxB8L$0GmuP7vS(T(%F$^ZK0TZzs(Hr z`}IMJX)QuRn)Q8_TuH{e-G)yO1e87qOy`vRzTmZmLita#uxlaweq@_bU!8t(U+`87 z`?q1aQz=@)3&DJ8wepPYXdvHR@BYki6vlL%GuMM&e-hjP{nlk%h zlD=awU}|?XckgH@!iD)F^x7~pt5h)9Iz!SEwE%>>prZw7&AK@5fOY$gJ7>5Av3ZS1 z@@;}Hz*l4h1uq2duYOHokLWpKt~}NvTFQrqjj36hDi~Ci!cN@_u$`gb4??zgbJlQP z>raDv`Y6VQjD@Y!*y7QBvuL`$e%N=@UON4J7?MKHZ3)#J!6eV`-FgaYW_$%-y%bvT zmRHp2kpSrK%1Y7rN#T7hT!o}I1@UHhZSTB7kWVCed9}p1C;FCJr{5}KWBQ&zp zjmFTE&y^41S6((Wfwn&(Tzni4Nvun!`_{o5s<23!eN5ZCEV}qee;`TL5c97BP9$v~ z71q{PnO2uRZQ3Gt69ME>^0Pq?M%XNtP(!%3_@%@R3j@vfV<_0gm|GMFVay+O*Od!i|oGR`ZAv<+a?{j6s zigUCWriedM(z^z0NX-NX&o;Y8C!2EAzHD?IzPE+>s7(m@wVDPVU=f0vAxO(uHu%i5 zm^EB!!q^@1V3JohN}bvGRs0YZumzEGUTStzL_NSiy+>3EB+k$miP08XbIWB$ zj9fwgFOLRAje7MMs$n9kJ`_q5@W`YV>~i3pCeHv=7I>e53}#-{Bvl>ZLiCz`V6 zwTj1Xv9oRqyXF%=c&bme7k1k|q9~--HDWSh`<|h!hMS#RN&SRJ#owX5T;JHbSbzUK z#b-nDi+|-g!c47jQ0uyPWPAy9HqI*wTPVVAQcFpuUYJjjxlAL?JG=%8MX}T7Priq+ zg^DpU!o?$5k+XcZkv-DS@#fv7 zR8UI55f@;W517%ZAwZMjdmjwFciW!NPWumJ^Nk*3J_{43-{-zG_%>%=E(13=!kN-@ z_Id>_^L2G4LK=LDMgeqOq0@BD##TqrMiI3!p5!-1N1MC?S6SA1B426Yy8W>>5l(Em z*Obfj@vCX0rOIwKqAN>XXI=B~F?b4?%t8L!lyDKcoqTo0C49*6fh?VlCC0jq4gN}x 
zC@;}Scc<%;@-VE0PLCdtlO-z=^q0K(e)o1Txuh$%RFRo5m`xx3v z9PJqrVx25w&z(5b!d!iUc=jK7E-pGKtH|O-?4dytl3HVSW@GV2%;A1_+76S7$Ghuow~2A2_$Nl>&kTQ}iI5m`1o_u9;RBwz2jngf=%d{&&9 z?6OKW%eM|;ca=KUo%6|#)z&kUy4MM76MUBrz8fAkA|?o?mRoQUVGX>rJ7Afm6-%Ob zwO=1h;oQVK8S%rGZ4Sgd1r0Q>Upc@c=^oy}S39n%ZlSR=-lU7y6f*54>GIdKRC6x< zN&TfLsvz(U9%231B=O9{pENV`BynN1mE0pm8<|m6aOW91TNAoO+sgp~Ke7lX3=A+_}$#MWP={Tup=GbA7&Hp@*F* zWbrkn!#%d)>+}S@>^~x5jmm<1DoOzAMgf1DjrhX1IB(7NA_foWy!-;cE!b{jRgwZ? zL<7vXP)W!Lfjw1#xEanAR2J|}Dx$uWa9d$?Co~XM5;6;%Wi+07w2!@NX9-U!c1Mcv z&)$1d0Swm0*kpTEF$pm2x_{eP@~YT%-`>J=VU%2kwH0DC<8d*rg}_z2WV)~rlA8YR zO4|Ya1j>){6Ix>_cXe)g=O=0M%tfJg=$6^|xj`3)eRIo&Fwu<+L#gfvs$IIpJH-{6C(e7T~x&3IKGbN4p{tIN1!1Ey4 zux})Ld7f*yMxM%xz0<>!$z=-KUwc0SoVscq7H3?>6QI#4tsOa!F9@@BC+INKie*fg z=0+`z!yD3$g)NIuPi{-fR{GBNk{pAlz!xwW*o8r~fS zg#_gcX(kj5c(DUL1z)M*U{mKpPfKbHQCLb{)>HiPI~s4PkvIY?r7KC@e40hb3Y2 zsxJ}_=sP!E6HZxYf+J%Gg8nDea3}k16;JJDZ=TfAj-tK5cGh`N58sD3E}dOm2+6ZJ zAhm3G8&B$cm7tYwtrfmo+#yJL%1RQap~{8WZ#X9cIo_#VgVsFVGHsk?e`0xTb)?=q zJ4Fu=B4^^S*5h{B@lKX`oIF}q#ryWK%R05;07*2d%R2dyx`ql*@f;lxoV0{auTOb% zc~!^rhL?VEcWE|pG2qMBm}{p2flKMTdxW<~{9>aj`ib4|Z{K58@>F3Sz0YF_99pGR z_mjp&0beiU0M7gXi$k(UewAn65r#7>lD~unV-?KRn7GQW^diOF9z*#xO{Nt?f za2MgjmHR5;SeaUt$HISZeNB4SP>EkHUq?eQGajF6AF&v?QJ`Uu13kc2#h>QsyOdA~ zdzUM3AIQR~D(7(&RWdOH!S6ccA@#IY--w8wyh$KWF_U+EE8wL=jxf)l<2gs@Mv3+# zAVr!G^EiAaBJ>2Z(=Lb2U5IM<%u?GKzolfk#pyV%F0i0bqBalfBfFG2>&wq5n)`L< z$e6y-ZMJEs6Ik3{{gIN&F&T1RnQkc}=tqLLwnL|Jgl?Wdr5@MCc?3A{c zo-#tso@7QYX}g^Q3v;#KD2hEj9)cblxnM8L&DL_BQq;ZHBv0&0vJn;b`@4>bK5-sA zEI)*u@DJ>2&}w`#cszdQNfSe9OfHV>>TR@9q-lpen`J& zpXS$oS)4zdy6037rvn-3U+?!jVu9PKy&4JVa$Kp47rE!I=0Pf=CLj!8R8P}I>NbG9 z?PR9}-ctjQ;r{;L>byddFyp|}0z!OXsnXDlmnBn_quZ!e6AEa@-LB`7dHXbyYA&*$ zkR~o#w5r~Utv)DZ`S-S?zR(hU)4bKy4l}$4cT%n3;(XQF(sh5t&LrZY=S?Wv8@(U> zic~B%>G$hIq*0&i(U-KymwsMoW~D<9_|9AM(5A!&^);wK$pl zu{M=DbvIp>GwW5wj3K`ica4C*yvR$#2;w0){~f$$YJYI zk@_>6Fw|WiMxzfblfv ziaZ9nt`DR$!UAKG%qKq%**O#}BQ zT*cykGtI;ce*Vc};Cgs39bWZ$uQoI1^i=be?i+B#SbcPeT>MK+?n{SjpluPQphR=+ 
zMN2vX(`|}Nf^6~Thi%)+h4$5D53#N4ld>y5^x^x1?@xkFQNO@;VBNPh-)aoX9r|@g zE}lj{Ar--tQ{~=42wlWmy#vRnwPU*0E(hv#XeB?(^?)fhg~prUh#%__TnX{z(IKnB zays2^lK^kD@8vu%Ud8*AJ;qW5Ul3aAH_OWfjkSQoX~x-2Mp15#bqC6JY@1xc@?M7b zg(840;d!oI!oB?*&72h}OT(7l=08A#kYAbj=%O-~x)YOWNd)T4c|ME$q~5EP^ARAj za{lDyc?Yx=uAj6WV{H$upNCz2ddF3M3-hXgGm5NfIv(;&kfWjqP7!v!%5 zrmnYrK>f2H-r9S+jH}~skl$WO?<#J0Zr|Dql7e_ivH_1B^iQ76zrrJ}`-gbtPLl7Z zyo!3$lUm$H`hhIaaw{v}motQ``4nIktTXMlT55OVGYyU+kpBykrW0k4v-We0PxPvj zIUS{lkBP-66KSlIf2-maI7~xtNG(=2p9aa=&LsV_b5iqr)s5khtir$P2xxH9@lK=Q zR;9MTU%p?{r5g0xwToLPfkO6G!1+%6=@dC}PTouWPEYoxg6+`RP0=O}y6jvLKvbvr83P zS+!U5Naie9#lHtz?M(<$Gwxp(Rn0xYH3s-9+rdrADU6{~D>Lr%8wJRI1SF}RgOQJnfa8}?}uJuHF=eNeXbv61oT&9of~Xm58` zhhW96Z5N=Jihwq2j~9%MWj!RhSQ=s_Se8eMD$709&nOMy_YXDFI?=J7ik6Hpa|IM( zF(fP_psWxF74_SelVBP=u$2D?%wf4BOo;h7MA%e}p^AQU%QKPoS1zl}Bo z<3z>9S!=Y(H4Sssa$l5SJ$114gABk8EX2AXF#5T~KT?YevR*s?B1enx|CzG;=iqzo zENDko4r{N)t*=>CfCCRtsO{tiLRn8(ukFf@Hf8}IA#1h)*7e8BO*DJluxoWA5;V0M ztR-#SubRBaiMA9(clMn$&Z1#XJ&D4ZVWGb?0;M6zi3Lkid8bQd4S6wH4GihGrUlYX zuPF3Oi^_-@B`})eC&^n*x=aXlfza`;;}dTXG2v|cTSzKH`{+Xt=GSx%zq481LsIC6 z{(okj93)t_g;W2?(teFxO9+FL?vm`4?6na79_4G$1+}$Fji%P(1+*Nv{?G1aP3omh$!}n zWV;v5PDk$V#g)@ihp(%A7a&KaJMZTY!O09Ryo0Ho(m`LY{{bnTxCJ?S0SSS^0OZOy zf;*;e0`a{Pl1P7$+3{;o6Q$pT&=z!20`21YnFO@|AwsD}MyY%A9Q-B;yJT*NSJi<|EZQybXzLZxds zw8zsy3&xud6Nj_=`ddGQUK82i68J00YpX%ND^`=enGD&zGLKP%*FpHh!P- z#n7ssb=dc-A@FE@wp0QoWktLzudXlveD#I64n@(?9x_XwrKnwSoQKuK1%`^;{$B#y z7A9;PqZ%%fBLl|;rrI$i`g+mrGHjdO8QxDocPe^I@JMM7`f@Tq$x@JF%;9JJqyi4N zD(V711_|l60D=QSQz+~@-kfSOyoxkcqadDqVK&R3D2a!C|DT8ZR;K?=^{_QlI$AS) z*C3^coz}-J+s)A=QMptbtui2Jqt(vf-%dl)6*&H8Bq zx2L8TQfGLVcUru)7q3dy-X_auv5ww+47I01#yq7=-f9Tf%+8%vBc$GQV4$_Nan7P+ z@?}@;dx%HV^27?!W6cJgwMl(()I=h%%|sHFsKOgj>6J(jx?^kkyuQ0r_AdO4gcuO2XLOfbZdO z@so$7;+=)1Od^DQA?ttVhJYbFY| z4Hy=7yduLdH)__a^<#h|I7`zjePXGU8`r%n()kL&~~YZaF2`cP@$5n zuS{_*#RftSV#Iw6xh*!I@^p)0R~Qbc-eM*$Wqq62krD}Ql4n*F`skTDf>Q}eZW77v zHGitsiNWY%!^}9{Y&3b=5MIi(UNU&nsK@Zut=Dtlk1bU16Wc=dEK5~l7==QMqkbqm 
z{K1bk^iY%^V(9Q+kTTPI0%JYY#?NqI;jn&6(RY{{mj7-+`$*%oHYS-_?!*^`V>^#$ zQc(O1hQvJ5KefOZRD<;~@2}J(U=;d5lmkdKZFL!>sckjrwX>AALFD z=e-J?iI2HT#BRI%p^rBBV2Jw9s6W}#8CZeocHX>0bNjWK8i6AYjXFA%;C}BE$GI+M zTc@A+Er7R#K(XYpUTYQi+Q%--KTg9FErCi z;JAOAp(-yoc=#C{;^6m3_*-Exv@`9z=tqDBA!`qTa?%bzQhIMPiYrxStcz^Dly`+e zFfF`Juj$-_^j&1y($3uL89uP2K?4$!rlhO%(GGriQ=sl}v)#K$R`-E&Y9dbjBDTV^hDcgEKoX0^NCqMQ zy$}&7Wt>wdls$zVwNH*sAe-)54{wFs01^&Oj)eyY;f}HMi2iSk?{`4ODbbHlL?sqZ zy^$ZMlIW77<>582V>k95=o^#4cV&MM`2(B>o6PuZ+#mC)ChP{gV7?!E;)w5L4^^F* z>G&vW?#Iq5sw`P9DtBxEUn(-$^|%us^iTSY8L2f|br0?dCt*7oFS1&PK=DNOdz^Z< z)y3H`qKE#Q0b-KG!M(F}oN>qtSYw?FXHW>1`?5mU8kL+R+mSC5ukkg|8GG;-|DUs8 ztvoR9U3CmxTRKkjFNc@gQCaP%TWd?cW9&spnz zGvU6vC-8rV2M6km`2Noi4-Uv34gmoy1=TwvNi0ZkpdACbI)Z9pDA56_It+*2nQ?T0 z?;qRHI{QM>PoY7^(jq_E0(PF-?&k}WuLzeq)i=^PfkwXf5TWEQy}I~ z>V~YJ;Wj6B&X=r~N7lB*tyx*a_X+V+?DEB0Mb-FQa- z$iQcN8c-u?Y0C7Bm{oJrg6g4Q3*rne6n8}?CKDcwRlaEZRz)M5BAWcgJ|$GZXljq` zbg}91{UUt!R)n&NpZnL|fZNV&ST;lnMW-av;ZN9AZbUc@cet5)2q+a$WuX&-ootHj zQ$Omx?9#}c)|}aa3X1{c?cBdt3|AuH#=B~G4S+fxg=k++sb!frAiDBMzoS}{kJGHq z$WA!Qf`!frcbFf77(XCJSEi%eEN(420z232yNY;Ud$g$C9YD;}hv-FpImN^GE4(Oq z(snra<3U+NCp6~GsurxV%ixe%bVL8;)TW=2w(F>^%h_3?s&rer0}bhWCZ(88?y` z?)_}mkoUU4DtwFk)rUGu?;-x}pdj*c?RbI+1teoLaRokUal}N1sQ7wXLyy3^5JlJj zOsVYB#517pwnlclH67=ksXAi%hN)U)Wl5Jq^@xT_Y4j_Duf>9LAi-BEI)8S(X8ws) zVWEQ7x4IW3Rg)e#eHXOu&lJP%>O(t2-_mQg}HQz40qwY>kk)QVY2HLO(Y6&?4|TwEK$W)D|b4RaM;bK|XXQ-m?uRiDyzU*>F~OqNG} zilY`GEQEdyqY_z|+u-tN-u?pP?ceDsKpcmergW1Yo)hj$;v;wc14~X4`H5UgIU#S4 z57J`!oZm+LA3~xvxQps(!3+&3QFlblVdsQ}vhYTXD;%@BP-#^RFo4be=2|hdX?^QP<(p&7I**13*L$Cc3}p*Xc1hsVa|@RAW~MpRiRqs@4u0acr!+t84#8wgktuT zKpA*XCI^r7ctY4!xt;}YWI-ta@lG%hH|(JEuf77Mt$BvSd;FI$%QPU$e7lWN0Gb1V zowT>`E#nHvLvG+jFBKwlAC*_%J z#tcUtH&cmFks3BQ;^71Sm-GhH;+#}^e>yAz>XVjpc7)j&;&`V7eL)Ys*{sE>(?#P# zWy>8`{<1J=PS2~GyEAN4)twy_G7IBPDT%p!+0mY`GHcLG(K=E}5t0c;(=ne2^5QxlvLV#0U;3QSF zgJ_KTfYOm4@MHo`uAa3Wx~9H~Me{e;_3#l)^tLi8`?n)PU+7fSiFlc#i}lDJuvtCM z&tUs}4iy)7MucAIWJEc%m>1}*vFbLLcr>JA1;4#v!*%SIeyP%RtFwXQ1hPT0$ys#s 
zC0^@Avs&U@GsA87P3E-84RMY<{bWs+E^{8@{ZQApenpxL`%FGNd>-_mBYkYWL8{}O z?b-i5ymw)?+Xp=p#*Z@y+e~gDRorb%cu;sjwQjm5G0Wd0%W{b3SH=oPh?OrK1N&Dc zf>fslO{O7ySZeu;J~t%*i$Pf5(PWh%HqJRPLl)2I7X-|Z6^4uU05fDeWe?sTZkS+l zOGv0w)yYa?drL(SHw{`;`m+uG21qu;kZh-Vgg8#@+~@HVM-zwOy^}( zY<6?ZRen)qjqMzPZ8db~-e9??gW+dizrU4#Pbj{j_Af2hVc zCaJUn;?K0f!^>yt5|^#`2dEhy`5Qj^O>J+J$OH%wE-=#Ue@GU`$ z>J}cwUv2&Tqsstt;eZKfx3%Wjxnw0s?~pWdnF6aZNH24B=uT3|{9|hM?~w-9H8a*~ z@g_J{^}gKn`QdV0A4#>1O3mI&G+8=nwaFP-%Hd(8_(iRLLw&h7$* zH!8T~^OjtYnrWHJkbocpA_+G73wlcU!}Qx<`$tA1UrUISQJW(ko0IvOntuQQ#oFz%6vvY$mU^BGGT;oacSM>cOn z`lpVEb8~9sDid{#=~(iU5TYRCwx&RWCH%vNJ%FWLr(V%at+?QpU{NTy&r6XYP%>ap zpG$i5V8DxGCPxfoAZ5Pp>M>E!*2cJxw&AtI%ArXpi_8J5|>VL4rS{fO}MUjU@XOf(*i37MaYB1%$IT0@q{p) z6Zp}^JlE-4-0vuPV0(zHsfrGREeAs;O=;2>N)*wS1NX6Iq>K6AR<_}WEWptwRB;4a zK0AiKPde~vM^@p&uAeyv@(sl{dlL>+tVwVtch<|! zw3x!l6{Q_3+R&5&&(r3K(u{fGB9XpD(o&yI;*H~f^xi9D1Pg1A8o5XMf=~+l(@-<) zUNald?HQnkPBe?Bd{!q-pQsi?NkJ>T(mzRYhffws;H`g+`{<{1%*kD1kFr?eo=gl% zpMtQLump<5ycijSzDCT>2Xa$2P}ZcvjqLV$W6l1(nVxfC_=cO)5=*~h+O4k_1=Ut? 
z#(oeoj(ZXaDL6mK!K((&HubrSd$!$JBlHIV>n9bl1|Om%)&sF#{2Vp4j39JtZO%_K zsBy3~(ZAyMyhp{svvBc5n48-zdbZW^NO-no&ne}@Tao7CIoubzz)5aU6tWU$SKhJ) zDe(P1T!ne3sZwD@H%oRZ?h;iGMiMG+s=Gt5W!1qe;AeD{7VN}8ImIy?wkl);`$Ii+ zTLYv_uW$lb=(Pz50|QW_hJ| zh=HALo5ta=SsTOXKQDRciVXwX?nX7uLt>8hp*`~ldTb4UudU|4*O`D7!dFJk{C?fu z*F1hl_USYILzW*S^scL-`O+?{yaL5qGeO-uYK`l6b{$3V?gglDLpHu53Jfh&g3OATy%p;8_FaBK= zj~oF%SqFa{p)f);jROI{))p;skM9?ifyP!0)9$&Eu($8LnX*vU^D#2cJqrWS> z6oa(H)6L}g9kP8NKblxZ?w6YYTq<3;c+!-Qu8SAO4JH0=VOaoZgj98CE2G-QLd|7gMk zliokV>%K)L4EYhB7l=u2PCU=z^!xAsB`C}{HQ*jNS_M2#fO*gw?T;H7b3W1#^wJx{ zXeX~Apq>`LzVj~?b1moytXHNwwWy$zV48=V)^nx{0I35CiRCkcxIF(jBGbi?=)zwqDDP@L7?XSG3%HL7y#$7@9gSnj`3o*E3a&PQhwLq z&1>XUoOFNF0(C2ls+cx$>=Hw_2FPjQz63Sc=UUK8ULBb+t`ro$QwzosYp+NBP0XLgWAE{dt?;koc*5yhb1r|%J_c3E!|D*yhwe_k8 zm|bmmC=G9a7#7Wnx`L1IZ;F0v)8MydX#F?f8@ zGw7rke6VD?&9B_9)P2?Vnr0q1IiP3viPHxUme19PPjtz^ zpst1|l^mCyc0mPx>{uvOK`yZx@6N?|xq+d**FrCXMl@IG!DuS}xo%a^eVnIgF~ zb8Q%;T7a`;aBNvOVde2yeAJ#L4`VA@(*ZfJ0Ei@Gl8*);_|e_IaHYWZ^G=1|^QDK` ztLe9@g#U`P@q_y-0lGz^!JHFRW1x4VfB5G2ZPqVc1DhU$Zn{(I+SAy*OCn@S9)}48 zc{|q`X`&guFMHSHIZvjc#;mfXIbPp!ThKc@DhKozVdca7Hz((Y5EI^~4My-H{7?@( z%e}!DXPyjnx&9gwyopeT?mvSKAFbV{22MPY&0%S_H6xMI{<9R;lg<8DPJ6tGf8Fk^ zoR?*XPc8{S;jjwwVgt2^SJRbRnuxmP5Hy};TeTOFEoU)RGD*8MM@oP03~*vu_tshw z*<4-0ze(54mECY|hR@tIw2HEv37}n~Xy=MY+fr2C^@(L86efYuo#4IXkwi`C;;vlF zu%UwaD~{74pV*ueQ7ND}&W8F9(##ah@*vPqr9Ew)s?l)SD<5msGcwwJjdxiNNLp8}6?{F@u07yd5Ul6cX~Z* z@fMfm&?NHy)f2_w#b}xZNcMnUKuo7|%$34Te9l;A8~wBWadoe! zKRR{YW2V#dtzeM=abPIPu;~gPsKw%HO$$5OX+qOZFT539pxoFfrFgM&9pxN$9Tz{( z!PEvEL7R13WP_j9g>gL0+3#Zhe3-p7@;EgBL0&2s4IIHx>afq_T&E6WIHy0lezee8`j^K~f6!BltME)L>`;n(e5h zrU@I>XPALlr;{#X@_#Oi08BZw0+AY6BxuN}VU3E=jLQANNm3J~3s-FkK;Z3ux792W z@fNQD9c$!xQ!~CiI$b(qQ?sriNiD&u1!nkPNK1Q%kdXgi%_>lALnLK5SRI7Lj(0OV zxhY_BdA3z1UF7|Upu=|e&PZeY^o=;>F3>1k! 
