added ARG queries
erjosito committed Jan 10, 2024
1 parent 04985ae commit a477dcc
Showing 14 changed files with 4,937 additions and 45 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/translate.yml
Expand Up @@ -105,6 +105,9 @@ jobs:
python3 ./scripts/workbook_create.py --checklist-file ./checklists/alz_checklist.en.json --output-path ./workbooks --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size medium
python3 ./scripts/workbook_create.py --checklist-file ./checklists/alz_checklist.en.json --output-file ./workbooks/alz_checklist.en_network_counters.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny --counters
python3 ./scripts/workbook_create.py --checklist-file ./checklists/alz_checklist.en.json --output-file ./workbooks/alz_checklist.en_network_tabcounters.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny --tab-counters
# App delivery
python3 ./scripts/workbook_create.py --checklist-file ./checklists/network_appdelivery_checklist.en.json --output-file ./workbooks/appdelivery_checklist.en_network_workbook_template.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny
python3 ./scripts/workbook_create.py --checklist-file ./checklists/network_appdelivery_checklist.en.json --output-file ./workbooks/appdelivery_checklist.en_network_counters_workbook_template.json --blocks-path ./workbooks/blocks --create-arm-template --category=network --query-size tiny --counters
# Create the PR if any change was made
- name: Create pull request
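Review bot: the two new app-delivery invocations only produce the `appdelivery_checklist.en_network_workbook_template.json` and `appdelivery_checklist.en_network_counters_workbook_template.json` variants, whereas the ALZ block directly above also runs a `--tab-counters` pass (`alz_checklist.en_network_tabcounters.json`); if a tab-counters workbook is meant to be published for the app-delivery checklist as well, a third `workbook_create.py` invocation with `--tab-counters` belongs here. Separately, the new main-workbook line passes `--query-size tiny` while the ALZ main workbook uses `--query-size medium`; confirm the smaller query size is intentional for the app-delivery workbook.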
67 changes: 35 additions & 32 deletions checklists/network_appdelivery_checklist.en.json
Expand Up @@ -2,7 +2,7 @@
"items": [
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal.",
"waf": "Operations",
"service": "Front Door",
Expand All @@ -24,7 +24,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - App Gateway",
"subcategory": "App Gateway",
"text": "Ensure you are using Application Gateway v2 SKU",
"waf": "Security",
"service": "App Gateway",
Expand All @@ -37,7 +37,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Load Balancer",
"subcategory": "Load Balancer",
"text": "Ensure you are using the Standard SKU for your Azure Load Balancers",
"waf": "Security",
"service": "Load Balancer",
Expand All @@ -49,7 +49,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Load Balancer",
"subcategory": "Load Balancer",
"text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).",
"waf": "Security",
"service": "Load Balancer",
Expand All @@ -60,7 +60,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - App Gateway",
"subcategory": "App Gateway",
"text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24",
"waf": "Security",
"service": "App Gateway",
Expand All @@ -73,7 +73,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - App Gateway",
"subcategory": "App Gateway",
"text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
"description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
"waf": "Security",
Expand All @@ -86,7 +86,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - App Gateway",
"subcategory": "App Gateway",
"text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
"waf": "Security",
"service": "App Gateway",
Expand All @@ -98,7 +98,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - App Gateway",
"subcategory": "App Gateway",
"text": "Configure autoscaling with a minimum amount of instances of two.",
"waf": "Reliability",
"service": "App Gateway",
Expand All @@ -111,7 +111,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - App Gateway",
"subcategory": "App Gateway",
"text": "Deploy Application Gateway across Availability Zones",
"waf": "Reliability",
"service": "App Gateway",
Expand All @@ -124,7 +124,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -148,7 +148,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Traffic Manager",
"subcategory": "Traffic Manager",
"text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
"waf": "Reliability",
"service": "Traffic Manager",
Expand Down Expand Up @@ -185,7 +185,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Deploy your WAF profiles for Front Door in 'Prevention' mode.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -198,7 +198,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Avoid combining Azure Traffic Manager and Azure Front Door.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -210,7 +210,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -222,18 +222,19 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Disable health probes when there is only one origin in an Azure Front Door origin group.",
"waf": "Performance",
"service": "Front Door",
"guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
"id": "A01.19",
"severity": "Low",
"graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.",
"waf": "Reliability",
"service": "Front Door",
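Review bot: the new A01.19 graph query depends on the casing of resource ids in two places: `indexof(id, '/origingroups')` / `indexof(id, '/origins')` and the inner join on `$left.originGroupId == $right.id` are case-sensitive, while the `type` filter uses the case-insensitive `=~`. If Resource Graph returns an id whose segment is cased differently (for example `/originGroups/`), `indexof` returns -1, `originGroupId` no longer holds the origin-group id, and the `kind=inner` join silently drops every row, so the check reports nothing rather than failing loudly. Normalising with `extend id = tolower(id)` on both sides of the join before the `indexof`/`substring` calls removes that dependency. A second point: the final `project id = frontDoorId, compliant` emits one row per origin group, so a profile with several origin groups appears several times in the result; if the workbook counters expect one row per Front Door profile, add a closing `summarize` by `frontDoorId`.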
Expand All @@ -244,18 +245,19 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.",
"waf": "Performance",
"service": "Front Door",
"guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
"id": "A01.21",
"severity": "Low",
"graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Load Balancer",
"subcategory": "Load Balancer",
"text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
"waf": "Reliability",
"service": "Load Balancer",
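Review bot: the A01.21 graph query derives `frontDoorId` with `indexof(id, '/origingroups/')` (trailing slash) while the A01.19 query in the hunk above uses `indexof(id, '/origingroups')`; both work on ids that contain the full segment, but using one pattern in both queries keeps the ids comparable when the workbook groups results by resource. The query also has the same case-sensitivity exposure in `indexof` as A01.19. Note that a null `healthProbeSettings` (probes disabled) yields `compliant == true` here, which is consistent with A01.19's advice to disable probes for single-origin groups, so that branch looks intentional.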
Expand All @@ -268,19 +270,20 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
"waf": "Operations",
"service": "Front Door",
"guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
"id": "A01.23",
"ammp": true,
"severity": "High",
"graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates"
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new ruleset versions and gain additional protection.",
"waf": "Operations",
"service": "Front Door",
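Review bot: the compliance condition in the new A01.23 graph query is inverted. The check text says to use managed TLS certificates, but `compliant` is true when `tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate'`, so a custom domain using a customer-managed certificate is reported compliant and one using a managed certificate is reported non-compliant. Change the comparison to `!= 'customercertificate'` (or, more directly, `=~ 'managedcertificate'`). Since this item carries `"severity": "High"`, the inverted result would be prominent in the generated workbooks. Minor: `tolower()` combined with the already case-insensitive `=~` is redundant; one or the other suffices.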
Expand All @@ -291,7 +294,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -303,7 +306,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -314,7 +317,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -326,7 +329,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -338,7 +341,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use prevention mode with the Azure Front Door WAF. Prevention mode ensures that the WAF blocks malicious requests.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -350,7 +353,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -362,7 +365,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Enable the Azure Front Door WAF bot management rules. The bot rules detect good and bad bots.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -374,7 +377,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use the latest Azure Front Door WAF ruleset versions. Ruleset updates are regularly updated to take account of the current threat landscape.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -385,7 +388,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -396,7 +399,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
"waf": "Security",
"service": "Front Door",
Expand All @@ -407,7 +410,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Geo-filter traffic by using the Azure Front Door WAF. Allow traffic only from expected regions, and block traffic from other regions.",
"waf": "Security",
"service": "Front Door",
Expand All @@ -418,7 +421,7 @@
},
{
"category": "Network Topology and Connectivity",
"subcategory": "App delivery - Front Door",
"subcategory": "Front Door",
"text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
"waf": "Security",
"service": "Front Door",
Binary file modified spreadsheet/review_checklist.xlsm
3 changes: 3 additions & 0 deletions workbooks/README.md
Expand Up @@ -16,6 +16,9 @@ To quickly check these out you can import them via ARM into your Azure Monitor i

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Freview-checklists%2Fmain%2Fworkbooks%2Faks_checklist.en_workbook_template.json)