zfXfp%y^e{BgfS75tfO}GzxGBV_HzC3|KAHC@5~grf87@20iDgAGdj({<0n7(NyxiW zoag0%7Y*Zd_q&te%*>HhYg0!6Ho@9x`|34%2G8mRIvJPLvZv9~`A;%psOX8!BL^5X zDh)FXuN1>OE|gu54N_ACxb)zIO;1Qrcc+~C!X!;gun9z`QL1sd@=eKB*K2r=23N$S8wOjFM5OcrRU2UZR2JaVAJWSiGcpZDUWZJ&qk^WDKVjdN-Y2TKfF%q~%s^77p3f zPPG|5M2~-{=7V_w(OP;y`i<0STLiW8YfWk^>&4uYg9yp?Hs^~5krW*2s4*CzguK4j zR1q=a{+4ZSR6^^$);>ql-o6pgME9Ma>tlCGOiDE>(9U?kHKrh648jnWk$J$ zXLmKLAuM)SO~?Cfqa)ll?Vk(MZt;!lTNoJn?S$`2H;pUQyp~Ug6`JSsuTr2t3>PZf z-I+M2MdHfUFIXwuW;#OQJoq!LN*Nz~U++13fqLlhE3OPx^?u3_FycYPRM_7#ObZUP zB|!MG4nzVGH^w@U12oWug-H+}lrw*j!D|4%jOLX28Nn0ULUSSh4Ot)&x;D4APp)l# zpYys^UAWX~ZIY}vI*_lqo6?S@$%#3={>u!ViyxCh(S7w8}2{AW1C{5`@d721Cr zj^5H}>qs?IJwgs|3j*^YuNO*zbja1f*O~Vwq+bIy?oY|sN_~bL3<+{29JGX60wYg& z5PHX-9K2DQ%B1VQJNCXloqK^XBCwoX`Knb=5&iTHX$gW?ftU)x7+%Y$#M9?tSoY}~ zP(O!u7~g<$%E}RSI&o@ksp&t&*K6Y=knAc1c`+bL|KQAKiSX)O5EYeL$dLcGY2=|Q z9`0$7a~C*t0OgLBTslBif~3%YV~95sW-E*MN5Yw0O#BH6fd^0oQZkZ~Z1*V2F39(k z!aCsbkokJVq`Z+w*?&ns1euxI9-fjifL`6(4qbL)ZkWkIIUx|;{>v8i?5W-}jN}&( z;S7rg<2$&Q(4X$lBf$rD7vjBfczG*W-zjVb@|p1;`P>sIgfEK8_3_66R)Vxi0!5#k+_u{rtCUNDIt3|zxovJYby z)`lLQ&U=&9m>{MJia?KV-|9K=oVIsDZekomK^(^j&pg~V5BZN&X1JsK^AK8r4HqIR z(1Ga^5L+V&OWo=2pt?Rk8|=AyB*%#7D|Dw!z*n<` z!i;r02q?fNe7XZk#iGRecRcwF=f~VG(DfTQ^SMHVDdYB&xW!C%n}^4{!T#DZ!tpxX z@;UCH!wXYJI3bYBr8ag<$fjOVh6BvDD$q-r641}GjXt^qiINvE?}s7H z#q2lBEv!)_r3#!_-DIa$K2-n;yE`o7dYs)IeyM)R9-2genyO?@fQi>OghtHrV=MT< z^}l#21x|pmNg(q#{wk%S`=Ch^Xa#~KW;A}9-OQX?fw_K31v_0|=XYEo>bV>PTbVxF z>QCr{z2oXn&Xh3esYbp6i20PfqH|g8`)7ED4c>BLp2Fi!Wxkh5Q#Y)vp>X^>|IXD> zfUM4heJx`%%Gd<`XXs+?==FVcU0-E1$3_)jN{ecvqX6JM1pvJ8Dcbc++C5jux|jw3 znxjh$$o)iZ!fPO+?VP^C@3Bc!qbQ(;2Gerk3z7s_jrW+vV%I7x;*~`W@3PmBHKg+? 
zV)YDlsWFQQu%jFZ+!e-^?#N_pJP7Cpf^c2PpN}oX$>;9nX90{ z^kr~QIO2NDabasp+kBz!$|nEx8#ImTAS9z23j`604jLduGmTMYvlBKAlbJ|qjvIxN z1>g#1G$IBXnOZ~-qkIb}8uIcYc}E9`uc!c2|pFZnnzDiB)VG8*6qx~cZC5a@&-flTya(C4GqfmbfG zj_;u{t9wGn%ObEP`*~yC;FC~C1z{xO z%XZ3lNp0-*d%)U5zbyTD`&A`Q{Z*b5?{kg*EZJ<|vYTV;j6&2`Xk540p#ty+p%ty6 z`^Z(rvv40?)HM9wow7$gY<@{U)kY3%K)k3BtaY@)ru0-f`wA(8rQ6YnF$+_|W@l1t z0S|i`wTw*xoh_5eZxr88ZYh?*mY4#MGnGW-A(W1??&_E%OcDh8!tg!r==zLgG|46g| z?@=-W0t>L>jONqW{PJzYEDEkfzuR&)J@CMHu)Y46FR#}BS)Er0SyB)B{Da5nHEs>* z*|`zeLC_76=w-@X9ZputuSSsP&|$cSn!fCliznfLD@%y*mNopO(Cpm_nR}>L9G(Y- z3MK1VEsGuc3zuuHB(f_hecOO!yw$cvPc{3|0%RrE7lO%E>!)adsdMyrZQqo;wqyxmEUZvgVjs@@pcU7iKv^Q;2nD$~9v$+#op@QR1c#9!(n%#Jl1IYB$6eqR}g< z9RLAyLPG>#LzG0L$j1zlQWgKXX1N1=?te)5MoX}0nF_=~V36ayVs>LTYT0uBYVm8N z%yl{89!Pmbxv_gLOiz)G765%KykB@w`*!MI#zE&4^mx@kjNag6)eS2p$cL>mci=V$ zt4n}U*=k1V8DkX6-*tF|a-XYBe$fSSjxEdcKF+ILMPIrA#ZDsBct@JaFn#r=z1L}SeIxYYJYy!7@Dr%Q{@Lrwk{&L%9l; z?*_jx`_=c(jMd;AB!nUWlrm3}01aAK<%M_;gbuw6hmtfa6m6#SF@dj@8wdk0TU{M? zl@Fbn7$2%>f8dHXx8L5e_8M$-`Jk>IQ!z5f-(}Q4cU_*?39xZ6@m4&BDTxZ#(MDZ* zIz1-QI%S2_@J<}&^jS3AwLhN>UuJSftl|sNj8wAx@KcTEk zbUW3)+!8XdR~-!vTRV?~R#j!ynY%nYU2qz1t@v?&5C{0U-rpE&<>FmJIaeUf#`5){ zwI%0SdbHRv&hB*6{^d4T^4pb3+fr?huNR*N5!Nbe2U7PO03`D~&c@4-9h4|rD7BYY ziBZ%mrTFy0B3`*z9Ebs_aua;^zt2=~!R_xr3%LZ#9P!R^ucy!4g}D&E5o?uQD_aft z>D{`63sEyTu&{{`C8y$GvvTUGXy1@wtKX z)r`iDG0WFgU>EVwP8su`Jpkog)t{lBprjlS5Cj3DwVsA%AS4w(U3T-zM*Cq!^d$$k z-pwYBUHngrLGeYGia)!2z)6n7 zD!pI3pp}8U$cCQVbX@pb_rP}@A9wtTGCT4f*On)w(FOo$RPrnMMftU3_Q;(B3*K6X z$pkNz`8Jv&=Qmp-&1$abc4J}zU{d^;g+d9fzthGw0FsW#0Btf$c84fTv=mIr)(hva zM&X5YDHJXo6aqDhH~P0m32EPB7(nwR2w_YuifYbra4+y$iFb%D`mN=2Eejg8AQvel z2|1ojGnnSIxni<(mAkerthG)BE1t!m>m^xnoGGKLO&M}%93_)hYisvdH0C|o$ew<* z7^t4-MLH2LuXbk9PNY5{;U#Tg;q0ei;crX-iE4h&9eMx#Ic*5qHI#IhIx;%f!}e6&Rtm&^2cd655(5HTN<;hSFrtrL4KErV@xRXQU_+waqg!MBJSXlriaaSK;OA%)Y7M=~D7ObCanpng8-xRK-sv_T=-!_rWo##tqDQ z%OjYLg?8NONt|o084VzhPHDz=nOo@8{vUcu<7@5;kD8B5q@AOes)`sf;pFjos@NY` 
z!3M+E4mOE^l-B>F&%^^0Q>aAD0V?7>_iuZAkfsFoWQJXfvisnA|VLU^GNWN&IYt6cw`0*XU?w@o6$z$@l^fWj%49*F}6*f@7b* zNw3HyXh+FP!sAU~0MD$4alG05vUjkiX{r>vl%zHBsrVGR(%bDBG#RFuWm2GP7$G5u zGY5T(n0SKh>#lJ1YNB;~m|p4F_4*T>cI4_br&D3);}Er0YA4LN_9I-G7ESm3Q-UuI zqDe6iV*<#8`k+&jI`1TsdLyPTpamaB*a?uS3iSw!lGrl_?g@^VpCoJa3e7#C>g5Bd z(DEe=<|4=5-L|4ddv(1J1WuO-f(8pI9s2HNU@;t zQt@Fnj2m;wIEx#;UZdFbGiy5XAx~a?$wGh-b6uksQy*3U!y?xsNXrjFfpY?p_UQS* zYVC|b^Ydqx)5rF$`@8u^_a4mkI3rDEz5?<-Bh5ekC?4gs1%RzMaD9A~emW9>c0gWH zX;$byXcdo>Uf4iw*54#RCA*>K^vOVNBTxnF68mZ!8N5krE*!W|#FV+~o-1B_)@FEc zyh`OQp@uHwUwzf%E^mQXa?p?nKBNuQPTVl2`c8b8x3 zz&%<<$~76rvLfz;DB+~78R5mUKj#d-gLR4Zn55lw3QI`S|t2qdm1RLwxam)QYk=F1kcav8HMqCNG%B z&Ef_OTi@!HZ|hGu1dsXPTrbXrkR#hy`GJ?0-J}e(s3R%H&?Bi||M`i}%%6fr29g`i zBu(UQ@fnHnW}gm@s*1`|8oB{B7w6M+HXF^hf=ec&xb7}nCsb%GBY&+avTqd;R{)DQX*vDC6%+A*Dh+xR5)W( zk4uJ#`1jg+UVc6j$iH4TEdv=jPFIkmA6QDBX`v(OcXU1YGHV``LbPWAcK+)2JXA!* zMP=ph!Z*NA?|it=L8;~aj4#yPt?#V0#$QvBu~>pij$!>AQF1nM=aQF#{$li^5X=~^ z5uLzrwQt<)JOki59#JR^c#>weMe}Y>f6Wu{Jhwcx4s?IU*AKPi<8^stfYyN^nKzWC zp~(nICLkmuQba*WAOeTHV`cB5*R`0LV^pTIhke4jxEDtW;n{6p=rUb6^Y3)pw=Ip+ zJ#3iuUi`%_1#CI>62|Z@XdrXTJ#COTH}eK~&sm5u!E$1!&){XQ=i_Ic3mn9X+4M1lr zFR2p3g5<-1`YSm|G*S#o$Ein!s_-{C1hUG0C=>~mj-O+ifYGG^l!4o;Ut49Q~e5 z>wV9e6q8F`h|OK$oD#G1G#{=%FD^EOYd~X(=R{3%nNL5a`##?ny+RM85PI%W{16>4 zN3r}LV#WlUL;jxZ`%%y~cRE;691-#~B4UG16y;ApB@6|r{J3(G6BlLnOt@|$|Gu=| zSm+`dj3z-)U$s;AgdXf^TOY zV(*hB`wq40PR+#IX-`YXas-TM?go#wps8$}lI0(MM0SdSIV1Cxz71Wz=^oE(k$or9 zTKBO$Wx)c>1l*3Vnb0)@6_CHYPihJZB{-gc4J;w*FwSy}!0yyLUyWFLZ7%SiJ9`JC zUo|%)r$Vo8SR>XDqC3OYXEUOvtay7k!Q1IT0YFPBRXV3z6Pz<+(Kg5oaQ1@mcmg= z1I^1mD`l2gF<~T#G8&qwWqJb2qJN3cZFoN(d*Xo^`Ztv5WyfFG7#Cl%YaU)ZqYZG? 
z;)Biz&HeNqp!Be>%{?IcTC=e(Y+HPHpp$E*3-sTDLyRZo*yh7WtRdS@o*^U#ezQ$G z{fC|T^+V)>DVJ_4_vJDj+{@xUm6U(D!mk}FGB!C+6m%1uK0x>JY`b9UmJ9v=_5==A zj_-o0*&b)6aY&+K{kT&y2l_S}#+-q`*@eoMf9ZEtKO=;=Suc zz4I#WCBiSlVPTz#1y4pVmp8(7Z-EWVu}UQ!>k86L4V>r1v8@fSv`1nWw3Rlmv_4{o zLKN=l2~8y)x}1`cFS>;=Fuew$gb8G@v3^xFC2ee`Qb&M01Nh+Dzu#T|Gb_>AXdi|G z;XH#uUHY0G{8xr~t#I|4nL<{lGNShIbHwP<&4mp;4*b~Bh@(=ftYYd=LGPC&!RJeD z`wt()SVQy$tOExTKGe)4+i~j*F4rrY@1Fy@_X=bVZhA6`4-d}pS>zmJw{+ycC3j<7 z?zh1~zkj6u=!$8QR$10}GceL{N$GO#=(@X83v$oVQZQm@@!-boC+d`XS7<|OfC#y@ zoSN<;As&>h8`vw(>CEfiN2GOT`ij_A*5FAl{*H!Bs(WX~g>q6yCu;mqX8eeNC4^m& zTl}ysbtzneH10bE#XEZHR%a9!KEz}n)HAvSV5$K&$8ipIDjkjbN(a;MA{4h4Q5ft# z26Ri4$ec8mU>gqzkHgq}`gf9TE%%i+L->62!P*^$`Rp`dWQC^!sycLBw`1LNG75BD zl@4C)1(%O1OGhqMg+>sfSqukzXN;PU~ZHYm?}Af^}qe>!$nqwiG}&Y)RJ8!7W= zIK*}LwT!z|0UXr-g9PefZ<+(G0{4)f&R{l=`~H=Bg~OEv@)xbI&?JL?YfGMJ<3-I+ zO#8VMtR?^9M$W}k_ZB4F>(uV(h(ei>JqkYbQpkL(M_!SAy4bWdUFYP%9S|Mcam6;X zl_b%d_1+-}o;Mes_6ZEs%U42LHUhAwt^EZb^P9zu@j79?y*_i{nvEF25*_qeZ#CKg znUHIM;7Z1KQMH`FCB=o<2kIq{2?Nd+vs8&TE|eA-MuCtvVx=(IZ+^Ax6b~guU$33+ zywtr?RFO2lv$dI#qux$^l8u5^ME0c@X9eD=?IJxh!mS5#zSo-{*NV6Pn?2o?`(SRv zk$p~J{>Z|DNJIa9c|v*OU?zqLLGm+;0PnBZa5SX^)o;3h(`b{Uk;_(-P>@o$bA0h_o{EV-TAsHctS#0x#f=OuHpQ5Z zp~-hawKK;RD{vl*0LYtCrlgPaU)~gr=O7JlM*Zcbs|UVL7`|(R8LOd4TFhp*EG%n4 z`x}EyubaF6b9t@tYo}sl2uHo2*S^-!7L|pX5Og`iF$_H?i&6a-RW(syX3krEK%r9O z`l!l1jo@eQ&5gGq4 z!HI{c{zK3O1UIi1!9BdZ81^lEB&}d~Su0Nh%h1f-gQCz=e6w6T+PpK(0wMmKUH+<0Lj@b}7u}4DmFUSYZTL&752i0&Vlg^0_$kvPT z!+?;2#i9H@k;77D<$4@cP5>EL^4}bcOVZ>e(*|sbQ~jy-C+%TXUaiAw?U$!3qZVcm zGiJq+bocai`YevdVYClMX*Ployh1wBh&KGET{{!krjx1dbqb?GbPQ=I{=-6Bt&?@~SlSiQ+x6?Y9H_yGbQ0B=VuJ)z9}bBP+IyXzBJb*(LWDj>_Dv1X@HFL^j< z=MS<~PuL#5VcI$L_@(>fPLvx(iF3L)mSRtNoKk$c4dK4GN3>6^6kk|nIwE&nAQR>Vr%OJbDGTrn&d-;+kA!CT|m=)JYz8G;3-TpcGI7rWNeg@(O{OBN7r_IW}= z0CWwX&1=^e+IXVPQbGG>#*7$Qd*XT>ucu}4A$5TP1 zs-#zFiq+!3sSotO-35b7h8h#cm`G=|{4z8$T&_m|^+mfT0!3sQ?XXC_QyC*tHGLrQQ%4WjZBn4}&Dv zy&{?@fa1jrn(|VJ8u5B7{q8~NaJIgGZ0+4Mrj8mIR_tmY 
zE$Yv4g>iGEr6ae-3gu@G#b-)Eu|1XVSJ+)Hk`N?gPI=;d9IWuY{@!?BsXzhFc?sbcFn#fU$opEJ) z<_&@B7$=fo)z^6ovnK0cSBoOZL_9wEPxk1I4_`3w*%FH;dz<);m)(hXfAW=;uvL7( zn6t}AYc?MW<#N){_{a%E!x`~0m#_Y0@k>Y%A4aepo+ftocj5vt(HG6D&(&rv#2JMV z~x_ixNzAq2bOJs(6MFI(Us8)LRb3gyQaG_m!wY@#o>z0=1 z!=-&a>f@$*`*}ZS;V(Kt9~V1_MB4aHnWW0@hf*dZfTHVY`S5gDDVvn?%-2iNg`Y8A zigmOIdt9|FBB)P8kT=(LvlYe@PEXtl$I=azG!k=HpO&&#SXA=#hz?$qQVnZVmXcJZ zy;a=+bD`=>lygn9!X4qq{^ExZc<84a!*6x79q6@1((YsYv%?A2&u)cInTRJ);fIPb z^se{y{<%#gS{{612q`j-Uq}`SSej4*lGxxZ7;@+gsS!Oeo;3Ph(qQ)Ief5HrsN`^# zz6tf^an<%_;{~gU151wULbAu6?99}2HFF6=2FUfYwVdi7rih*H?ZkuW&O}n?#Gzh2~_xcs}jU#;`f6E`3_+s5ZBy#NHB~gPWT7AT6w5KRqRwx6vgjRtMDaoxK2REJ}`<31sq5${;V48B7PqI4soE_|-YJy{e( zr~2PoM9{&oi|^-*^FB>Dm1G40lpv8aP z3{X6Z7o|r+#TjQ#uDaXWPb2w1%T6eDGAv4E4BDPX^eXVpwVyatnM>l1;4SMXFhm~C zn{gfor8wm_U-L@a?a*xXuFif)=YfL7U?$$@h>YSagep&TbL@;KgyrmLI817f+}V!w ztELg;Z^N;k1M&w*IuJClT(C#9&3A-T0IC?@V;A-V>w``cyibnpTw3rJxs{}dt zuRcciWC3IK-^0&j6J98J}6&OiS}2 z#Wm>X+DpPf3wR9d^C7C)_r!W-%|qD13Fj5V8n1)ci!TO%B| zG=&(u%flwKOuX=dO-`$skU?Q{N5SAVyQXPEW4S^BX({;x1Qo)f+2sGV2`4yTCR-~D zgmc{r%1&g_apvCIiuNcOlgow;=JB90>9#zU9`}pkG5oyOi^@rh4jw@+@;AqDLc>*C z2K;N#Gc&j=r8~j3TC04tPmHpfhjw$AS=8@OcsMi}8D>TPV+su0z_JtW=K?f8O~l`3P|xKo zzkf|#A{8{bJ2bMJ4OL$KHLc$sVz5CY+OUrTDH=lBzdeC|{yYyj{*h0m6 z?(JdgesLIS!AhyYgmrr9nBL*H5&W9h=vL}4D=s}4SE7h!jz?K0KjIf?qWY5#jrsb7 zPX1#?zGLWV=jIg|+W-6%^RzGD(6hxAS&3OoOa`?AaOI3g=JkDIy??GGl4n0~78P}j zUp0tYLS;bC5%;kmo@$7yr_d(aO(#b>=Hbwo8Rc_jthkjZ#b41oMhxyTD%A97Soy{l ztowRadA{-H=GaUC9ud8sh0Yda0748uVG?b2|3oP2n1>>JRnodL+{BcdKOfgm`jOx3QP zqJXr7Z0*jV=?oV|yMCkb*X6M3y#HhBo8$WMzW>+KvTGTuW!tuvUCXv@+xF5cE!(bT zHs*`+X+uqD2NV7G-u(1RzxfAa= z_=9#y6{s4Pr~57o`bLP52lVjeqwyq=zr2^;Wyr@v19}OC8ACamM-!gXBz#asCxc?j z?KL{gK<-aQ>Dj?B&h@rL;9VrrF$aB~D!+o}xqW5v9Q2h_7OV}H&Yo+~(+W(pYj^~| z^(L6iXDO*tmn|@ii?Ydg($aWUou8K*vsKCeH1#nRf21MaHd5NAU3(zAe4hUgXMPPi za`e!w+(L27%nPX@juhNQBg}ZdN-GI8*-bLcu!RTj`t{$MZ||xa4AKqvwe-O8jV-6= 
zQr&O?p6UJDwIf@K?(M7HgklBI)+OCc8o4T2NAlOhIHoSq98YEoZZ*@GlfA}uD~kFMW`DP6ddZ;DQLnR1?26+vGcJW+gUw#ynJjWl&Ef6lP#)U= z1J3i(5s|ecr0kf({46#zjW0@yZbo3_4_?&u1*SXaC)@4=5F$o8jFc14i|RNIbpOeR zP9yrjKph)TZXfwH@wFL7z{j5l8wI|aC1_JCeo~F%$f%~i3m6rB{O^zRh-G5?#&CVP zZuR5t#uT=1(yDyqR5EwevGL?Zn{-ra=JDqlCZ!Q{_sZmRMKlp8g%!EJSZgnZ`e z-Mh@PJ_93$cmhieNkmoZ3jvtdshHIZYqkmkeMaFjsaO9#*KSC-vxjEu7RqKON8}1c zgt@Y)Qg?T^q$*M&$(Hz`gdm)jj*F3fZy)Es`-uX*c)OooPQ~%2g;M7wF6-8OQ4uxb z$rnX#%Wq$VWE@)tdLBUHV(J!Octi7a5aFdSf4Un$zRjS~W?)9*$vWLHtUKj-Bs1xC z9%ymjTZ=xrOs+Uft7PSzQME0HceG~F&n%z)OJ9GO`5QZxZlS2-iWeKM4>9Wx0^x-$|_sTE=PEGWvrej~W zR}GlfWJK6l`tFB3o)*<{|LXOyM&%-ZsY0<3**tYHTg6@~2||8jA_{hrBC;GO#gZ22i;a(U3%J9{w2dkK5zJD zk4#$1s+ycI@JXSIHNPZMl#YSf%x1yMm`)?h5B^Pf8BfZN7QP$f8vLxGH(2<-VXGRT z)aO@xt+pQowPmPSO$Rv4lYwcV_$6NRQ8UX=KoV!z*2FO2s}oC15m-R?X4|(SO?Cqt zKTxCdQJz{+9bR#%6zx#!L93E(QpLx_)my#O0DXlCRUfKlnUiOK(vnbHPD!UvUHumEV1 zojm9Q@4*!&o7CDOp8_>y`n9_zjKEfS6njm1pVDvd9McPcph)ofCi1Hez&NracOqVz zw=^$PfZWi48DHSvXySyO=r3-;TXEMy&F04;M|3P#ai;j9NY+5fJ#q@=;odysdUM;; zFh3?b&2!Tbe-SZiW!2RBy`BvmcQns`Hw~9Y2Fk`(f-gjY;&jdm@sqM^2~51&FNQHe zgAX&i)Sc~ zEMdseIyOyjOy{}FUl~>0BwQA_$O(FATbTsI5FQVDyBJr0~pm)tJ{1&mW|7ciA@W%c^eBb#sm<&SJK;n92W*0?EH*FME0 z3Z=3dEQEE*vSw$T(8*=qup4(FEWC06EeC?$hO{kK_R`o6b&s`5!?uk= zcYudwCje*ep%q#ugq`jOZ*F?w(q7QM?u!q5ymZs0q_nha;(P1sIM`_GWkzQ#-df9% zGUpFA30eKx71v!!JPxL+s?=f+6u7gPr2~`}fX90u0d__f+S=lt4rDY9gsd15#Eb z`n%ylW=U!R&EnUq?%2*{#-!wQ{X#Y zbL@x$Z**M>s_vx%NCDisnY5Okv#_J$(k7Nm!fmu4!X0vt?ClZ-pA|o_+V5Pq`*Pp3 zWz=T3n}qT(>FS;KDk;oJ>*cN6)SE!#{`!wIzS5*Y+fFKqg%l3w?W$=u+R5P=QK8z7 zR@0HI?Sv7>#~W=H7A!K^PNKepl$2dQCbV|4dj#DyV~QWew*jW|j!pG3W9uJK(z^~6 zZ>(<8o^GI$+nZ`t$ubtj&%4$iJ{)SzKk&DVO&LaO&btPbx72_2Tf*FS6Q3wY=$G`L z+j*--;Ku3g(N{@pu@BOjP?Wj)>9|lF?_aLY##fOrKPHe#+>A*QK`-*Q2KHUIg&5?Z!005DhY-Xu3hOGm`-y2UsaJuP^(+J2(~IhlnSaCtB4*7+ z%#MMS?IIjK+i+TQhp2O(Kz-ovqVY5ibc_C$s%sn)sa=Ed9M$cnF;vMd5IA1hvfe*y zI-?+H=~>SP_vf;gIA~;GY;D!WLZ-WmufJ>>nz>5-6o_gv`Qy#rLMl}s82+pIsXfEK-YW?6}Wc#-NNe-K~Y 
zGei@J4rieZ3GXr9a-2A+A9*i#a{RTnvF4OQ)3TOYk_x3*hk^^S@hQYC+}Vb=;7IS>$#*_+cw4Yum~C@VCDk4P{1CF|#KGM=xFJ!|Q&k8_C0 z)4Bh{_E4g*+YTGx+YXBObHB9!^!$hkacAibXN5lq%G+l<9QS-KaF1a=rb&WigXw#Tg?s(#tNT{>>lXPm&x+HGuSt4yTiG|+O2bn5AoL} zt9S@^ocBFu-lw;7?8niY>bG=Md>adI5clp|lkI-8HhF3{t?Irj{fGd~E4o29;|f$lQpKt(5Gp3B15E>bDZuqDE-ltPiR{ zYm+3dLR@>N|zhT!3L{+CSVIol5*R!p{ng zj+ZKqAT;ck^Qheu;yluOzz~WO)*)ac+#!J02t1E93@v0AU70}rBjr<$)V1;GCp+ZD zx&x*A{0t)(*Gh0N!8o=dU*>eGRZd{r36{_$!zk>FGof&P{vOz!u ziKCi($q|OQ3C$_iraIrdrKI2UMW^$KML+M`mAV#5Wt?2m8xxXDoDp4v-o|QL<98vG z>iL5Gx{+X3diRuAZ*+mj_+2wl6b_14F1x%-Q1rh@8@g2OTThPQffu7`-dk1@3lA>5 zG*$|%JjQKbIF0GP*QyT5cn}mo2QgY!GB_bjjTDv*F-1}s7R!qeDv9Yy*pwy-aj%m1 zyZ3C-Imvf}(I$3tCl6Za=H6f~b(HUHAh_aCl2qQgYgO)XEZWX%L0BTt5wkbz@9+Ve zjJ$OB`!mnMhx3x5^hg&jzgQ#%f5Aw$G-~xf6sC$u)x8jXXlZFO`y8Y{ z>8Bm?-Z~r5EznVgbSLXj~!Y`dJ$wSBuW&32*XX?V@1McmTUTDY*Q&cwIG z-%p(BhuOkdxaNtbF4*VC=hNTC2wOa`LY0F;xEoWfhuSvS+0>qYuarfmwtlhk;dt~5 z?+UB++&3x>>3$$b8utqKprPF(N2=D*CzW~OfM%LcJ3_~zgp|)Ig^S6x0px(dlp836!H?Ziocl!p1};HB8?f zVO>+Yg=F@W&}zye!iul;*D6P6!-zDCgWq+uG7sXRFfH<7+rsd8$uCjndR6wx>V`{B z?gPK&@;yU#Ti!Aypybb0=&_Q;E$zW^A;v~5i>5VX1;`C(`#A#JX>Z)^CabI;oUb`i z8?1<`cVJT)18@WIi$t22BEZzq7vs{^zk!Wsl=8O*;77)u)lLhr^OO|5+qU9bLSl#A zL}Sp};8g3aek9JrE*a3fO5!*Jp$^+HHNU=glQ_P!tllN4xYjk1I51o~Yk$=0Qb<31 zD4x0w(t2Uat0CTb&P;z5{-b%WP(|8&gKYC@_L9(B`wldy{XK@ksi6DAMnEJM^J(dL zQeAHTe|Z!Auj(Bh48dGO$J^D}PC}}#4<*MCQAhhk0-_k;M58MSj2lHHFw;K`?6mM| z-gd1WG($=Z@!jI!_$S!szEL!8u~Dae5MDB~{D7*y&Y`5G&Kp~a(Gk#;(*^$qHAble z+IkbsAQ3o}hW$k%roS%Cq>%YTPHB4VT7-9q)i{pR5M=@N_e1094lHaP3lJncBw~h{@n)siu+_G(fZ-{GZBNjS}(RYF4)V4?k4)D%sK zO2Yi0lGH9V%TRdOWBlp~aEn41bAW?U{ZA_D5CSYFg##@Vt)0xXsrB>KY0Q*p^p}H5 zneFP|CarsgHWUEVue{nY3Z@F$<^xxjT5HW%=4U39U5@Jgt#B@4t)nQst0gLK2$G|Z z6d))UI*)3Sz9dDPFBEfDtG!sjVgL1LpBR}e^hbEvFYjdgytwHeW#3x*JkHQ*jlj@* zYL=rTnbnPH7}IUld>gw*+&Hb_lerJgxX|rpP3Ngl{+FMb#xI`D3kS>=uNE(S2DJ4( zoKRw9mP5fO)iph(sKKiB&gUvGAi=&)yA!|Ta(|SME3ac1T^!ztXF0#myIjV4VmRO zy#`_MpWM~Z7Hr@OBgiq|`Vt3H*sI#?#cO&>==c-Am#Dk%%g}?u2gXXorA7sTz^brU 
zr{c}MR=50)vd0SFm=4cZo=zC&BiMu|!JMOvv%9B*GwiB1&Xo=k%6)6CZM)nKM{*0DKv&4zAJE5Cjz1f8VaHx zZZ({$H6#IwBYn374%ARRer9h|&t=m14?=KrKC@81RZ%!)ZwCXNJbk!6!A^s^E!Lue-Fl13XKyH~z(1!W-r?au~z#L3J5G7NzWTDC}hMD8e4BpJhOzayH48kG-E0 zVY;N4B`L+66bmsiJ_&Cyh`;ND!eSSK_y}5x__tHbqt1RVBFigSgwb>ufl9nu=RZD6 zSe~=m;0u}3KG#_Q2C+&PRhtCGPL=cB#SiCC3^Q+|{vJ7XaXEQ92QKr#9g@r6qrw1T zxWB_Rf#j(VlP@|ypVwU(+d@w}L`5em`-p$E>@^{%KCpfvx$!@Cj<$3b~j z26{CwH+Zub$Y2|Y>o)uR&^6YG!nNgkizD^r>j`{~w%MUGfPb)lqeZne|uFT?1t2fJYT`O&2j6YCV znjVBhMk=C$`My?qO{5GKI^e+@+4>WH1Rx@XKcDpuB|{GoYKty}>x$kq)pT|_cY(V4 zZNm>!1oOtdN1$=t&5t}WV$tJm1{rr^f4(>c&>>JaPD!l#F_O#%$!4C9I6M$>`;0AQ z^*)eLt~!K-U?yAYdr*Xsn)MRE=13f)5#>KgV;c4hYK=_5RB#8H|8xFxr|^E%7-C-M zPANU1PI=xiN^S@yPFxjTAnH#!^%@HCCpt=bwl9n*;50hI?@5`w&x0yk;lnB=tH(n8 zOfS>X-5DrBW}mvUSDJXyCH5A$PQ8%ElyTO#C6?M8$eb<7S5JGa`mL`M*2XU5ka;TK ze$~sgA!RQs(DnYb<)&a(PS+iu%l}(X(9<4+R~LO|bRyfit#Y~(_uYGje$7a-U#WyX zR|3sc?wld?Gg$IZx~)s#d7h6cIX2m%{1v%#M5+A00)se6z|8MFfFgkPusGZ-8k9V(N35xI#=u#Tak z6olD^G-$0@iEg%eg8~eVh3N-1PbM2!?kCMH32qQ<;a|#4e`yY56Wnp2Rgqg#Th}1g*Im_Ktz1=wllCF%lc( z+j0rF6a_Pg2C;sH5v94eV<@qf^ps~fP#;lSaCaH6c?FeE?G^!%` zsP~T+HsEJM8#yV3CB#{mnp2Ksm0xoL z;y$Rd>je`I9%8>}TGJ7G1VLgaH_&dG9<8Twa;pLti^b3{Ts8CElBUx_j_R*9HRWP9 zh=5Vj7bvFih_yTDts#)u?!^(t^e3<_+>|?HDjohor-4PI_>Trj>`zKt;m}HNOc`z~ zQOuFTGI}d=q||k`3N1F#ytixwcaVsX9l+ExnE`8mX2TNnHZNF3sYI@P$6duevb zR~W+%6_w{$Bbh|fJr^v+sghl)RlT)lHQ`Uy-C{N|x%$;zMI-USntHsOj|ue=dG0Sm>fye2T`uXm_UOAhvIXP#Mb z(b|Sf#--tXAl-6n`dVU;m5FDs1>DDPZo&=WT8`d!M8GEm&B(iZso`I~oyI4mU9)r^ zGA}=yc^$r?bovOX(^Cpvm~GaR@>F*j1DjNQ}@Iv^eP|><+p=Su6b?=LZX#Kz)eMrz6ToiFo_?)uolC?>cEXxuK zoa&ES@tWqD*^~OB;jOAgG!I5#t_@z`Lh0~)CMg6e+!*?b;Plt2;OAMEPwN%avCv|{ zE%Eqz?dUY{1zCQU<%}9QVSf+|)Dx`j{=U!;?w*<0C-;zh%lsGB$9%^}OfeyE=ism7 z;W6GxhG}lOnu>29PpT&l1_C8{5giZGDNFn~mdorC;JfclzxnT&hlDzx@%8G68Yz?80Cpa#O@n1(9uYQTjm}zgdKB}9; zkib9$S687J+p8c0zay-Fx-A8=xqmyaSp>jpCKzWHt#LI%AxWtt2IpXPW`0h1Gs}k@X1AP%n^e)tlQ#O zbzvcmv@jL?u5t)h=9xk)%jMQf&BZSQxQ!HXZe%QnDdk~8e+nCBY=bB+^@=coz)Z9z 
zW3_p14~t}Te?w(=HO`yuOpSYdySD4|oN%f-+MFoTM#q`#$_hex8&rRfr3+p$BzQ2dE+l1a-ePmcehaQMFRQ2*#^k1Xt*P(b`o1hWa;?>A*hW z_Z4H-PrfbILA-Y0AP(RMCsc@=l2td8B$^+Pa##ufgHcY{nIw{EB_N!k1Zknsw4My* zk6pH##?1RQVvCa7_~eI6dIMUzhGAH6>-f1k=3yU*VKb5AtCvIYA`d}i#a>K&BzCJy zM2Xz=fDBFvXg2aC)v8xT*4{|HYeUgA_$SY>Oo*vpG0;-q=z(QYF_vI{nrDHt`vOl9 zcXC+HgSC3qtexD+QGV%BePUNIlH@dLKH;#RN9Y#=hLI`{Dhy6IWD!cvk@l7bD=1+k zE=*0My2l$yV}9j5%=wHNMv;aY z?c!#LoGjey*$=b9IPU+sJI(#qjUYZU(O@80w@c$^jCUOT*_xnVnuemk!0iiWbQ$;< zzz0-q;7!Oo{Om9b*Zy&n8mr85=#f@DK?Iout`Z+=a*9nM=Gh!nFv z9-lo~Cu~*{7gl?8a#HlXd*W<&5?t$EQ^J5*uElDG%)&%+wa9|L192^v2-$3pBlX>E0k2t-G?ZKc}w5r)H~3l+cTC z%-8$FS6SL#-pxC|vk%*A2B3S%H}%b0)(v{J*}EP1fmg%#d3zqy+#l|{Ss~Z=bgB1lw)T-aAm#_a(VR(m&dd&nOIa6W9UVQXv$sCt z_18eU!tLR|>VMfTZ{VFOzv5MV*qXQWf9vsVk*opo+Y^_+*FRNEdiiHY$!9B#r|2HiA45=v7tM0<>dDJde@P^8eJ$wH%|nEDyf(|m0< zjdb^4x?B_{+K}&W-QK1NoE~Oect69pw%922$rtb_^whc*IeJ-A6~PB#a9VF)l|9>r z<<_{b5GAYx18F@7mR{PX&7PXo9-M1;9DBF-umiKhFmFwD*n(du9ph4V6Pgd@;(md! ztf`NS!!UEIl#sjb{UAI=#M|TJ#$Lfq!`<`wQ_%#>{p1`Rf(RN>{yN=s*t4$l%9irn zjydKBmzuqPt)!ye zjQ7?W;rwHpT_tnkRL#rCX-lGcT}@lsa&uyT0bV%X@0wtHZadPjn`EyZDAaNMmj~PZ zudrusOV@7e51nk;Tk1Z$YDRTK2=fh@FD~N`?L5yB#SQe2&QH5d)3;N5oGze=tUL?w z^tJBg850{X;a+?X8#qqoTMUQS57#q6l_RqgxbZr$UJ%DrXC2odbyk=Lq$~5S$1ELi z2zr}X%!7{J+1hv27!fW%pL?o2Cf6W8UkF#$339SYCuF}6tgjSdT5m@~+CAJ%=$J3W zUxE~I!$z9eTugY`9O2$Zbx2&D{5r-!W|T{k0Df2 zM&UAndsi7x-TV{kc9S{G0M^o(EHkN~sc*Q&6Lm$v3o}~vi)XRW+^hCAwxVMf-d4}~ z5M<4_iB^8Z%$%YYBhS-Yxx8iT4{xKnvwO3AAsb`8R*inZ;O>5IGrJaF(zb4XKHpfj z*5TwG2?sED#M72duLwp>_dGWrv_pRdW%pC3=|Pf3jE>IF3OONma`M3Wg9UHE$H}lR zjzhLm`=uzw1HHb?LX%+qAK%VH;{vd9dS_sVi8`KVQj9MZv`$WIh$4;NN|3k#*Gm&B<$SHhaFjVmY!CRffugkTrbMNh_S-Ko_DL4q9glK^jG71!UE5$RIdPrP z2x$N*Az6W`}N`4JSL__ zG7SNZqYx~~J1M94 zZ_FRHuG?E~sZTOzg%lKdXoK$exS4i7!=b&Bms*Joc9Zk3l^(1SZ2KE=h0>vzG0%cR z;n&=gh+CqLxIOv(L8`Le7EnZ;j0-!y5;U*LYrZ796=yln)#Nr%ts)W$artz`lXG`J zXLzT+c8zV`5$v}`q25S-XTGyYLonu~b)xG(i$lZ}CtV_m|2wx;#VmpIV)4GC@?}jW z>#^hY?&$R#S?A?q_|g1Vb;on?s|v=;rlb2tPcQ*HPex 
za});lUeEz5T`FP!ni#QOj@Kl?dTW@_@Gx6qscxmjwi%m@>N>cvswkokDyBGl-xvCK zycm!G8JqG(H+{(}*$wzC9_bEkF}4RU5XjE z((MV0T`c^6S*LY=i|=le3w!|9DWA~WrZ_x5;03GidTY!OFwEoboiX0ZdU^6;Vt&ou`#MAO2WgPzv+=9J{>QcDSf3rvM)|`hvpIZ|BgBDUY9p`350cT zsV(H2Hx->JtO;Crh=bRp%vJ)Z@69UR4Xr7as+8ku0yX(7=g-&bAtjn&w2hY=S|8W^ zJ~SkUId1~Hn0xk7ek#uTyqeAFf8$Nn2olFFqz}(;^vl@7lpN_a%tLlm{J{kyVejaN ziU9KN0LOWcGf|XTK+$g@>2#Q(n5ZS`I=ZzxpP?tg2=am3hd& zcB&rFOm)l8mpc-n*h5ulSsXBo06(^qlgv^GK*k0sDz)5>qtIu#Z&w+uY7KVXl`sX- z_UBSf&a-$fjN@plmB6^-= zGT{0IjgBFHSSYL+b8(-AA1r)5XK(}3w|wGEi0l^)K9<$Pw!^Z#R!o;L7Pc0 z^#@{BwyDbb`E z&jd{)yx9ynZ}8pw_^iudCSYY5gUvWcd8KvcCX}>p`{FNA^jVTC6zplw z=Xp@DdREJF7bUlN&R(-Gw%GSTYOhujPH8Fx*4nGu7hCvGPl*_%4}h=Cly71S)$A<) zEzH>;kFm~f3+NPHCMR5qa^zU^@y!blREqn_^b5KWkn*4e=SRZ`vz}-9Zk%;}eN8yq zicQiFBUeVhF6A@vDajmwwNAm~vudVyxS6k4)bih%hthn{mqmZkEGS{AZQ0Z}(^oaG z@)fP8C~|ghS{$@}W_J9-qT^Nng7xQx)9wSW=WBl9%zrNmfLN9snL!I2$(z}uy3X;^ z#Z4@eP?)EF8jc3FPyK;9|2_YIl@+0>2uuqH!psYb*0-4-^DbCh*;A0yAbFg`POIU}kwxw(`u(P+7iYQkRPS5djgmpt3Y|8;l1PJ}Oid#b`pogn)Aw zOkq6A9tu5O&ABog{}3e_gyF&RDKMm?g2p_ocW$C`$SIbg1r!&$)o74SE|}%gA}U2w zE3yx87{_1rN9)>4nO?+Hf8L_~yu9O4?!ciz8Tt38(Iss8wW|}m5zw6y{>R6RC-Chj_1nmirMp2 zV1(0KN6J7y<57wxVu;B6)bJKghTmfPgFnMckOvjfYv^Lli|C{n`xWk4b!ha3;*_-I ziADU!ZBD4(@yh2XKF)M4MNY{ZBUYC@db4vy&IPpzkWG=6dHi5EYw{PPe74`mXilP#ZdfAb>ne0 zCK@#2_iZJEWl6)8vlav zYkC*^-djKTJV(fsDJkhv0t&UhQ<>s3Wd=$#QpzUL?7U%bZvKkQFN*_xRz0tlkji-&4|61K|t2-U+L8Qh=X3h{gS$<4Z2iQ^?B$VOBN zSHk$Su*K{Z?(w?u8X-{Ld2r$FKi4lBK-XLLsAgaV3rDeM8f)wM5g1%?OL*KvWk=3lz7Q48yX_q)v3ibUfB6D2WIbiZSNv3!jk>|%Bx*Uto#6v&#=G> zH+x{QBbvy@Ta~3d6hhGg47_!&!m1$Hy18+aBTvYH|M2-f*lFZeix-%T*l2Wm&%vX^ zLR6A@xNN*SDz;cHDR+io<)vaN^1=5`zr6`&nt=nZ7AJrNOp-QfPeJm`RqugO{W!jJnz`b^&@(=44k z9*cHF#Z2TACY&dlQSovl+TpP=h&_n}jZl}kca3_~ul}Ve?H{ zArFGtE@b;P2_UV8Nzx<92C2~NTcO%_p3XrVsITt?E!^|@y%FU1Mo@!&o-I6faAD!u zP@$(+63e0Ak=7t-Fl&sn(opq}SrxrU18CTn(GHiY#}PxUrFJuTFH#M&$Tr-3)jmO8UQ92V6~t z*i+NF`GH>#&LSxvl68#&U>V82WHp=i4YT?G`lvnVf|F1td3e}NL8_47O6hvLlT^44}%_DfcGA%?N`xmM|z9_utgR0nzh9mMN 
zz>%*-M|5aB+3AI)WOfjyeNE=tZ2Rc0y3FZZ=L5))7H-6eC#;$C7gEt z@v4&-LCY7Les;O}e-8*+b~ zN?VzBD|J>|Kd+;N@$sIdbEqX1>-q9K$^(o=JH1>9*ZUx4eryULU;c{J8dR!0FmW|m z2U*PHZ;y=LEiMjCN+Or!xbxu`(mrN|`a8Bn(Z()Tt_cSyza@A&0!?JEu*lPaWFSqo zMoM$vNVpI6I)mCeFb&SFfA~-B8;TO*_ZB&VtC8jSOdL2h*QnKHhQ?shcoYO#GF~or ztNg7b+BPPI;#nKiq40g)6p9CO+RoPD6w7NI@6pUp3=Etk=1*^7(#GnrdhAuWg_d|w zYUmz+Q(rFJYy$ahoS13?E!duiE$STQQ7YHJ^ft`O4&8lr4!s2vHM}J&R&=VuslY4e zwsz6b2DMLsErMd54p3IgCse@^%Ai19;q-p8FMu1(J7Q<0*G8PhDPY?&b7Amnl$H3! zF^t>i?Q7gbQ;uOt{5eRusxW-EUHR_G@n&VbeeLth_VSL!*viA(wWv{$g>qBDD@oTD zk=@KFC$YBc%mMScs z;#zgoR~I_`kOik{)Rlxz)$pB?k!6R`deAsI;c5z~_B+Dl{v%JmLn*<)5d*XbLS?8O z?hc1d?{^7J4O~f2TsmaUJoF%7y8AS;#;dr>QHc&yHU(tqNEXbisD39I!tDMOt9fo~ z6NA=>4>~tX`sLWSL+!ZBPqwER-&XlXT_xDrZT4jv7vnQ})qz8%S99N@t{sn->y69G zg;x9}-dao?h1Lcn*O!X{%$kV`!a71GS_rY*UD=3+78^)clWwPUc$-f&8jsRV;le8* zZ+^9(-M=U*)pfkw`g(iKzDlAgYo)KAoE_-2!wbjV(;Mf(5*>{8`&~?2sVORHZ-U#( z_38G+1{i`8Kn6GV-rkPCk7%m__g))p`89MIC=8QVGC7xTO1VasTn<1c+CxWdJ|e=xyH{Gzw%!T2^#){ z4chW8GR~qFV^g@TJ{mePQoj`w9TVEmYJXeX*GW1Yxl~*|ZpvlyE5+SQkg!~>uwIs? zd`!SEN63Y}QK$bXa&vG^tqSE*Ap&IhAsjvWb-l*$5QE^mVi`{#?2);SQ2Qrh5EsLt zZZc}s{vJQq*u7A?b-Ce45{iecQ81swS!z|QE@dMNi4PkwA85$ci(2xbeD>GD!T7Fo z#xhwib$u)xG0orRIT@W6! 
zzgq3$dN6%=k?`AD|4rbR*(?$qM*X)ARig*)4GaUCO-+Vk;dtqzIL2gSwEZ~6=N@6) z_&NuVYRW-ql3}01mK#Y%^2qe6bRLBXy2;?#x^arHSNy2|kIG@3$ryGTa=tezlMNG~ zxnGe8Ve<&ZhQGp8O%9baozj@ARwe&}sH0Sp_6^RgJyY=A&EnKHWo@fe(nn91g=DF6 z(3?<}%r0eXfHj@euc3ZM7WazP6tP?ESz3dsu@z9`;mnom;9xwdlAhQ0_S;E)p6UAe z)Qnda_q+0K?8)FPg6)xR;#dBp04nNjWU^~YHq8(-bXT6}d^*Xag%q*!vqdT0;<8o0 z9drxB{z6oA1oGp!CAVhIwC)gi8|W`s9|I#7B?G7Zu;(J4(p5AQ>0R<)zmWuAL$0?D z^2z}O63?&K%M_Va;H)vH@&=3)W=X&=bYzr@DZIikE!ZWt8UYH*Z=cIIUHiiXep5vW z9R!M}xu(joEZfzCT*l zRBXrf+C=h99x)?YioiJ%bF+gU3mmU|AOVF$3NEj?RmWa;C3dJm)vp&U;$L|yl6Zkx zljl%v9-9S*NDxqzD+`8R2}V@X`6>5AFfNMyw%^B8R_-iVJQV5ww||dpaFDn7;@kez z0#R1aAGf?iE!t7sD${`?*?ZAWq_Wtl`E8LEpP(|%SU;Mbln`^q4>vCZoz91TR>ZAt zmCZR)0~Zc#6-6m3GyC`lewCsU5L6Y4`?d2{NXog{?~!PlcHrtc|<}>S>U%FG=mt`m_YH^ zpJnHs5JSBL$*L3-`uBb9#*E;(n@%uE8b1>;)8)Uh{K%1{SUEU7c9h@0r6nMgplV;P zK$v11xN!AX&m1l+NVJ~oF!P!k6SLK{hPP-t!QyD%5pbhIWbsdB2bg(xiCG%)sLWga zdCc_tS6kD^gWCurnL$8!r&7rW%z)~j6IU=v5VoBJM;OGp2J&&zc^x5HuI_ftOD74b-7G5Z6-Hl?cGrMeLr((>R~N#uB?!Cv#oV$r-}_Cw*owg5=fCYUB*FxJ?>jj^`gAN!?t~ z{npNKil>LCCB9S8S}g&F-3F?df|q1Fy!94)7s`^jbp#^d|H#_ou|WsM&*Rs)hmFgt zyyjV=%{~hx`l(BN0wQe!qRlf6bGoR~a@eG!jHgErEapSOJi zP-74sf~8>4UH=_}gBo^cXw`6MNYVMa)~22-^$?^m(8v?f#stLs5R^n~OD3@~J)o@E z1{KY^NX2)>mp8@$VL?$BiArIsP6q7?d}Kf7&Ct06*aUxibeW)xH~jVuFsd)}SMQY@ zGLvhj`b9J*FPBIa9zW;|T-rmchP|drQ$zjVlg_LMr>UJ)r>Oxrm)6JUe#vuFIiygX zeX(%WXnx5tu(AXb;G{g#6JZ?#eFe`$ZvF(6*(=04R5YihW;4zJJq|q?)(r1I7|=0CGlao~~iV5%!JW6D;lAL?r|2 zK8M!AgL6NJMt;L3;Oe8dnsw=NWHACoWYpCm=@yDmH|-2YsfzdYlgyS}Ly?uU1LOLJ z#2Vbo%_uOxdZ3jVhhz&!>$ge1uxu;*zS#9VdlQ7f4R9Kf(utLu)#n6@vqUD@wpfFxNt5 z3J5y*Iazv)ESqk|oE_TNF3iq>queSb?Kg!6Rh%o)5-CH0$xDd=n!bX->Bye9DoR9O z*=<>yEH~&{&SR&AUc*Tf1=%GA+ffyh{Qnf+ap+MTd)N565;c)!G@_}B+~Eb4lxl`; zcAz-cPpWJ15dcTX7TtLda_HG56_Mrpff9;?h%C>li7Ww}X~iM%+I)(N2%cYcMaSmG zww@JgAY9{HPm>GB6TYjvQe@W_KxXoO=GbS|5F%+RMsChT}CD*k5@HumOl=Y}Qy=dE~KyQ24ZMmDL zt2|062aN2O#4DCYc>I|N{awd=ZT1_`oMS&xDh-_u>t{%Q33k;~r-v;Q$A5UE(3i1y z5+ffZTxjVF@l@S;lZp^X_)(soE+%PNi2T@8vBdUaU*ZV55cz=`@f6wr5EwZeEXmZW 
zA<2}YGZS1!c|xI^NgvF3J`H4|gl=5$Q}?;D_u{<~HVKV;A}cx7Kn8jylOtr(Y^O&i z6GzV5w)HQsA303N^WtwmWjf#(2c8LMBoe`@ekR6yYke8i&95szpu0QQ-wfh8ZgkYJ z|3mIC?5%srm3h;qGH=>ckv8+cZC&Q2H+!%I01`3iI51+~%Cbrk(}04Lc4ng`bZ`b{ zo}(Ea9pAqSEb_6#=VMa~cfKtO^mdL6gIp8M6)-18!5zIyY9>+h);$(`7U|B6IMUx( zjv#+w>i;l6Ker-*d$JON0x;GTrx;%QJ5UJW%y~?Csk^3(vWQ$$okbDPU%~7*$~GLr zfTe~YYK?LDObS-)Y}TG++x^6G%*uBkPGA%#Ko*W^U~cA267Eyu1zCP)wDq_Wxw z+?;u zD#d^bIVwojvffrU!FZrh$u+jo-}g=m?mGw!A%PkKX8HBi_H{S#Hy*UvLR6hHKzliw zz^VoCmE)hWYzC#04=ITpem~*~Zc`<0dBFo0pmssS`bb1bJyut7Ydd|3Qy`@1ZcYX- zI=FWDiMLzSxi~YTnb=!f)b-k>@*Vh3u255$7~Qe&jW1-|I3GK1NS#o{6L2Q|xV zZf@^>0xic#^FeSVc745XF6CIH*x*_yxpxZAS(7vnYe&>8YvklN>%I@riRk>lYgyS+ z<%1Y$^9x!(T1JlG*%UDYKvs;GWJI37?t3*(GLbU;uzzcK{aE74UI_7O`F(J=57W8p ze(9O8cp2v4DuA_wr0hYMw!XKtpQ&1cz2bR5IcWWp&WOwi<)=zhB%|iuu>)iP+0&Lo zG$Rvm%@e9-rqTzqgEb^-Mtwobf_#pN?HGP(c<+72j;|6|_H zz@|jL(x7xz_YRk!9}BY&aMq7dMklM9a)<0iNI`10h9H7@&sQ>2JSHONd8Uh=`CsZJ zN5sf{GQ-GJbB7{Ft$>s97T#Wm`?#CKDk$)3r=GjfL%l-RNAp~C-g%rVJvYN7&P>Im z)^WmHnc{Ei+{=itn73mMXrSaHK>L*8(o)~b%2h-w1lazvqPZ_Cd#>!R zHk-K%r_n%PGmAITQ-+*f*b8NZ8)1$9pQ6)pt>?PRtrH=N#)T-FP3(B~(zb_FaI^O* z;nJ2P9h6yG%TOT9ia;9R=&cu>Si8(Mbg0(hmSiL9m%oz#Xpg zzn8wVuoPq5Nem+A#SDvl>F&?)yc8ueT=+{Q}ut)igL_z$V;yW%?QA+nicWZ^PKoZ@Q@T6%Ud051yF{?U8&?d04jO43RnmE4f zdQH&mo~+6AYY2AdC@R223W+Uv(v;t1I{1+oE?m$G0CFGrJzfFnlX`NyyuQ>Jewg7B zTBwvJ48hx%>BwD2@C0j>2nmLEc%xA)`u5`GK<0dpkI^(YfqO;Sn z4Qg`*>vm-)2u0qg4YtdB2~5xVj5PZtzH=clr$_;NLZhxyGA^wVu0TqwyQU)W)eH|( zK*|339^wjomZo1<>r>f1r+&V{A_JI8^7GOxV(Ik`@pTt2MY%Nob*PmeIS+< z6We7bi(Z-R=KH$LZu+pJ{Y+0pB^~XUoN+e}@O<#jiNKk}`zD0C>*_Y&Y!&jKOm3gs zDvvdfFi??VLMSug75GC&+6dR4f7PA=kGF(cyM%kMlkg(PPfUxC?H!B~c`78`JDyIK z%e=uHBmKm;5iruY=Jq|cY+v69hYfO7$tFW9BhQymt)qvf0_kf#U%=a3KlaGcBEdau;?!u5)C*>6GzWAf?HP|;qk8Qc>g3d<~fF)E0IQ3f#li!*Aa zJqNvSo2d~#8eV=K zmEFTII7kV@lYmy)nraID{j!dr9U}#kKK!gD^)BTd0he669T(|5S9h)k%qWO=DwKoP z-_<*rc`3bz@GaUCWQ#%{it=#C`$fw=9!^bc3MGOWq5bcA-2b|`&8Ql%%64=;^SiA_ zqLob%mclZN8{~GcE4OH~jG)&zG^$J;ckh60=fNia~L6Xt(5s 
zlWsK6iuIK?#rMw3g^L|V`gEB`%TB}o+!Q#CJ^?jfjqU;Iem%xA4^%VZG-A}mAE>@x zU!vdnkm-TA+4lDJJONIIl&jDbwJYa6|E5SK(e6V%Ku_yAQXQ;_oLcYV8?VWI?v^f} zZXjjXZ{@TOHA7@gzM%kW-jF?)eYjUvFW40B5x2EquMWK_xv!y*_P^Wq`TUo>nn)Q7 z=BI92c?>-fE-PaWZiKykEAk^7Y(*_&$Yd}`j<7ysVKwg4A{4Hw7|MkV4M2vYd*l1! zW{I%DZ=QbEzVU_B2(S|~zf~)`t8{*4ipyrpJc)W~=@cXED#&cv#vlbvd}DO-IRO;E zWi^ZF%YtCS#Qn09f0&S3w^k1Z6V6*m>gRfRk+AZYv8sT`Ae<^~lq4M4T|mM6JSixQ z_(sZVsh=-CrHY3q^D|&n=4Z*7B_6LVv|GfHOixZW#jrtlLt@M*9~ z(2q-pE zMUr$h;YoV`O3yur(88$a?ctUeNkq^whIW51Sikz=xE(t=ez79oQv;X2T42u&CM zNK*nCoJ18P#n&S1c>yOSnIFh|y3NRY)ZFVcGYe2D&I^^f$-$&pOv;(HyX#yrc%60# zz+~e`<-;$n`C3J)&rLBgnVS!ETZG2`n3;_1=4C)0!^4Qbsk0*1@=1Kc#?UgyRTl>5 zl~%e3Hc(GBq8rV>Lu<~JbUR*pH95;hiM$+Hczm1dN~Vj>pQcY^1hbp)zZ~{kwA;W@ zyPI&Hz-i1cSue)=vEo{Sa^i?uSM#liMxrN=nhM^3Q9=WU1g`lBvDwwF=2)&#+m`p+!h4 zHZbU@ASVG?k!g|8CnW)7j+o#_{Xd4miA2bKc!`sSv0OR&_HwzXqi8yJaaW;KifM31 zc=30IZoBK%ke$68mTh2+cZZea;RB5WPW-Zhh)?c;IxCegXzRY|1JnuZV~$%aX%mjv z?+3&;Y+J~-UKZeYu55yY15v={gvtY>iqi8+BDD$GWzf?V?7Z0Xmlefs3a<#{Xiwwh zVc*X8hy+uAIQJ29Q%A-^bdkAh@z<5s4ta)g#1U8^j*RxUq$SjA)2146yZm$%c^JBR=x*ycGSDCn-fLo4lkH-uaw)b@ho-JF zZZZ|8*3YVjXVvJ_9;g))Q`bsz-6n+z$`yYV`m&0toG87*Hqdw__>MPt$pB}SS?&mvdLW5Yk-_!IK5hL zeF`;R1R5fqEZT}yVaQw=>vr~WMT(?els@hSS5{a$50dz_JTWBUZl~;zZBk;NVSd)R zP!b8wZ(Q;`-;END`;1A~>odeC9J)&CmG3K#;53QF5BS>|*lr9Z6ct&z6<-ze#)fA8 zxh$)^M=fIdSiI@A@0R*52Xf8WXWOhA+Z!+)%~0c%>e(QXq7ymIb>8s-s7@$paq8%3 zd_F2cr1j0ZhU;PxKNn`y1dhq&#x}6Bu&e4YUP8|VhbV&)Tu^Ggm{Cj$Bin+@ z|Eam+qL;wJ0b5{oKNB>0vpo9^X|Af|61%?I$;PoGm<<}-&+OCN@W5@P(tZeRiuOD1 zWK7jF^DElyykF*(N$3I_8D935(PB?JWR}h1IYo^%2hNAiA-q*~*?U(>X|c9s5fmz- zahV?~gVOI5lwlc+$<6eVQFtJ?Xa3kS+x?;De*G5FnW-pG%yhu#JAShc=l#x3Zkc8G zCv%j9H2rFnTnB;0yQ`a0vL?0*zgg)hwJ(U-koyRv#mWoy&YG*{pEsKA_Q)D+4j&-L z16x~&jy{BsD=6fwf5GR^x~9X>Ezv^npEIeJ`vL^@9sFsndiAs^0ghF>p&umq7 z)iEyR^%n|V`21bz(ycyYsPDZDuzIyta_VN7y@sX`*lg$r)ucBO9OIlOcz_n795j6v z&p|t5v%i1u`Zfghrfp=4$o*KxY+#eaX1BP^^j1dIn~tLtGk2mR_##jo4s!eKsT4;> z6_mtZl0nWX81+^KLrOH_9Tyqf4<)CM;kgWoNfdPNS)}~cATPI9GfS 
zvbIdt_Un9){Wp?VS*9O|*p4SOB3|cza`g@37-juHotd~W7^bk*X6z=-I zdCgeJeAshUnqG6Ar+?9vleRIo-Be%ZB{Z9)#e<>KByntZYflv&Knul))MdBdc(+;An5|u%kbf6+5j(86 zo-eK%stHL^ua*U6ZF_(oIa^Doi`es*roo`oJ!ubjyOu#~zAv^q)u9U|78b6Td&diZ zf#P+aqeSO9g2H>uAa5zEUubc^)znC6-)Ks4GSX{n+~dgdcl{3Fq7t{$$$pr+v85o0 z5FzaU*F>Dbq50K2O7jcCWX+K1bbaEMy2^1jA;7;&V}nT|qxDE8D~rKt;B~_s=VgbD zFyS=3i2lo&opLs07$U0xpB41Q3o3Cb8+|=yXnd5;C=E+T3Vdr;_S)HwrJi!C z+P!1r=y$6T~N{l{b=JiL?5Ymm%YIUOROpCjD#ZxgYfPT!I;|{(8i$ zv3YL4_L1L5dN=Q-PI-5lN95#>ooz>yAfUkH9+Kd_u4^bK@l02YPE@htX;!Jm4F5(q zJEQf@l0msnrvoCRHQNy3qnlJqX#&#yrFiDSAh?}B!=Tggp!HJ;VQXpV#Y~a9tLCx8 z+G*EqXYRNn&FUIc#be0Z%`PlmkJAbn>6%Kz559xC`WzCcs_rrO*GGO?0$(LL!9x5I z7nDpIxB0S3oBQiT{6Pt@Hdi%i1DI)_DC*n8^`d#B<*)zspg(@DaP6x{6%7I1WE`v{LaYb=zvHz`-Me0&Q-UI!j z;P0||MuD=QmtnC=dGGaP8YK2rN=fLjOn3I#=i2BaG?rF8qd1SSwZEPo2nIxrL)IzUv5LV*N)%M>NfvyF+a;PQ_Oz43D`=83vT%wBoTeryrDt5L^ z7d8wms;tj-G+kdODbeDjC3CUTO|Hx@56dZ`*A$&o%j`O; z%8YNDL>2xO$~!)pxVN1{sLg>d>nY1ElOuJj?N8Ksg6^MUHW}T9vG4Vno8hVX#22%} z#chb*U>hu#{|e;A*qTED67QVHrauerZ8R*~;Y;H^&}M9GG!ob>k$pMOO8a2gRGm#Q4epYGz1|fDpvX%dD*LO88pF-xF2pr?B~IuE6Oz zfND#NnjQ_O?f`CtfNScIVQ{ z>nPD*EkE$S0T`t)bY}p3=O{S^L5pE{C9;GYqahlkx3YtaoZzPmD}9{BoLwOJw{#JZ zw=vtsl`s5kPXTzo?x)x9_G<al5Ug!OiZKL4U3M$FPp_Sh-EF6m8o*hMz z8{Tr!!V2)HdgB;J;y5E}51h$0Vpzm;qM;;6HH=XkH(s(BU-sOVn*VeTUm|kTW!PV$ zLd4&>ASmQx()r=CB1xspwdCI4O?7FFbQ)weZ&@1qIOn^0p{LHH9uR&`?{dPkvh7Hz z=p$V%ZdYFeo(Q`+Vdo0$NPcu(v=NNVJWbJkLtpYv!uNovyHSV}SAe-SWGZG_aHZxB z)~^~5@3{ZbIP17=F@*09;gN2S$U5ml@=?Rk=Z5vR`+i5bEnf5Nyjydlf^2gcRoDDD zdub^;CFR?@!Bhhw)s#)#;okaWy3n3@abcAjzG77hF$0Rs)VHaeaib0|TIX?CN!i?9 zHSo=A{m9s*Oz=aMa=Kb|3(0rUYl`ssGh?H{*?j=pQ}Oxn(X;2_yoD;9&rnJk2=`l+ zK!jOOOdPFIV%R}F*Ru+?<&5zUbHxZT7h4^+nT5p!^rot!h)?FEcy3+yBMX$~`1DM? 
z6YT+eYkRNUEl106PylzFFCrHW+w63CEcq0&QS+e6@ z_SBL_uggBD486Nuy>SS?f9X!}RHcYVzde6kKck0mv^F>Wg}M!i9(S>Krjl2^tl`e|d9cLNM{!h%XWSx`!A$e1irbQ+^0`Z z(1cU@{a?qgVV>*No;2H_et{L_^ftrtScYYl>zL5Nh>CRIi{m4uF>=YI&|weS1K54hyWs28jY0zhZ4EarYWJ{e&D70>rwK4fV<~+U<=sCFkTEkI8?&$MDm&;ZS?$jGkNS9IS#&P znydvBrC}pM+ap#;pg9OwwZ(3cFWLA*2)CEu=UTsD`mS~>^m)t-yFzVf0h zEzr*NHV@+Zu4nG4SufZ*g{9|8u`jdfrY49Z-kuoJmUL@3w3 z;-iz66cWC2RRWUF|4S7)_R99#R*3M^8Zpe0U(hY2zxSi;fy97!@kZd>q)AQ z_x=cxim@zv5hL-cv5}{x;?GFds(?P&&NQCKDrBmp^hW=?s{}g=Nn8VgmkppS% z5erP?k_(WJqo>8VTl5dD=h92gPrjRvJyk@zx7?+-ZLwSHZmsy5yXv}9n^_rcrXgL3 zBW5qAAhQzLPY>M9{};dKlta>8c{iB~4IT66A+4}!#4Iy`v2hFEe*zfZV&=Q{0AeZS z*x)Rj$N^FV(uABpv=#h^r2dm75!rM3mwJdK^b~m;f;^A%10hb z8e95^~xZHur9;QfK!oxHLPdFlIx!)?)sYT3+msFQN#Po*##mxWN zXr~dEwWR_#0b(PrY24jg4C}GW_Kl1sPu`OhkQKF?wGL<6yUbauHs2{}HunxkHCs99 zLNDqc(zwbRDsChRSKj*Me?t=OHo0|V5CwZ$HM-`!g2qgzh-C)Is;HefhlA$2TgSyv zMgiyi9Zskwk=RoPS(jAn8)R1z2YGcxk(_;55rnXWm8+M4ljE22GAOoK`8Mc-n&i9T zTSR&4>aielB~C$w58u!O?3-TcK^p0K9B*uY z5pfr2{W$)mE-!KORPOV~Dc->pPY7tqyVh;@0@{?L+`QAOy0$`#42NTeq(^kT#t{TIY zN+HKAs#GvP%QQR=|5~3Gu<`Px+7;g9!hsgQ-WUuhHY2)u)t1pwWT$F?+wK|;^YJJ4 zd4yieKDTf1g-C>_z!*k8Q2bw9AHx^#J@aW!2_}wWL_%x@?<_ddLuU+@Q>AYxjW_c^ zt|e9w`;n(cWYwxK91hF!;w*C*Oa5b5js9|_ygiV^_?0z<>h;;OmV9j@vI#)8^cWY4 zn*$-Km+tIEUG@5b2Jm|JrS+V9u7z?PD=M;3{N0b(Sx zU7PHs4sTEC_?aH-;|#IJ$M8|+J!Gl_8UYqdEo`%R@eeWD1|>?R(amEcDr#2m(eI>D z`pI8nsCGp|udqp74-!M=6gqk36e~wlKV2sGrr&-zq_?eg-wIwZKF(UXnh!9qTOmNC z(48>3=2jI8mDY}N_U=SSW3&1by&JBlG&c#(f#HEtOye>W0kL%~GdO!_U8ba^q8gmq z3Bjb&$M92V`JqzCFA$)_G6HILH5>{;x6lX(lSws*mo%461S_T>wI5HAy6yUMcDoc_<~sxczT0;Aq#@!@yJ51JWB2ZlN3k7B^z=ww6KP_bO;I&T7J6;dD!sje-`E z*#}EfZJ_MNo|T! zF?w0E@9&&acS#&?vq)EX{tME=iV9hWvWmRcyqSEZ(>8RXZY!pxQ~%>zMbYsf6XKP3^i_$Uemf> zdgO~z1!4qL9p*e|HYi8gEOP z&ebi=bX+yg@R#ylhLg;{KGO*uI5%skEO2{I;Zb%;YO%T;31od_bK~|rThu1JC#&L} z?c|Xf2a(911YK3wN==X71L~?XV>U9^)(QHa3^wl%+dOuCkmr49vF4tg8Kbj`K{#2? 
z_7zWtMUgm9fb)Fy^g0im`%EX1Qr3jPWY=XIMs8F{k3rMjk^2H^wmYpko01G5w?7Ie z{0FJ7KJp1Ge8Ia3D27)RQBRc+rm#-9m&STi@nwJ|t0YJsd6W-c^gBDrPhVtpk{9=H zCDK(--Ox~nG#(gii~B-~Z*njBo;o)P6i!vlo3DV{u0@N?J_8;>I%N^VgkEOW@;*uF zj5GIzzQrRx2lF%Ftu1dB_+XPoU9ZG5pZOw7TMLEfq`cDQfQ{izq}lAx$CJUb#)+hd zh5}GtLhLc3!cxwm%o4IdJR(d#Eh>JsAz1<0B=7E@H40}lZVA)VT=_l%4Fx-X)3oU% zY0{QvwA%DvPj~9XUx{R1PdZE#>0{aX9JS)jcU%VQ#ALL~oUA5gMhAlf9w!zLjs^$M z>qX5Q>X*Y-Zbf(dSJG8z{8f_)Cy_=@i|3O#jOLo0?2k4TM;M1CJPOf%eMKgx;07$g zTXbUn%NzPrX!WUQt*JiF@2(wh903gC*NS^rf`PGIOR|VB@p2S(P9ly0vJFK6bs&NyGlyem!+b9HPd9cGj>`!O-pF(8LxR%SvYAU zc|x7CB+?h!xWpHm`<+KQV{9rMk6^N3A3p8kiQhzt%Igjl5u=Jb3o%0mtpKop2^E3e z?kMI0C z^i!NCCKIbNhhYWmUzq*SWft76K=FCaZX)>l$gKLBpNamAC+n9mJ!hoWdmjB!sMVf{ls-46O2(;4Lvm*a?e2YVB0QKSw7M~)p>Q=+CO3r@Y!>idi ze$29TheJJ^;A!}o!?mz@*w)f#irTfdYNKG-FC0C2&uDSktodDYqzOClrqqR-vZimOrkvMUHR+AM?N65Q;WDWK$1m?F!i&Y9BSSJd*F3pAt_ zG#Q;4gY9Qg1mO0p7@acCbo*GXD8E(~*sA_jM|4Qjy~@B-wjs7!jF<5=9E!1=g)W7L zu#m+y`}p(b0F4Rf9A+^=CUx4V8c&4rdC1ryz-M+Oap)0h_mN~1e$QZU6pmF)A(dZV zL5jW0`tE{^TQPVDj#WfKD?)6*DU&7hBtu*TGUy>?lN`u5Jv`xB>GC6t#98F!D_o5m zGnm>cGGdRS*M?H5Df3tKA4c{;(t;vw9PDgtev3git4LQtOFU*jr;j!34Y~jX@Y6(w z9$jl?ukywlIr7Lp?(seco2aCi)B+8&)@!~)>D2%d2G6)3_n%7 zghh^P>?_+0lsH16+(*@%e>hb{|88(pEyd_2)3Ky%lc_@QIwk}28!>e0zf9K=Kz}`I zPkRl~bI03h!u7Ofjo*Wfh3}QSpp6h*$6ckThwoCO>E|1yr;95l{be{b7?F*gc{HM(iEe0RDv>@2aF+3Wt&Mnq%^X5|ciRaEkEnI(SlE z(zh=zhgQ4a_@1e&;ypw?q`dP_L=FP2-xUNTE2@aY+fL8E%xFvBBMTSN%uAw{?p({L zx-9WWl07x7m9IhzWi$HJJyjTLd8--q4SRL5G5{EzuLi6iH5*88X*xSp@(M?(2spqD zjf8@A4$Fps(laxVt{3m&XBEL?H$l;7_m3Qs31c31532N_z>so^fgPr6<~i){rliX| z9nq;A2-gc@QUeZ#5%z7+5lSq(fTE;8Fbf@?KkBYx4ld~+%@w@5_EKXUD7nyLjnPmg z3(WU63qvfE9>_ql*L+NG@VdE<^x= z{-P(z6Q2cl+9qehHrWU$(uV2 zu~*Vj$c=8p`v}DUAY0uUApUd8c(w7`jke}Yn=3WVi7k?H%(`qKJ^~;Z-()jAl_O5) zJ=sw@T2?hxsSL#fv58TlhIZzjuln1WQha66m({k!q-H+$&Tc+d&HWaWZXUe3%XzNp z!vV*YQZ^qeDrr9KJkw<;`YW#-v36Fh)URw+5B}%nD`jz&M&i+cyELi4+M~FTAC*A5 zkD+(*OW0h(dgLKKA}t-tP!b>T{S;optS>LGX$T<;FES3pdI$!o(lD~8ASVg_g!-F4j0^j_{j{23PCvlABIS7~y^ 
zcRZV;sO#bI>keF{aW6Rw^?*#GkMpXDOy>q~e%`X=`&x2T^j1ngV1Mq&@@Bs`QypB$zsw?i zCcjL`tN6)l+cF(JH9HXybxs@6CeJ zAeVwI6D$}m;CU3e#L_e#-Hn!`g95^VhraFy@T%WeYc6v%n2r|B)xHey7ZYXZ#JY_R zYFw!t@{&by9}6HBboNP%r@`|Qxzhg}<(P-b9G}x|=PZ#GhWSS2T(U1t(C4kp@V7|i z4b=^ICORcXhPGFra=gd$kfW?KQl@y5%;_;87yLex_~UR6=r!QS3s0g7V?^r+QJ*73 zWEkQ4LVPF?UByyk!iHh9EyDZ?l{0Nu_;{@FS~=nMz6w36#5fP5^HF{K$Z>JkeCw~` za1rJbyJ#u9k`N(nK|^bVzv!ggPh?M_#cY4a&O}jcEgfxpBVR!tj<3)GTthW!lDzBN zH@55LbJI!ljm?Xj^z1)bI6p;r0awGlAhK`@)fcY4N*VwbyVzC6+~};%!2O2-dI)sJl}?t{4s`bH?8Nv-MLa6fJUm)*e56^-P-?l>bpDQ6e@J`FO>3f$ z&|XSgv9ajM@pU|O1mneE%eG~D5QFJK-pBzl7ze~)^#y+EAmPbnJkeDF5Azg{0zog0 zEuW6f3fHZe05~MJ3PwMhG8Df<#WXPZO-hC72b;-H0&iMgi_OaL!ymodv(fpN-#)CV z%&t(cGaQ4@Flw$pELjXzB)+TIK-nMdn~-)Os8GKX@=^uYu~SsmRF@e>U$FGL*H-3N0HvkdVQEWdsDCb zX5(&&^2oqpex<9Gh{p9;ji?t*$oGwMpGr&!IP5N5>t9C@tx2s9{&D0%yOeT~lx5*S5&x0Q_ zp_U1b$c7f06NuBhQXtN)`6|W4Klw+IYl@a=HqupksOU1u<0A0aN|rvlX6oAF@y_sC z7#?C-W%D=QnlHc5hKhu}{jGQ>DS!N-r3)2_(*>!W7LhrtW!W(nWV6>9jJ{}u$fkbU z#9Ni!`mRx3T?}Wui+Z(9B6rEO(}G#er7yBsH%k8Fr8JaZUHjj*_JT_u3cxcblxlNmL+N&`-uk=dPH_nb8fb$Zjlcc3P??hHz5 zI!I~U5auS*M;)4lL3OX_;yzn36+S-wDLj^I+OaCY>tUUg+X}oQ)pl>?%|=K0Ty%cs z&f9TOOp8qIZq`V%A|m2dBcLaP9Cd#6p%wQr%5(HmIQy{-6c1MU$pJLIrFgRHL|v%Q zJkI_^ZW}Xxt=Od0Bj6KZ@c+0bc zYW~hzjNDA^-OGdOOx>Y2!xr`qh<<`GRsfX< zY`*Wa(emT!?&O?XtTmzMiHkrThq(oXH$0AdCXKoW{yatI^XGhoBMJ$b9zG`1ea=+?HI*!EAyjrAef zzq`(t+B2Z(Ok*1jaI+k-B!2Y4i69wOq551N5iQOc#jM;4w`A}4kc9_s!5Eg=38gaj zV8Q*0*JfS%adjf{z`q9XB3k+}XA)}sI*J}8ZCIWjrB2(vW9Z?a>_)|w%IFRi(lNBO zD$2;D213ufKV6>P>>SJo3l+lT4}V^yFdI4;1!ymq;U7fEhNGsT5K%5L(o)BWJp`OD z%X?^Xz?%H)Y+shh-=&Yd8$N>_nH+_aX*?c!%Ef}$KGAsYLf&=}j1s*HD){y*<>OT* z{rkWVf5v6N8!Fgb!#=Jj3)_2Cib&1I7di+*o*%HVU3zJ{;r5n9VvhKzMYGAjsR3Ql zDdeEk`;Wvpd^I$jaD{cPt7VV}{?{2EPGA1jQ6dw25>3oFjZ4N@P;y)^z=P*z=qJfP zezAH%M#P}bRHW@AiP3yzf5$X`T(Ty2gS>3?n%Iu6v4}(W6>R#SR^aEZf>+f%QuH^F zmV4@fnYL}L88ekgh!oQ3E6P;SEi?-wDzg!>OvvW8Bc)9kjn^J}1ppc|bhyx~>i7Q% zBb~jP-&OMdk1+h?pGA*uW1}`3JVJuuaeM$@&ufp)>&=TWVAImQHN&7tu6t_*z*fxH 
zlgXg&zb&@==VyvzJi-NOPmu-69f_h4YwSfybLBKsx_#yTZDQ%!W|{nt+t_~t~Sv;fr4i#yYm+bb{~tH+s{=N39>6g*O=MV&2`K-K5{cWdpHFX_H`VG zCm|WnM_qxHrh;GIfi4&*_0!c%)+yQ<3)anwp6>t&X4x?*iSC~I7akW|2{+!iZ{$mR zd&Mm+CnC!uLMz2Ei3&eLb{x+g{Kyq!G9-rm(@1UEC^%nH2AKRHW+1AR@;6pDIXN!t zBz$O_2%9m(zw^{v+&}{RE*Z#n?_Q{TE$R|}?nw}E8J()#+|oXfC|WnaQ76o*I>z!b z##+};Y1_Ta8{;$ZC8!FCJ<#4%aX(v+$h#>o+5~t}9ZSE$OKMW@^V`6);V;SSkHESW zHT*6+Fkcs4MBw+FJwdb6RyPtWD1t(%ot%_Wz%o0?1O$UfC>76w$z0ePLv9JrAIA5aM-CLvG38vlz)%f=r} z%@sc&btf_IyiQQJH8reKlo};2&v&K#^e)`~QU&UAM)qs+AQBpqTH&M7IAYUIOXR=Z z)v(X9)1P>MJ<{*FRcmuD{Ro!$It2Yzgh30OTmCVthH5$`{(;PlbX+C5UpYR>L!CXB z7sU;dc*;Zdko*269&NjpPma1Rki8nh8l~(q3&(T*>e+CviQP)s;;H4qCL4|7Eo0(D zitoR}GwP@E-4$uj(4nM#R1q1m4cr431pcM8<$?A%@0 zCBaHo(1{h2rp^m2mefyOOf0XtxsBdGGFUumv|s-+dCy0V`;5ed;@h*DCA88vIo;I@?Oj?5ky*rO zReKTdUAg(+x=`3-Sg-y6ru43@qqVntWQ4hW5noc-kZ_?K}JHqF3_ZD>V-79AL zN)zVxzAA}%X*C5Q%}Z{c+(;x;CK&iOd(U}2?EyouHn22l07$9<6z|C*#VMNaX4wDo z2z!RnzmZVlqL>HaSur}1RpcGD+j`z>W$nFA@W7r|3AVx)h9L_Leg9H}+z#5I;B?7| zxnVpPS4utcPhfuaQ==rBD^&tro{aC6-MU>RuUc$?RY(iF68ZV6x7Vh5Gnza#yKSDm ze&%#S@9nKEg);9`y)~M+xbtWDE5xqeWbe>pP{$2K&W6>%4Abf8v&-NRaKO$cY=C(KdlM^LU&zGHM^L@hBMuGY8+5{r9IH{Nf;Z-NW+}P%KIziA($6iEnAei->M&Fa`yL3lm$4)9>o44HdCs3 zWzVKU&nPXXE<}X{Bi`aAULM75V>ycwaV@lMUq=fXhwh*IAVe!REV}${#=0{Z=5M)b zg+W>`@|h!JYI)9z5ZaYYONYYx5y#@g=nS!O`*2$M<&NH*P_lgVf$d8tHc_K-0&*fz zoyYr%P(*1R<#*lnq(K}ME3+h-N58(5z_o5@r2ijvZyi=gupVZ|Qf9g#RcFv-ks|vgI|VxD55_*o zm*LIN?fW~flU!6a#a7s`AlH-_S1*;%(>E@*GzOil*Qms1lF|tBfM7&sL&mLJk)HiF z9+$jE8CJOTc ziY;kiWfv_SNkwhd!iKUKG*t92&y6_;x~}Z8pN7Tjq-3f;gS7%N?c?c&{G@)dzMH)5 z&7t|EmN11Ko1B>_uMqY^lAs6u>)+1C@%Mz1!x9Rz$e*NRr2QfTBuPQjd6DjII4+uu z2qh6q8|7#rMK4d9Ow>Fa7$UNx88G@P75_wW7d2y`7T-H|02UM1IDhP?p^> z9K)7W(HTUyX40FhZ&^s&rS!8M=Mw1Q2WNP!*OU- zrjZ2EE3zRqtU--3g4%D%J04%Ficf%VPH8|vy^H9R{af`^>uv*dDX(0SDuAk|15~}{ z9Cqs39(vv{(LocoxpzX+y0~14>oF-q5U)uUFt&H1xy)PRV4lqU8t_)aeW;&OSQ4XG zdU&GB$c&5*CxjRHJW0Nkv^3k`iUO7Kb6bSym_OmH2#La)k{CLa%dRkqg(ydeo}al$ 
zVha-%^K)pcrgU^K_d2vE(opbq-d6$I>Mvlr%gmOLy;1dR3A6lA9r1-Y<{uDDL_u*%!nPrlvOyd6 zGToGY*dn3Fth4H4Sfj)pNCoW+8Xx?hrWs=p>>r>S!a^icN}Xp-I{YC-v<8MwC7Eo_ ze0wfqi1&SY-FDZj>KM<8$j?qOtQ9kaGEki9DClEw#@IM9fhVHGzXKClL8s_sIgwFl zUfl|I^mMQ#_KaT#CI#5ed>E9D)H0Ml>An_xi$j)!`e#KbFNyIQ-iGlyi<^SxwdS!< zt>=3T@<_?%B|_(omgJ^uKbsU)U2w0H3#RpSQd=R;*;l{)xR1g2{%p^UXFTuVo~9+) zk;Z%ig73*GPKl+dR$moUtR`2e1i8h3i5dJzi7$IHKI&Ht87dGId=LGnsl_+h5$M$1 z5hz3{l13dTNiqbz z^kc9PO_N;8Fs{Gv(^za6jrDDCu#m7MQj8Ho{JeuO7Qf=p zfx&n%e}tQvgb8(Oh6xp-NTdwo_{%YJ4Bt}`8SUNCz22w`Fw@LZ3p7S;D!a(Lsh(vs zd&4*4o+(mB;9&(X$OgI=QV)!=Y(0hk9e?xjt$;A-8XaRCRe%ASXquHiwpj^MJ*k?_ zN=XSPUR@!K233TFLn8RCz~6diRCh|=Tzl%j9n~x^q5)GKZdz1r*7|Uj7k&RC+PeuW z4s~1AT7jVE=H=emxJr~$Y4>_e=k2M}#u>G#6;a^%TgFk{wX26Mulp@zL1EB^5dNna z+t&SmXcWB3FDyLI`uYAmYGK)+tuEHPz8)ddZNFw}>8SpMKK7ZGi$aafP4X zspX_VPEG$fclb)76oil8TeUy7O=iwuBpiYf0ooEz{j|wOB zwwg{ph3X53pt0$D z-F$)4RDC@KF%8kH%VLMrok%XubVAAfJ8}mHEkq`gOZ74iRIu)p+!t}Rwou@&ZSkXR?k|aG3eH5F?l*DwY2Q* zv3(%$VASkLIVT*np5y6N{`so(K1}1nCMzw+keT5&=S=yCkzX zGl4y=+^gxjpHe9w&KaIrG7VpsYrooI#U1{ZWN5JZA@djav@>BK!?-$C6;+>l+5qSC z&bN$s9~>{x$;SV_;ZkPF(l^0mgvDJe$6?Q0UuzbK)GZvmS#~^YUEHd{->-40PV)kP z3vnM1-;^GnnSKKCv$ zWRL(l8Fr2(D49=}4(4fTWJv6@Fghum`&>jct>)Fdd&!QNwUL7Yvs_F4hN=@c*6gm& z^W&LC|LXG`nWxQQ(cjvL!OkBfEe@`mMq5~>$R7$nx##UT-T$~7qcD27k8S^k+k9YL z*Yd0D{&er^Lf3-dj+Mc6iW**NF%9MY)l53e_FcU3LV%q@RV5B`m;#~HFNG=wiNKLk ztpvHMCirNFKS7d3x;1NBV`XbvNzfl7q#Sh!K~df-JKS=xhGdNW{6-4beB&4ux$;EpU=E z`X##rj_fo|*m}L4qNSYHMmC5oA^@gRH*#8u*CssqaGzc>CkSH>qQM#TWT#p}D1VTrA%-yH{;Q+#~ZJZ2yYA?o#$)e5i!_&PD>|NXUGN=WcN845XQeekA7>w zj)CqY8hlAl)~zd)JS9OzmOv4|o}KU^gx4TD&J9bnb%mY;9E^5^`=_;G8^`ext;g|^ zCmat?W4zDNXjP`~skl}tdS2kfJQ|S!W)X3LAOls2dSQF!zZk}~{O~jlV29SB5=YXV zy)8-kDHE*UXOz2!5Y4Y`bsSDkYIaxTYl7nd&tH)_0x;I;l}8x`cIx~gtEF&j7FS&6W8DK?@*x+ zhOhQLdEFK^%KcAK6-B7xQqw!AQ!1>Xo~D2YNVoG%^BcDw(#x!?oTIMa+*(}tJ*>eU zBztF$o<@ASUhwIoe`6UO)X@0`B6J%*n(1$~v#HE`H&&MS4yblENsQV#8gt16QvGWO 
zF4ki9=K28>;>Pr8#Pn9kI)AI`BsfsBA8D~kc1_7S5pZv8xsteUv?1K%0JrVxYFdCfs^*Ke|5wl6)t1>{(^!()%)(tUXBz%XS4?P$REmj|y-&kgL1 zazD?D{iRu#XkxGUAotJ35eBg$WYYGTqGqKhA~$)hqp>&2F{<9r;e!l8y0Cu+(%$W0 z)t-8=syrcvw_aUCsQK*G2P^S2!}nsD(koZX{10b=ONks`vm-YYyej7lrl=3M-y1Pq zCoR-0ZIPsyXwzQSrsNY3VIea(8iHIzlfxT7T{Y4_4W67|zAgWZClBfY-Ypvv7~S~q zjn&{7fR5!cH=}xdFmGRgZV1|2c69Pknm<)?Ewd~*)TS&rhnwQ^jV6j{?e3*20a({j zEChAly-m|)4K3wN%);#Btr1^aILbh&&$PJWPPz739h(t{7yUBo7z(l64=4qUqpfawk7DIxD^A%Q+c`cuthC!{dpU|KvDv57PB zdzC&i)S{o`@NT zWS%2y1;!cl)w2|H2O1f2>14X#HMYp0{x)N4MU1w9hPHr)Zrqy7pjrm3 zHfO5b$`Q+2i)P(v@sP(PDl8G<<1WwF(YaS zs2eW7O=cpsFW?ky02Kyza+>=MpiX&W+j4kOvJM)^R}WlF6qfFM41#Q@1d0CLxU5yB z3_2=P1}Oz~6AfD;j43bA<5Va+BucaxObR)3;qkn0HQ;Hd0lfj?e_%6jwTFLt{`i43 zK|mjnMwm;9NwUhiA78UmV&*2zrkw|*Izl|Rq-N6W$_|PK`^-{ zgCEPUmj;phtmpTNc7;JAaln9TJ?!Iek7);+7WSs?l7U3DD9i{!q=>h2@} z*1}&_yFI0OzdF3p$!lqocQI&v0NXn9gRE!Em6p(|Dr#|X`^`ZK&e-;;kJV2ZFY7T2 zlph28h8DdwpEF=`joEbFpSoCIYj&HQ$Etd@Y6uJ?J`KDI?Q959ryxtel~pPYcWd9K zfX^uo-$9y#kU&F5{qr6k9|s>&)PoP@2r+8X%6?{RyeKP8>2(e&m%J&|>KU_pU1`yr zXZ`a?H8hcjLp22%U4)az1457&)GRU^iec00`n%^H5)|x$0cws#TS@0UpP-{-ry8eH z>@LA%%t4-PGgi*X`*5Ht*s%qJe(-0WgZ9YsNXFjc2xW>?sCjmUu-G`0OK=&)pV6%A zea)+d!v2ErYZ=P&Id}G_D=)&v)i>#6HzakvXIt^p#1jW2)QVrK%a)4b36EW|f^4pr z#>`arUhlnrSG%;lQ*4%hbGPrRRr1YuhFYkbe=@eC_p0Bs2=!?aA{Hz9nu36omNejJ zZJa`d>fpjOK0n=veR^r@z%~#a80U>*Sw#_y_UzBQOu`&dKSmQ#zYql>W(22Gj&aXJ zLtLG(#`nxk(>A}1;bbLK$M%g-07u*vJmv-J08 z+4U(Jt)ejl-VP+PhD1kr@Why)0;oUlDXAJKy8bdJI-nwAzAsTKOmJ_s#Lcd)FFz|E zEE-j|nub+=XqiCx$wQ_ysp399v1aix1Xb@PnO?ROD6!xKmf>ltWB3iIJqC>|-e)~N zZXediqvmxy8}~4@JXpPdTuHW{4e4}hBrQbjb*+?}lBD2i2FbvSKMkQ1OkEY#*V?L& z+flYK)lR^fR(tTR169lWtYIrAUQxO|CaZi8y{VDR%~fr@Ww@g@rK5MXO&WYHh|e#f zKolbCAw$h4lx)Apg9vCLQhslZFoemvzUqp`zg3Gd4Kz)OEB$3WG#O4mE=47soCom} zEd=RLWyBas=%Wa*U0vM2tmJ9+nJ;Nt+8Q4CbZiWm>BkrOLi@8)Uc8DbplwcI>8S3*ztY3fx!|Meq_O=_!*ujo}iAcC~o~TfZvQ7?`r= zUjGnI-r)ebcSPcj`^WOUh%y%m`1EgvMJJO4g41)*azUndin<&}(y9IgJq!<%(y?g{g$F z*buU#ij0%OBz0xW8&Vp!>89y>lJXWdj3+>L7?4i;m>|+WL(=@+YHR?%<;rjqyl;B0 
zZHC&;zr8c6E!KZ0#ykZbnFxHCW+e6?FRaI=%7l zrb<0nA-^|mh%AoHJ3S~Go}43fYal&aN?o0rKg?e)Kq79#8%pbiBwF5I@3Rf63{V7Q ztbQ4CH*cx5*n>km8A+98MVSl_bE(5qbm_SyX+tNb~5GoYfB?adrl>LVvSIG zks`fR>o%XN|2k|YgZrm*YLMH7aT%)oY2f-z*S@Dqn?NQLTpZtO6DB$~^mF5Yly^6h zJ;jkt!{v^5Py#wfFnEI-^v>UOdGxO)uz0+tWfI6k(^=QQcZF~deJ)fdP>FwjYu;bQ zjVTq(7Cu1|Y7aS_8Eo)(aY8L)E;KzZDu_2`4cL(}SW(+MY+rolVSK5tz3n&%{Q*hj z)O||Yp?GlAMwknrf{E$%t0Ng;5hJ&?|DD5 zC%-M~()3*p7K8uOz+G8c1SnKV&8%KZJBpv&NP0kcW0nadJ(mk*-CL6NfiFhf-=1rR zNGuBAHJ>d>Y}F~6+DmbEXKY@|I1_H--?>&xw13`Itz$r}>l9SHI9c}X!gcAuC1~Qy za*~1K>UDW{O||Nh2ZY}8wDS&6w=2VX)bFtl|4%WiXatf)@B?Jn&M_hD?+~^Kbu{ z-Kt+j@@*i|4tvPHX{K8qpYJGzljgVgty|*>N=usZcg{;9h?yn7EOGNMX65Lr-&edL zix9gijV0QDK`(=WJ6`UDlEG|{n?Bmo?8y3RlACRD3Jk-Wav;nVw>{|&%SDG+Cj8k> zD7D{t-MV49#Pi&Q9m{#Atze=A*zj05YQ~q+zgYZGdZEB=gW?uT9q0OPV{k+P@Zq?Qmdy4Y!Us*fHMe+GNW{)c z6LcE|svI^wGA0WFvlKx=iFifOkG~7Y-h(&|c>$Z-U%YpU@_v=q!X0XYc9_f>3+`Q7 zN+jAuPtU`2q&9xRw6dHOaeH9Z}o- z0VRKC*)58@eRskEk9dJkV#kiS`@kIXT+ge#wk0;FRzWyD;@okWL(N9oe=E^RK_~sa z_}4AyUzC|7I8qy7u!kX* zil6`D6ync=uVT!tUAJASd%m@KW@&#Oy7y);9R-RT?0$c;9LYRnj;2Ltu2^8vGbS-Z zU*R=U?fv}#H+Mj$rQouR8D~Ml>kOlAzVQtv9G*KrX|fu(E^RWIWdEs|q(t%6S(qsM zOG%aVsnPQf2zMp=LFvLt_q3J%?)XvSAgpBC?7q@mxs8hvHDwF^cRIyW<~a$WX38eK zp}7=MPl&&j9^FdRMAG2#--)v%iFu5@~Z9 zr4Xj_h$)n(0w6Kja2TE&_1kOr^F(&3*=LxzK^e(QqEG$Z{v9)@qMaYWe|YrEy?FoF zJq*GgeGkqa-%Pw>QO+XcI;U$g`+DBxz~>oW;3i{{jW~7bmHWHjwqWJd@3K-Cz_%FV z#Yt#T($X83nv`+&sjt5$9n5KnV6WXp6iSE7ssFQeMp0(geK1aLwIy-A`}APlox^?h z({>2eM6T4Bz)jCS?m=($JLrpyeU#J&FtTm#kFT@x6Ui}R8@S_X@srHHQfP*XR1_3L zp#0h^gWvl#@=3@(0y@AVuzqH~s|?9AlE)}Y3Jb!ff7gQ8)5SY*ONFWs>=%rO@uzvG zNt!k23y(q7krpbZj`53R5By9rwWzrjQsJIyH0_#sO_NzxzcVrS%U~<=VII0I_mv0T zv5Q+FxYzlOr)l0Bb(D22YcFoy@tiFp-dqy2Mf|0kmFnx=qt7nRjYEe9^H%qLjmtS) z$!VB6wLApB?Ak0&I+yzi=flqQFYyE~jtnEWWRMZ0E-YKCFdmmh9k!NS_HsNTzi#qB zMz9Q201*%zCtmU;%9c!yD~TUDlm}AT`k?Tk&BoY3>Ii>&$d2{#@%ZZKhvtm}%1Xe= z`lgMsFNXK*v@Mw24~E?9nhp-{-!rNx>DpZk10P0HOAVR&{AFnugq*f$9F=uQZiU!c zef3=YceDzAj_nXyprIHIfykIqP8`CCA~uZ}ucE~Q3#z(;==P}owgbWfYad!5`Jevj 
z@sJ9qiP2hHiQBo7-Ri1Twwst^y=mzJ^7UKi9ma^JPss{v=Y!Xk^V^fy%q=Hln|efG zmmsF2!PGl%If?%eKw}X37(fF`OW$HhWln{Dno1-itNMx*J!~9cSzdbLD{j~G0^c5| zpVzQ+)F5F!I{21~?&YQwsfdxopZ}yJNb_}~eEe~@L^EG$$#R6M^}HP6xMy=G*+Fih zOp|{}(8YAp_dfs0prFQzDz8T3qGSat&aOq(a!|E(9Bj+QW%>sbg*v`LuYc0JGsv-cQ>k z@SJKK%p#xp|ClsDpt&83P8QnBzENb5X~962By#$_-}7UrU~fy|FA}I-ho35`)w7GP zCnwYg6vXFL$<`kJLqPSN!Kl@mtwIvN7oH7{jl7 zYSU=T0~r*I4D$?LPB^{`G=*aNP^E>RL;ZIdW^UF!Cj2{yH^W(WDpt!7U5F}>l$tMEYN4)b`SnNykmM9|nO7ii`y6ZUuuj~5g%hh$?e8)V%6ygQt3*!d^!*My- zr%8~IAb4dqP+<(ZaQv%&FE zyv0gg245zr^vsD!)GyGk+!Q-MCf-b^`m>~YETL5Q_Xz$R<-fu-W;No&F@kwhRAl2z zABEB91RVek&DQW*@aUrSMCNj3+x;!R9+vU){*DT9W$gvc>!$G(bmi0fd2l04=mK~> zAvlBA$2+&xvSDp*QP*}^Gpm&#Z`adm@X~@h&MT!3h~8%M`;18K(P$r6Lb;Tlr%Y3f3(6JSg)(2EP$bm%ww1$m6)|)=%jsjrl(jpJ}ojV zH3K$xo^V`PbzRAAMP51`-9Qw38sjC3cug~*oF#>c7!G~e%KWCxVEk=`ElfR5l~%D@ zug9n`*3Q^C;alf$HUWD0-^q_4%Z|4)MX!j4vkSJxfIrg@v@w5#)l;EMv;o3vx$^Yv zB_(R?FD=#&;=~3nJ~Z7&g%8IgOKUJ{L4D#hH)!DD#7N(#6_FjZtG5w-;`YM)WPVi$ zw=9Nkt3izc#=}*TVhjj7RSYEz{hZz0ApXD845ig;`^g-(X?77`DF4hjQG+w(d=Xg}o2!)whR#1FuT19G zoR||cNCGoD(3D>{AcmYQ?$(SfjsQLTS1>#!HHhX5O-WiNbo9URMB}qK*}npu4aV{m8WM(Nm@%V--MZ6Gq?q0pN9t3MLw(+`tlISa!MUwvc zUc0|)uxCQ$Id{u3l~)Ze=JvZtv0k$(^18be=CSmq8;%{*J#-!9wO|=5^Neq4pcGpt zPX7gB=lmh6S9jz&FYPT^sz#?5e=p?DqAvo0aMt$1E|@p^r6y_|Yhp!4^6?Z56C0#v z-!G-*`bml)pCEr15qInMsi;9Dk(4}R+IAB2P*Lf0#X&LY1I~uyQLg6JlZwS;pJaC2 z+jwlu)AzQ$T_&Gfrr&(?xVX20$V3xDK0BkyTt_tj-G0diXHkj6aBz_pA{gWKW^44S zs29U>NOXgW-uCQ#e!fD5;)+7RxE`GKce?D#2+`bLc=||)RIEUDi3**g)MQUx!jN6YZk<=89vSb{h6D445 zQO73!{?jfjA9scG5Dm5z6q^;I+<#dDyW3r@^9c&%-1Vk&RXv==x_s}i8~PSL@{>>E zBiKY=F_Wzav3cXh-&5`+ii!Jn{%Ea`C`2N9ekt9n=wX#C^rh34t_C>-E7sVO9BP0} z)Jg4|-%&;iAdgt`xzx1pOBCK%#$Wr?FppA1&8XBfl=F_P>A@x)~96TROZChs$?-<^IX0E zBo0=nzbimhL6W4+F=EsHZ-ue1W1^-GAd1XeP*mnpf}>a~jAL+DryFu3w|MB4`sD1z zXj%^=0VCo?Kk)g=9{;H;Y=S|S2(0t9|t0w@qj%$#o~D&mOnCB)@vu==|NXo#0ifUId2$ ze!MgxSn5D#JH0>Dcso-{MFQhcYI9hEdiXj+`<4HnMT`{K*Te8my@qDzAU@<-NHO-D zB7US@m4K!9EyQLZj(wvKu_IK?q^n{A4qc@O2G( 
zBQDP~M^Teb(uHRVARXEiF9QgF?~U5x`LyfuJl(fdw9*CsoT!7JWJVn32E79Zcj!vy zr{N5wL#rbE%`3fqm*>QvJAcQadlh`SlgUz)ONA>F=!w10SD6ie^- z(TS}SL*517txq&zJc9HN(08Hzyg-%2=$3XJX$M$K$3&0PDrKS9y$cTWIl`aLMV)X- znLogqyYT#_Ztevn=Lfh$XEH*7 zJ%EaTdjGA89u-W!uYLbb8P9?~CMDlp;Sax`juA1!@8Fs9^j7|*cW&dVPWOAdPW=Iq zJJKG>74pn)?oQ~eZpIM6z{n|5qs5KQ#Vg{$jQ^bU<|OF;&DgCc7#F{FZw=L_@Rvz7 z=Y7XKF}SJg`c&Gh?L}Cf<%!HJ<--ZXYoEjI}3Zn)iic&|aO;CEuGkJ`1d0(M!eMLil{sgtOy)r))X0ook|F*1Fr6fV#6!ZF47a zyL9LNhUYA{l|DZ5GAZCdI6YO4Jq!5j${thQoD7IUT;1H0L^kHEZMymCJ3?DHWR%` zmBsl+n{#UVc6y7z?m2g2U|rv>{+Go}+03}T6&VztTU*XulyhQf$&~t+U+$!RlrO$t zr)?aob+p~-d876ET&>Ov91E2AP;@!KF7mXhT`UquJe*ft6i;`VwA>BfUx1;RCXMVa zPc)E!>C3~di?iQ>tiAkr1hT0of0Ae4kbgLf?z=;`_M&k1p{U`HX%N6rCzeQQJQ+WUPRCEjYRW}WP7BM zd!&h6aEhOE2JPEL?AoCKJZD!48hg2_dbu1U9gHF!HiT}NCeLI<5yNJcrw3$@`K;JLDT+WdW=8+C7L>rR;7rv1qfQv`k#Mte@ zf6P(zNW;9~EI8++23YLb$t-t`nCyf3&(Z&K%7m^zPO|B3O&i7WnP_9b9^F95cMG?ZwbIx_SD1!$*2NJ2H zy|IxGf<5&?Y;eNZ%S3|&@G71jEDj`E_<^ciEGxMX^l)OHSO&?7ziuaKBo9BZ62oe& zb8rb@NAknM2IVGo!F}Yz6D8zl*^g~N!n?FHT8AbVh#2Dw3q8uznRR}^?6e|Zot#7{$(&}k?VU!=~XLMTIl z&{-&wU?eelO^AT#4jOAjUqLoJQENyv$!EDUj1YePdRQ&6f}HrERWBG*7o$^6Sm6OZ ztS(qVIsEXP1_*e1e|Z92h!4grp}(L=YLLXfXhFavcF?3C`W~|3^*BJH={?I0W`YnN z(!-j76^z2~UezWrbufQ*E|`TMPSykg&*3j`i3`zT!V)HtKM$xk*ko0|LPIcH*c&0SV4#v;bgTC@IwCb zr8p2mrYxagC=w)Ou_Fx#n4At814LiBS9m>^kZ9r0wp^#t@owZ7a3CPfSV9+|NGOoU zkBF#P&T}^zAv(wPu-ae+^#E>wY101kNPuPlYz2yh7g@{>Fs-nICI-I zvs_aqh|WnptWj9OtQSVBghqP1;;euHB^@-yh`zP}%n1^$@>y;l-~q567I50l_ZQ(g zfYqAP+~hlo?K6=%?GW(VfDiE?IxJX1VW3Gok;T5~LBLdY(7ZtMMN5e6?0|qbxS}CK z@?}YggzAKVH@c!BL-LhNh!h4ACRa36NWP}v!dJ|hP@U@h&k3PPGS+fuSRtS^_@5I& zljN-BZn8oM0|{bilKi#ROLTbiD^72i91Z>m;t!Pxk*ne)uweWx7 z_3w2t<<)7Q5&!+@1)hZe_mp1|f718AD8fzqWV}4pqw(B~Pl+!yPo5Bc@&v=cqwxmv zPt3xe!AV*3``+LZ*cmh zFcwM85rCWN zV?pFcW~4y5SC72@Ux2!Zu6n%2DucX9!Iiz&A$nRc~7zE^Q24X-cL9?55b{FnpO(s~J~WdW#VYXzuP{-{kJe#6TGt6!C;ez0!lQLR0T)m`y5J8emRT_Lzk_@PNk6iqePq`Iu*-jB zhXt@pePpNjDD(e!P|dXF&$$|0Er6(MU7-NWe*^WLdmO5*y+zE8$I>!f=bniZI?ikJ 
zY3Ggf%NsSgI#*%^4X>|c9*GJ-{bjul+d_^tSz^p?q@H3xz*)SsKra~=9RgR z#1;R~S*Z`L-L=R90JE-0Rjv8MRqW~4x2`?^D_N_pn?Rxcut$ad_43rCr}h(12Eh6I z0RVbTBHuj%b=HC8#c-%a>dW^%wRbfRDiM73BS6vvNDdEIugtCQtJ_&Q+>|!dWiJCJ zZC(H-UAF)xc>^Z>BWsS%aPwl0?U8Ul65&T8`A8HViH2eD*_^@ZT6C0Q8!txPLXvnV z_~q(yA|vNVwu&-Nz&VUuACW4`xISK$Gjao@jNAK=XP{~ot}VBe=VN<0BkyDSOHg}x zgEL7beK{fgZm0zuRMX1bhks_J<9ds8oySEqICCzCSp>y40T;2r#Y7!&Vf9~Mu#na_ zIR7iT0SdD`ktyIRw5^5UW^h?2g3n|KXBy>+>{r$_I3Fr$hglR{`NSD6-!}c4F_g5h z+ta%@x7)L=ZfkIEh}G5NS!iG`C){7aokpqO2bA%+=&9`*zFC>;a8O|^CzKNTCs{x= zwcGolBN%1@7pwd~lM5&ft)`?lfHdHKUzzKP0|TVR7iXHuLu%Kr-hs@4qHbB~~64!&NQQ1mv490-^&J{z;ycSlA0>GwMecWiF4V`yWDpa&~(w+-_kOi67CYnUKlLwO@#7HN6UNa5lpO z?wGp+cgBG`z5UO|sftT;~jf zAr`og$SOhVa_!ff-L-?y(;J*;voWWc-Z_G=xGcxiH#Y?94D&Lf=OXfe$Xg!pHCOwd z+U|y6y1-0cTyNSlIfh8$VY_YrHpD7QRdXl{r@HMC8^c0I(} zLp7{T!45;^Ea+#E#vf1!c)_sTzK3dfn}VI>7~TYOt^u9I#9iuWh(4Z3?}b=yk66=S z#}0dYZEON=01jb_*o@zi>jBhxb+8lt@=;hx+z%}UoAFGSqPDH~Kh zUT_;<)R7wGh3_{DgazoA6&$vxw#_&leBX~WU@v@oE$|nhi7T9JQGJ_nI{DC!H4rX* z`z&Y|pvfz0ZBe6u&>> zE1Pk8_`V-&U|;wSTBt8TGgmm-p|&^UeB(nq(ZIj(9kMW6fM&0#wL|^hjMK{}ccMXf z;X7>MwgCO6;>-^9M>9?zU(|^P>4oozMaTj)PsMC9;ROeeK>Wh+h%BQ^^@-x};_mH& zLt^!zlH(g50lf|2X5KPz^XT#BJ#Z7t7s#jlF+3994wS~e1A zD(e7p2tdvz14xk*0BHswrG^1y*%cu8H2?xXf)*Y@sQ}3T5oGrW8UaAVk091?_jNA_A2Ak)+qO_C8W$ zvdK4w;oi>|i5*TAx9{;jXBu4eQryKg35abK{J3L%CqQ`+seeuD?jtoJJ9}f8=KXw` z_~g{kl^dpbb&&|=`Xq)Fn;!>I1< z&Gbc^*WLc!eByNGvOt@U+s##wtnPAai_gvN+TDbUu7J-iPTRwAEPuHAD^4^4P9?{FRzDT0Z6%b&@fmK5D@SX*u`qgC9{i-y@i9Rv9Y5Av#!0dr33R*f|beD%980Zz2`L_v-;M4t)d3G z?5sw<&}d23ymsn*sMLt3IwhTGONiM}h~#Y!reGEtM75f3+rC{#;2TsE6KuX(3$V6? 
zA4MPL^eWMQ@55F_agbX1&$ja%}f!3uVa@q3L2j)r3Y`V?^0h zWre|0iE<^jhsz@-vu_udivkZ5ml*=LR+=SAJlkt*vQr06bMeLIs0*CxUFj)g6&cAvC# zoN+F*wpWLbt)Tm|c}#}s^d1beuyX-X-<#l^KSkNBH1IrMn<`@xj0SJB1l=iOSZ6WK zNvn9{#J9rR6~@RBZu5`{^16_bf72+pzM;Z2Bx_wH8J6bj{y>y9AgMa9;8NM+C`xLS zLT6}l_|3RgI0;Ud+E<_%?#Hh_{)%eiWm*&Eeo;sWr}(wYK(kpU2l#?kN>}frn$0jlX^&|GJOEV%>Gt z0K2oTZCeUmrk}x$@lwD!z9_GltsQb1_Fc(-Rr))~LUgyO*W5efc!NR2*?yY8?4xl7 z!@fnfd|^K=DBaPvW{rKBjQbN>*C{VxYg^+D;}p^@9@rwKqfo`M*1}iJSUbL-Zn3ig zO>>chhxp^7W$c^APF-0JOabTf6qC*-{3a#{%HF*1HO}d8&%}Nfs~hXtzPRLUMm&g9 zB^;irxJ2jjwsNFh2|7hOchCKNd3ovDl(g)r<(=eHX)8@1-6Q-GIPQnVOu4cAhZ`xI zDH~!P(=X@jvseqTU^r3|bk$7fduat1TM0huIQEa2kVtKA6%Mp$X?V+FLbf@M%+ESP zLSWHGdPp;V9ZQ5t)w2}P;HAA)UB)eDI>oV}!>I)MekJ*!+EH52ZcC;DiNpYW%giOZ zy-_<$-`Ax;&Td5lhR!VN8TOSz-h55g?lc#*xd`cwhV}rwv%p5Ts7`aE-7y9_Uv;Mg zwS;ivdcyL;xLDq;0)GF)@HqPaDIb?*z3s{#h zhRR6B23KV_baA}jj}oyd12fKI5)?s6VW@A$M9x}DIxYWtN6h=48*4}{Prq{s(Zsv%vFXS`9 zRyzXs>Bu*ORggMarMxXCItEfw$VIrTKz?Ua_70)l@&i6!YATY7Dh`sdL%je zciMpkxibXMF@VpxLKl56`t)*AdunBOTwCN@_|nlT0pwK9cSJl_Q%93xxjjy)Z=w$h zGnYrlj+kmvs0mRW?5ANaA!4Ia;VD~Bvzp90eBC((1 z>Qw_sZu*CxBV~IzYG?E+nGdD9CG}T9s-=eX6&khXyV5b(g6;|JuUa++1#ovfYjH5y zNg27rak5_D@pyZRy>2(uh_4&z(<~OtW;gYmrBJ`(D0;0>N(mcf!BaGG_>_i2BZOSM3+b2>xPdgUNi`&PX`r)|GXf^C0>@^2d1n z7?g&(Iwp#ccncF4%FN2e%I#zAbUhJyA~1*AuKPgbYD7(c8~Dcaa(L6c4pZW~StY)G zvI%=B%A7#v^qIpRhWbXf&__^X>wM;k^PT~786HYt1W(Hs-dB!oxGI%|iBLUe_EsiU zgU5B$2s6DeuSt$R@SV-FB9>J~*HiQ+=QlL=8zj7bj%*%c14Le>d)%XV<}AdCKJh@M9SmgbA7GQF}b9AbOqySS@7abdGOIk6#} z7YiSftJtjc!Qy>MeD*oI)ZbjPRh-T2MLe4MVC}FWm^9~DPy0eVy>Q#pTxaFm^>>bL zu!akXxLAw*O){!A65Uvn$_0rz4kffuP-u=p6hLprbH1-Jf&2G&;SwR?N$! 
zhjir$Y_=d93UbGZT~#io(=k z>b__#oDarpSQs9!Im?}-^7Za+6k#43@@uGf6GSD2Y&q6{PzXIbI`u z6pFW^a$~o%O0tw-6fG}G>Z~aH~#~RKy<%~RjV#XjHI6BN51?n z8sjK+E^G;r(L+}s*>k+Z$Gk6?pqwb2M=I+ig&U%?U)I9tqO*5QBF{9gKJuesRf)CWfR;Kuh9+wt>(n#sXGV`cJ!mE$`h}yG48R+0VQJID6oh4vXOXDKs0&Wr^ zKOQwsVwz|MHmWXq>*_1*F1TW-j*Pv9W3|vSgInyyDB46V5*I(tqrTK&4Vp%Gt@6VW z4Z@|TeA7+E`9(*c2mx@l^OKVJ`4J&JX0UO>$x2nKk;T3^RWx5CwX|-7k=y)m>KO@}A9Z?-WWm+N z^o*aMpLfuJIf)X4)hfw!ic&o4Ir-HSzCR)16Q5R%ve6et{Q9R))}Hyd3UiNyf1mjo zx_kB06^WV?VR~axjVo4?$HxR4G%P_;TA5d@#E##*ueej5y3t?q5@7+oOYP(vq8ll6 ztn`rI9vwf*a}mRYmAvv77O%J zRLO!m=m%6^>O!NNy3k;Y!6bu4%Ct@AoY%Een>1pv_2)`d@buNiG@!9?6q<@%1xv~f z*7i1OI`90FH5S|oXJcS+Rv31d;2K?G3XCn)7D{v(hdrE!`p=s!jD`}e^`^x^j$$gJ zPUcthk9U~zd%A^KDNLW5$#tX3yaSvj6C2WIW2HI$hOqdtC;C)7vhc_&RXl%%rmRd0$^X+*i|#C((AY9PE_(|)7T-oLBmifo0zb6tU4!79~#+jwL2M1(L?$j zP%gR^qS3wsiZw-RI-6hNin?LKu{(LS*(jK)hc=*V3|$r5_=e!ewvKuyG0kL~;0}#o zG01XkT_k-X8~nCW#WT^4ocUGQ0IoDZUVfr^PC?}yGmp5`T zh3`X7)HipZG8Fng=M-zaH^?e3m-~vZ_;*i#Fiix7bfd(~uNaDcAB^9Ysj1L=6kk>9 zilKD(IpcFgSMYFkkc1*}^P??ioT^42qF+qT`_STAH+hQTW^iNG7_0Zw;%-TT;73#n ztlGKOol()bgbW3_yE;R$7OzM>st;4k79*`zF3LJw7w-KgI0Jn+){paF_TORa_{BC2 zLq+fDWGrMU9f>Q7s4bAAE;k_Z>tkYfJ%8%puT3*#Nqqch&9ujWbSwDPl@;SzI(Q@~ ze!OMUMF~3SgXxZsMW%qRZt)vQZ2TyUPf8NcxY)q*GX%r;V={UHxfF{T`C30&P``fq z3!abIC*s$%$!ip;18VZ`E$-qu@U*s3DnYH_? 
za)Ya+`zzM^S+rW@B{~gJ-=j~_Cc*JzE(U$vl`4FYL0CWHry4&RgJC^mO91+&K%QyC zeG;caMOnp!?;6t}^%qRp#=L^eQI_H7numBUvfKfQ9jy7Pv5lXaILX zNJDCpTug)emGPD^Lv>e$oDMu!_Btg2JAASItysHD;SbGmp#n?MawHdVd3`^>wVNi< zMhv;oiNe2u&Ehm}8{NTnWY$`foSmT(ca~`rf`8Ecz4JVpMX-|NK7VcQw_IIoSiW3l z$2e4k#LtjLeNX%hHMuEz<>h&zhd3)mZkkn*a5%B4wgK}QDSoNZ?P!wmk%!-QLjOI> zDtTe@IV;KSW3l2voY;?3Y?Ux%LlfBj+MPe2VZ1U_=AHyUi~z5@g)p^#f?kL2o|Fb9 zQNE)CFc-+f$!_mW>JVgXGgyCpeN!9AZ%;Av zR#+WS66M9J$*Dd8vC^0|2;1=OE#}yq{=w|Uu3w{kG{2bS^^3dXQViq8KbRkBhz|!P z!SUk_r?W0eK>Ucqs{+jDtOTXM*@4#lV$#wuN$P%KuxgjTe)`Mb|K-#F{`B|1{OQx* z{`hZy{d1DuWcTU){k2@)$QyN=E!1LhcYE`Y-KlwYv%E>v_0`o?Hiyf%_g5dUZXR#1 zKBg&Z#N6C1me$WU@Mw!Jz{iG`K@4u4m!Iw-NKh*Zex%~ilBVSniTCH-L5VMk< zHlK_B1^_#tGD%1T6)0NgoowUk(?J^F<%EAO>;+(yu;JYOj7;*U(M9+lr}*i1VW?8= zEgfj1{c+)9ixMxTq%uDc9CrIb_#BCuL6ZCn0yjTx{!>><{K*AdiN7gBu6-BNu=eWk z{qmXCh(Sk^1kH~YeFxB-Ska3>_lz)7t!~ax zuKJrp=69%cPTbevQba?rvay^l^sDp{CS(KfJ9~Po!q#(!iq-p-*TWnTHvwnp+>XYedlw0WsQ*H4caryqhr0Jb(fvj&)?PpvK{ zRn27_a8#l`ytxjWs=$S=1V9BC-mM!4QNlrURsz-IDvbL}_cT0@1jdge4Ui_9uA?XM zrQuqIU26%1I#ZTcf?VixOX%vyzo|j-kCkVGB@+ zO=%_p!9AT&SOWfqA;EK2n$!I=aea5&6Q*Ieg@0?E!&eP&+!$ucK znxL`<*tr=N6MzZ*vW4wp0@WuPWWd@xD#ThFTd4(;8fZ}bxYH=*3YKLIaZzFfltjdj zE{(e>%*Fn6My!=AU=vOwRBh%Q^`yt(tZT`iY?D|xF{J|w%xDt{hrGB&bZzjgjgiOa z3C=kxK=1eAUd^wWe_&xF-M1<@RYBwB$A!jA%;@o1%M3pfW-g;bM5Y)QVj^)dWHGO{3K*(APe3`p90sVlN|a&Gv+|HLOmg;q zNfIbOZgQ~qc8cxbQ{BYL%g-6gL60#yO+|5@%b%e*^Z`u6qLN}+Dd<00m>Dwbh4Y{1 z=}ym5xEU%x9~`gFh{*bCQR8!}ALqZ|T}h}6>CC|mBkfG9%i;WWX3MtkGyn>s)?HDE zyhQ72*}x|pI~vYyu|$Sx$qMIlhGNp=mKg__V)61-gJ_{gkCN#=EUn*%G;4^LlSbfZfp>cbA*X&sG~HywJb9_3Atrsmcnx25*XOjYnZQg?I(OOlB}%20Xw z45apEBt+g+X!pdePX)vQD`cIM_;?eV5!JI%S);1OA@|9s7VS~GC;9Q41CfW5OXJ=> zqf*wKp#t?AsqxM)raAp4rirX3M#v!8>KX!!mRLiCqpoxa@mbNMV z7Vt=Y#dTL1uvIYphMGb)6j9PEI72PwF*enTt`?KnyL5Y?356?ChF$*9=9H4?`QW1fWaX+{RWd z0WD5t5+pz3a~LGP&-i-n@SMcOj{|*!&f~|94ueEM7=B9v;zx^&LPOX88CQ**?TI;( z==c$%w?xN}_8dpIw;KpAokgPLM@o*Pw7ST3F{oUl7se9&x)Mj=u2qd3P=4?2gy@bJrnzy^kTq*^ywUP-G0`nih; 
zZ@uOy$$S(%ZZT-wVcr~`@@PzlC@iEl-_SjMF@tf<`df!do}fv67;;~N34i?Pngw=!4yb6!1Olx3hSLI>Dt75-hwJ?%;@JwzTTt- z3Sgn_TEnhJwg5k3_R<#cI>pYfECvJ7ott8=+p1C4`8@L zHRKeqxU2+2In;rg`MkhN`^*SzXnU}nMsOQ`#O`f|j8)30tsej0P?;{YR1+~&vu4*s zoJb?nCgQ|FUwOKEeKB?H7xcGZJyANRK_;!@rEIS+rhR>aLt<<@CV}H-pqp(1qjQrN zYLe105|XU*a>#Ze@$w^)dw3_|L%XlK3Q-2LdaO8woy<`pY}Xf4)PDOltRDw1Jb6|( z3Vj_p);=*VbWn^xEQEL&iDD?~y*DBrLq$`Kap8xgaTYu<{N>8 z%#RH2O@BOo#u8-qQD2ABUZLPIRO#M>XT|x>Q(3%bD8+rc3hJ|5icyu#DcYIA0gEYV z=&l_sKbzfEku}1u8R~M6-Cq-TSEGg|iir%pW+==(4L8JoOYBiYqfm#&BE$7*qsE!0 z;_AowFaF_th6No*Z-?%8AHn?z_dBvx_|Y`0r{Co1lYw2lLzia%z|*naVILe_set#C zctR23^I|CXy>C@u_qIA&;bBY9MZKHC@-z}9KWa9(C6m6oPS3exDF#Ei?~rm}>m{jX z_j#D-rKAy*i~kBhVx;ejI1C`+IWZ34IAhPeiuqH7hCZW7~v}LNJGz8wrpf zwR!Pj>~JF2dyc_u8APdPqY3QmeT*n>*5pfi8RN&1PL)lLCJ_AC&=Db7pn71RV+~Ya z0NV#pIlvT7hKk(2jJF5l3I{~@8$&_uu@7ZGk0BlzKQ6RakocU4V}_dASYul(WPwX# zGkq4{P5j8rPB#gI)zOj1#UCj!)YZ0bSoFf~@G~1kTVQFNHt4;$y)DGw1R1q)6&(^k zKi2b7QqcPj;J1xqcAP~v+q+`Rg{{MhFSj#ILmElBzoV)A55@pls>wKeI^V8_axYwtz8&&3AIa6QY zjfFbTNx@Jd{H%j>=ckF4IJ;)39e#AG%Z<)$;je{F(cjDDLhF2J2@*L!-gI)2vs*4O z(Ga{;;bTir`@Y8p*a8I=ZYGf}z>jAgZGj-e?Td%hjfOXf=e4pFxu3!Pz}vZ*7-IX^1)n$h5=0<7e&?o{W!;$$=MV_JrpT<z)qPjw|152s;5dnSK{keQRt{rTh|Ol-e0>y zjEXS@Zys`JBR2!nGBI_Ut{E!7UoaVnp=SJGQ#87>r4mcku60KDEI-~jVENo(u1hPM zHss#MduJKS!VkbEHPdoqIy8Vr*KDoJ2ub8?hDz~AhvIC0ZIrPGY`8yF5rIey)#G!nu%Ar&Tu$)#l}sNzhO8oL8BCHey{<9*G-<+VZ<) z8~R7$sawF$S15k-q%uijyA%b=WZitoHC1rphM`2f9YQr00TZU6TbLj5KmabiYtIQG z@Yi645Xu&~VW|JUU&Q>tB~;ZNi;<8x`B9Rif&3;_m27ftY!@q2d=*w`bI5me<%)5U zz!ymD{OAe-bLl78FzX5xmSpgW>i)t#4nj@?cfinH79u&yxE>RMFr%WJL4NRJy< z((7bWun#`Pqnu%XB_T4T4W9g%t!Y&$;(CgoljKD(`0r7}{JW5zzLdgxBvpuTUEGTRM9 zJ#oj$tvD4xw6c&gVo~793~+6GDveNWnh8~<&9;siXB@@5F~-&RhV_%#qnGJrvXRfJx((NiQwzU(2ya|iWR5(-ZS5nxD}kqG#a2Sk8_s?miv=d948 z^WTwp_|b@=N4&eSSxC||$56-m6my84F#KE&2n$^dHbs2UUJpkG0;>b0l5`qz6q=qc z1+&U#hr6JA!1@vZ;x}OG zR*eFEwSl+$BM#f2ZmEGGZH0KBX!QJ;$1Zx@p`it`9PjHo_T_N-k`Nov&{L6c$`w6| zc~X)??8-+K*NyVgW|>=sRC_iNyO?&gMfky+qq#nqc``b<0uuqx(-SKknON^=Q3&-V 
zH`aO}Ve(`*Hd$#W6fk$t&sp`o(sXB8UxNL{0wE1EvLmKRH3YW6`7HF!%!g^p~yP7c0amwx^}Ib z{43hRwP<9uqQf&7sv{$+z*R#fB@zZt@_@^IsHbD2XYz<1;mIOi1cfJ!c%|{cP}BG= zQ1PP-yZ)6d(*|QSTBo`aZNoBD9PT|~F=Z@oIBE-H#G`XJm&&Y#T$fO7Ak9W`V{^OU+xOV<4~B59*6uWgfn)_5>42=+UO^`>v)m{I|i{= zFlk5T&8)wWHFSdX4MXu;M75Nksb9`e$W}h>R`!ikAHTVnWbLr2;JI_A({QQ`cTmzO z7+&xid8EuwiWV6REL#{hyH0c9HnMK63r8w@7@N?hrnk zxMg`1P@9DM2pC@spK`^dT!M4R^7VeA`Nw~m|2Y38T)p~euaND-lVy179uvpIP;Rzg z+U=>csbp=|nzW-Bs>@muTkCc>q#!|XWefg{!lqY}AQ-ZRXp1)1f5K3=_3c42lw_TP z94+++U`hb9{Ys8khEl69JfdbOnz~ok(JSQGL^HG=;hy$qL?k&g6hM7>Fc?EIQ+ssw zglhG^s-II7Ba!f=5U-Z8V5lMbHn!b0xpi?fzH5P?leXx17ZKH89`~Z^+?lJ$ETzyRD*U9rbPuF5ox+)c5J9b4T za*?jJ#(W8vP>j7s&K`y;px9BLI}Iy{Fi)Ma`Ver#Sy&AHYv|jJTNfEBd#a7H6@&B4 zKXgAK#+|`X%X6H*y3kE4+y)+Vh{aICGladk{Ww#ZJ!;IXR4|Q)A@g{t-sGr!=$C=`3IMn?YLUQAN+1ll~(ne3ZA?2N8(p|_HU9;|0@1xR22K|#l$;Xm9Fvl zzQcM1JAK;TCQE5rSTEBjnN}}Q7E;v7&ByuO1IDWp zZNZSI?2l`w$(;-QS#HPpGAsMn7l?{Dv@^Xl7+$%GzVa6PyY^qds; zxn(F3dSc9;C&h5fP#n}76vDm(br$MImvt+ag?aiKPV~;obAcEm?e>cal<g|umWLyN?sLHSM=f=aAc6em&gV=bYluoPY<@z%01i5-nY1%;jSOA;nO zT5_Py0Q9e}7Fsr0gn4^0ZB)u*?sM8)xVZJ0TbC-DhJ}WI07wasR{t#+p0=oG*G53OO6)aA*21CK3u5fUoZwK#a#Ky{}g`=#i>uWTEPPfU$ zL|9LlNfvxjl<>h-C&4PJG(fitRZ)%{{_Y6RAEKl~jc9VXbJS>kvxBdT$+o_5l=lp9 zC-iA)g=DO=a#T`!2)_`)1akov_YV*BVCToG=#-6CuKL$~Rq5Xhy&*AFj6GUa)gIIP zrkIX`q;DCyfE{_0M@9VJauk^zP4Fz2t4bR{h=gku!74dw&W-?~JS478Q3Zc*8A`}L zsjb+^u4ofja#SOW8yqgwF&rn&}1u%c93!wQ;@`PfP zSvz84#Q28;FDX2pkM}9^I1(2D4 z-WN^AgA#X6-Nu&oxMir?e11bT$_3bk_%r-D0>eZ$Ko;mo5rzuSXSV@~kst4&F@^w> zne9s@rhm@SX}rCd?(;Xme;#mt^yz%yYu!3U{l)e?^b9ql&p@v$u(fT0Hv6HFXnJN7 z@Z)6DCWwokx|q=P8^hqvrXpc*k!(zsc4C;kuqhRFA-4;ypUmhSp_US(@iFVqh2ZyZ z5}$tm$G>l`K4d!mLL%lzlup;Jv}JGFJT*z3*FIbS?3{Im($nsgLt^mHHu1srkqJ~B zg{QwmAM&F<-vc#2-m@RkzK6;l??y;$-Eow-wug?XgfF%y*^L5tiF@vYldMWIT*tMT zR=m4oC3dYU(U};i`D#7UhMv_}e$rs9E#0l0SkB84hcxZrJj73&(+d1ZQpDh1DO-WK zh|40nW21WQ{{7|C-^8c?_%&%8r5tanREybdbkxw@#YC`A^p`Unv%FD`DahJZOZs9T zg+6juX4rvyR|SHni0~ap&Fk+4ogbTeR*MOmCA7h_EQ&-fGm|{aC5FeqdX#BgkTkq+ 
zD~xI}H=Bmbk49NAh-D`=ZYDQ6$5fVb;Ua_DM&d6B>A5yqY-kA*IX^0O6gkQaVGy{H zB}@U03z?|!u}#?R`yLy>suAfXUy(K9?=B{o{el)iPPr&T)ka?-PCTz+H;0A+QyH3~ z*a~D~4!q4pufmg6qdV&OUxjcil16*go8w=sL}sae6-qjWszML0hVjZ5ykX zbH`9$dvaihTLRnyD8K}0SJ|Wxt9fP@s#atQc_4|Gfl|{OEVHRz{oQO*6T8;F5Bcuz zom_p#Q1biR76!Pxm?ZdU{L6(*C8^m93m`F$t3&h4L81QZAZ2?W@!E=DLrUpH1Jl`?4@k9X;mxv92BTJ0SbQ z_p+8L9^YqO6DTvxdUQ;}GLLef1|{L}c*TE&YzlrXZKo;xl;7>=^UVf^66B|Q9hGiI z=@PNz^kO39FU8r|Vlc&!GAhRPm?*dx(-(j32sW*36>@Y@p_F3_-!y9#Dn`g=>k8P% zm8-vFs5Tzg1VaGJ%;#lRW+j@gpl9>NM95z{%6G)a!|B7!aTC#p9!^e^u+fg}1)IES zJ6VXJxn)vmrx1Nw%21^IWle{HBwIWgpH^uQ1#E?It-#iE%y?*0>*ux?54S7Xc>D+= zwYvHc>=kYx6XvGCqrTOi7(Jc+?fgb z@jE83xLjpeG*&UxiyzZ$hQfm5$6^GLLd8+zeShGJK~@#7+jzNnHwQz(_c6v%`HEl@ zkcb%a!4aZC`_+eTWIqh^XyBKs;5Vgbhkdb>Wj_RbeAP(vCV^h8gxbgX zPluZz#99{`79ep}6`?zZI_!r*PQu$p{GAH)8r_X*i;JnPpW7B8=xh9Hbkr9^N%g}h zUlIVuP!pYAw$2F#W2lAxO~a2FikzEmC2OFxLxOm?5<0byy0t2%U)rC3od3~&7XI#i z8m{@b4UfoH;m5wB1MFRV)&Ejk@gL|4CZRH9VEY3g)b0u|+0?~a!dMuYu+JESV(ad1 zbtfvNC{6LZi%Fv&0&hMS{SAO;paKRS!;jE6U=bBqp{<|zuB-)oQn+v}oc33DR$Ba< z%?(cE?F9oSOcg9ce7O0@7GTKfUeW@4#hPE%91Nw`&uR`!4_pQ@36&qWn+W9uxjiD zKF=#*t)QGFDhx&7UzvWzQ2l+f{rH6!Q=8qq90F3HgB#Tv5wyPIg?sN@98D(V-ix6yiNjcpruX zHbD9kyY~xNNlO|ECr0C;*dBTY2x|>%Ngt;!_U&I19Va%kyLJS3mdr})SU(#aKNd6D z4#rRRe0L-`PW)xJ=SIe3EF4Z`goZOd+Bx^CZ#TZ+g7|_3M*#1y($Z0Z7RRPI{ z;lye7XQ-#8A+T*|DYt=;=s0ti9^Kd_Wy3!602JJ0^x5B_$Sbi>`Vl4<{b zs5x<-gOkFQCLWI+;`on*%!v>Aj0_Cwz+i}M$8oo#s!2lQM2YIo+8s$+NU)$&cib^b zrW@JTGaGgJ-+uVvJ2n+3u60E6d}yr1`XdUL`#mdx_kLi&fGG58vWcU$hRYoM zAu(}cVUd_-Arix8En}T^AfzyAyG4QAI>zp~XC>j@$8sof+X@zYZyQ;aZW=E? 
z-qtJf$Id@i((6Q@`EDX1@#9P5N!MpJ?7D#l$C0g^aFTp}htbVSmL2ZW$Rv2bPwcfr zdJtGDE0mdwT)Y@+wA(;bScacQAt`t~kjzY8tuWa=UsZyPNV#XI&OU->58;xXZfy0F zBIVES8OpKm0fQOX7(eCU_vB?lqT)n}j-VQjV?uqGq~{EyqZ)iK-HV*)5;603hA9b+ z6C*kf4GeaZ9CGi_eaDXiy)8h7BI$g7T=a}p6ha#U!UfiY5` zJFJ;Li*|!C)LTCV%clLwCVR8|G0vXMY`EkR zemv=TF~=4B7d>)0%B&yg&pwpZr!|NJZxUIi$??lkKm7pSL-2x>4{G8}N=1{y_hJ(2 zaav(zjwfwaJ);LpZzT-H({TWf5^r{&$4^Rrl<2LN8-|SL`xFGeXDEFB-JtWMM{im{ z^PZu+`KbxJ&~1F~?ma_I^OLL5fvpp3TQ}-+hsP|I{S|qcw`LZuEp%q%*y^|zVJLfk zvb(1hRNJmnPK6nog@nqFFP(zwtCok^{Iio<{t0W%l<*^bSt1fNKfZJdbmM$zFrtwf z#%{$7mB`NrIh$V2R0{?z-M{aPU+v6aEC<)?a*6YzlNjoUpF$2$;p?%?kSjVAQ=QBc!Xq_DKeZ`L` z9m2Kil<5s#bj!?2ow>?8_{F%5AhGZ^FWCV6SQLHGgZJoJ1Bs9yRXT{!QD470^G+Cs#bLM^avZ{{P$u}oZe~(R+&}m3o3OfI`@HQ^sLym0}mLY6jNxfp$lY)wu)Y22DGt}AcbIOyIs#GJ-&8lUn zmAwz?`1B>=@ncNqz;g<-X9Tt~)Wtpv?-I5uycD9IUCBmz6!YU)2PURWpSs%Zy>8`6 zi+q+To2>?$mC31Jb2@K?+C$*Tamk6%d^?n! z7|uC^bXIq8!!sh3SSei}L)t)x+8spg^eKgomGrek=W<(z>iP8 zv;};%$h@%O{ljs8pYGhtR$&OBkw0^4 z7|ZRbv%U1QRk5?l_qnm9cHn-ld}xc6+OR+y9_B5SFwc1l2<=lV5`x7y)3w$`e=o8L z`7yq|CS0PA5WhkeX75!m&d`@FvJ)xJ=gmr7{0R1a{o451!H)p$XB8mwN&8^knI450=mCpG1M2~2RsmCCR^tv+? z9w%^mV{kHU@pNz?g7yu59H7A%h633Z44G1sV(mgJ%>egXsz#xT@A$Gwvhr(EZGaO> z0^tKg$#V6j1`Gzwly>?ADJ~XV)#?kD2!QK0UCr~tW@fcrt=Ob5-6-&5F6*a#RxooW zce64)c4Ta7%6s&{P?p@G@M=4sJJgP9Wz!D4Sd8D{ZM<1uu6FX`6^Wl8H`}Q|v-=z? 
z41J!ZvJ&}FqqkNr4J<7GSWHU8bu39_-3YL2F72FZ{V65cFbt{Nn0h8T%!JjtHT^yq zF2tU4J+P89A4A+-0g{o0=-y$vg-M&-?Hi#Ihs$QRF+xX%Qi%1L9sZu(;zu~5+)c@* zWXKlZYg6)Lro@WmF^5Hn1jvwd_LI&Lm76`RIgx} za!5P3Zoz7_DUJ2f*tiE}U9&4{tW(icHwO z*dpWdak6!O`x*I8ShKB40=#5u{WR2mnK(nq*5yav7Sh<`eg8Ll<}(z1--UucxhN6g z2Zn<0$K^LBnNvfNg0>n^< z{Uu~*9EH%ErX+TLgyp!O(4WAPnD{Z5BvgJ3==&|Z{5a91n_bT?!Op5> zyC%`_<38gv86U7QJwS6&8gYV%4-944#{fr<1r`b`w%#9GkOPsSoci(gMm1hZ&<;-$ z8b4|?iMJb8m)`am&Jm`qFghS6QNJhhGX%biQeg>HBY?&?bi4*b0rd$=)P}Utg&}%w z6eAWF#{a-jD18Far9xuYp?`f}u)`MKoAkE#!TOW%na!oc&kk$yWG@Z=d$OV46J(FOE9s$FR)utTqDocKbZ8vlt4ap9V+* zV#q$I5VkIh57A?&iax9wVTJ4~fM+q~qaGM4qVFyCp>#6vMYolapcoU29v#M1J+HSS z(<Lm=hs- zGZiEfHD8uAsX#6(7ZhF5>o7k?^pb^XeB8V%7CJlh;^C44q_c~m?)G>9xLrDyfUpwP z-Ukyr{mVv|HcQ-Ph(`*4KCqJ4-bXi4`0EAzNKkxf({9uU9%w6J(1efqo$M+{E7IPl7*?1U-i(x$HU~T3SGok2hh7>*l_u6R105&Yn2U3*!ZHs zP6Sk3{W$-{Kb+6d1wVQ_szuq4;L3$#fov7l6snYfrBZzwv%PinhW!52oR8PY?K!i6 zAM4ry`X6pw7dbZ7tgAEh5RTqBEto_$7C$O>xyJf|Y%NY)@9=5X&hxRI4c>l5hW;ES6MpZ7e5SydFIW!VjW|g7> z5FQ!oOh2iu*q{<|vQiZ+WYNk0j|`=ykAo5Iy3uW0&@v*A427ikah+B0`H`V&^s6E9 zBTKJ^#84pm)sXm6m{&vMM_=|Kg)poB6%rLc67%Yg;zvDR4T%$fICxBh2nXAU#KVt5 zc-=gw0ITiMD*BVm$g?((3jZ1jlOLnV)Dk1Q8fTlL5gaUg;SY^_Q6aDctPd)_SNXAx z18{9>$K<-JD{kO#ftgPD1`;Yi7IL^}E30R`mkvPTW2M_%sxonIlycQ1KIbzeyLLt; zeHP)64@v^$M^O5i=ll=}34tFWd9&kORszi9L-_;AQw=%WFxbJNoBu>0$It!B}dhczTUty9I!0Hkf z*FvXH3;iY9Nyt!A`RIAY=PtL$Ybj1*+m}mHRPd3Zka7UHDD=X|TpSPznC+xQ*?n^% zO`eLKkC08kkM|JA8`JY}Sfe+p(6v3)u!TO=YAePUi+rilZCa?AKfr?}YtiLJM$d3g zL}@>|3MRP|$xix5zM^N(_4U#+LJ}z}73Ob?loNLvBW;E{7URbQb{85DVwf?=YKHeR zK7#ImHZ{gvEjp7|nE3+Jrp>F4E|c-dN||{w80x+jAza_&jjrss0DEpUiHa*L+a2PW z%J7s2OKZb`p2-3WMhSW)XQj=23Sii@rwjRbc&9}^Gi!;8nBmPbO?6k%ZVOiG&aM?; zQ_4|69$0pUDzm-R(N4RN(D>0YS?6M$x<7d;RMTM516YO%n^)-zPm(zKv9cYUm@5Rc zwCy3e!HYj+hB-qR(JfTrTES`Nhv06tkwxduaCMW>6qTVq^iE@VU_jHXun66~oLJRC zL||E{Hvj5+$#gaDwiGIc($J?Tr&A%o(K>N_%z9~#7#osCx%wc*oDJPJjAw{zr{nbyQSa-yT4^8!74T4rwH%n*o#(X&71o zhj!?0P#PShOF%+8gb}1uQp%xA;v2o|Uf;|2ertWR)|vCqJkQMDzuafee$G$vD@i{Y 
zv-4j9AWdS|xu}`h_TwqozR03i`&nNmxC}J1c)3-nZbPNJ_$~oSDcizu5g%?&K_sOs zO2#yQy5zH~CI|bGGo*5p9s`zFHl^(}^?|DID#jQUXns)Gw9(opKR#nr$oN4MO_5#3 zF+1L^ohw<~xQ({@dM+0bmqW~Cb1Jk?XXDzEQq{bq)5N6a9~8Q1E>4 z>U_fPT}a=bLb~K9*1WpEgx`;yweig&F>D`4$h7Hop3()CO7Dm_rJ$P1=|PKndf$Uk zjq4PPkny@K&K(yQ#04lSRx}^vxu6qHiNLTt{|mfkow3PdQX)!L+MX;hJXMH-w1f_r zL7cFP>NtABi-qK()h8_&GMOv`3R!2@s%J;CK@ zBH)h^(-B|%3|~xy%!_zX5iSj=RlV_9{e1-)ja=8#V-o4~${; zXHsLTHlqqOm_NU^ajMYM9c)!|u#d0v46x9G7KDWl3;Lx ztUhFEdFHPpg``^s$VCuB#=*&(cz{wsPII_H^*>*>3SF*xF z#+2pSrlvwb1}XT$j41#Xt!D)>U}(MU*FKR!o-Ch=t2&tGyFZFcdvEQ^co^fu0CWN@ zse=AMtuSX}i6MwQ_W(wP1H}TY9-WyrGK2un+pV}CO%7YY1`z*hiz4+y4x^FCUZA#M zrAIzB*~6bj@mpb2jyoJ}3EySI4X{b3t$J4C`tbSS*yjO=`$vOGam1}?wJ*X>KDzq9 zlIZ%;mJYhbs9x{Z$dwK{Sh3Zg*RyOeP*Yg$dxwS*GBhYDc>Tmu_gtJ%aNqo3) zZh<%H)j3W4o^ws8L76j{byknFGQ2j`FuG0uecgchnDYmdwmRk)K>qF7wvJ@Nrrr06 zVI*Fl0H0gmIQDhLTC>NSx2T_M+C$FH zs+pVJh@-Bz$e4;>#a}xkVMz*C>4(c-HaqKgt&UHi>X$i5+u3wW!tSN z^fX)?_fXe!=bUG+D}C$D$bd?@<;g6zG0DwL$0D$6uNdW#9{}cEn{ug6t?lH$faLpN= z`;xIwbv~~8Au+4QxWwMaq`1@j>YNa?AS|fZk4kv3(?k-sH?31px40W#3-)-5NL&M& z?CHFUZEc~FlT2aRXUFGFQe)g~m%0w)ZiN+Px^tAvVd%mFG;vBvb>HNfYs+4py|Mhj zvrOemr~YF;i$7qDMlBC4JzHVlWHKtZZIDXMI!E4^|L#k>irsjsksJCsj0oJk749d( zt%x#+^*%jFKz$@mhKq&vo3cN7RgI+c#u|5hpl8nLqtxhm4mtVQ*x>P1Odi=mt_vh#lDQgMXZbRd-(ITPgVj{2!b{N4{HInFq$@z9IryKaOIXtFVP%GWh{#pij5)!A3 z2@LMx{DM6y8Pz<)r_)Zzq27DEHhQx~Hj#ABYzA7ZE&IaxY~C&3JI2F~{bWn7TwZ(* z4ujdr$!0Hf5>o{2*heaEE*4#&NyyxL6q|z!;Kc**ipdvgJRccCfdSb%!Gl3MiW_md z#>c6(5p!99g+3I|wCfE%5;l5py9BsBqSerJTTQnAwHErasF?vxk2l84YmPJaRwoz5 z9b~cY!}WSZ@*yFjVD@0oMNy10Qroh3GP;RlDS}b2cs%Uh6qEPW7$CwLbZ?KS0HOVpT?LOO-#*3R4!FWpF{JLAa*U~#s^X75< zFiWRN^hmSvAm%q&hEz6*0wD}9o)!ed=yjdtKXberblH7|133=UN{g-yGGXgQg^}{xU;0>cH6+q z`opVl<3nXxBH!4^&oM0vtk7_GM=zfKwND>nLnP_3t>$GeXt6cXu{Es+3XSNmODt|% zFuuP_N`5IoaXM9n)x6kZ?|KI9{$LL$GD( zGLKbKeUtK*jkd&r+EQO~@g{vxl2q@0Lkh#D`ny3-XDS=m2l{u~ZCqA1yjo=zvdtc6 zZc}xY^ZN28EO|_+h-b?}w<@LDVwz95LH1>3HNtZi8fhwg70TiU4lxRw@asy)43S_% 
z_!+0V*?^GQ(^sUFKPqZv{vE-#b7TG*Ask)J(S9FH|(nJ!^}fWQOLbfGlTu(IOvu<$qWwD#aom* zvQ_~Ck)mI?tUffTi11VG6j$6&`XT^+-51I=ZE~s&ujuRx z2}Sl4PU)_l@Gl=-bCfXfc4!s_3SX#Sl*h-5bpxqmy?oqUg~t8)Bd!aCH#$+k+r(WP z#9c>R2Z#P^4wO zzr)11B$hetp$OQXl^mfkc`Xn}YW|ZKdrY*|wy3sYsAS{k0g0>oauvGwsb1~R#fUTN zyjiSo$5rxQhw(3k;iry^JDsg_@a^3*X_L9)u3*uQnG1l^41eV_`vsq|7Y~{%c4=me zv3f3aRx)TF&PPPKuDyyqTE0jFLD$_*WE*pfX8KY+HZh+~;C0++#h!fI`$QD*74wWJ z@qs^%jAUy-x!BnfH&BzwM@Gh?b88>t0w)`9G-tG9YrpE!SQEt)R6rv=t_0kC9SCY2 z{WJ$6*lm82f>|a&&Mc@GlWb}Ng}jWYzIimSGCrG@dJ(Rzw6e`PoYxC)A+byDzWoYz zRJ&0v;>~uiKb)L{YYmVt46w}`iVJC_t#k0sCI*#{eX!l0Rm8ycA3BVPU1c0^%!CYF z(?JFu2(s+eAd4yTRhFvaWK((6>s8RN#|Nl=TWg-I)-h{mxZbgFITulpEDboUD=Hmw z`|#A5ucS%bwaMXiT4#7oqpsK_bW_G%MI^zz;gVy+@yojxHwsMiQ7z*4IjPH=9MZ`i zjWjCFb6M!FY8U<(0T7lJg@RQueR&`l(<{1!~etO77*_zK|eBV5H1xL4vAg+Z^)6io8kVk(S! zJyMj;7zx_NviuE-!r?Pzaszi9d zc=+gqELgC{m@8nA9+=aHnqatgoI^U)5w@0v25~+*!9KIsR*wiCT7T2l^ z)PD~Y^gY#~1PK7(Ky+^Sf93pN!p&B$u8zN(HQhOvIX;|gQY{Qv$ppj)lc*aloD7JK z(^9WOi#?Oi$k0qdWL|Q8sp_30PN99Q`moT~*SAo^ZXvJkG@iO%AaD=F0?G8syi^O` zxET|9D*wJg(*p~(rw5!e?yP@riW@%WBz>DLp`8t*khBr;$umit>-tLU(`bSYmV%>E2(dJu;-Rf!7mOx$lE_-s>9CpN;!Bnq}kA$QT@u|J$Ze3lL8o!j>@z=cWA1 zrhobGe_HmpFZU#BV1@7zC{+@H0Lso=`K3^oc`{xC&#TVv(Bb6mJ*ua*B4#R-J`9$r*wkB}m0~SU?FRlpNJG%#2<>3D6smA!YKx zqi}lMeIG@!ctj1S=mBYL4DU;o0sVMq&wRT*ied?9JRX_0#fI3bz}I^AJgoH*_o(i4 zS)*w{d@YD6$2@_BRv>z*WdIE=Gb$2ip^zX!Pu;C$kw3LfGVbv`$Z(26E>p(KL(Dv_ z*5K{Nm51NX;%DiJ^}7TDhM#yyA1pc89K2Cllz)DE`RNSmIeVUjB>a#Iim$DXgiM0+ zN6KBPPeUaIF_WJW2La;v`vpeKG5}!XYOM`&b@Sl0baVSPxp&cE=uQRZuTLU;kMM6O z;tWRW`cJgAE6Dc0!K)wP?q;AN(DZ+q^KS+)(oX~_LRH@LxvjJ9U+=%AtiK|L6EW$FJ2(%)sdD`)=?3({9fl>d*o{awPli{pO?gQlYH68>2# z-(|Vmp#Q^ylo9uvNqApQVjQvUhnf0v89;JcaV57;v8 qH~9a^OLuwhM)@BejdYa%7W3Nbs0c6mRlBhP69`w#$w1UM!2bZuaj`G}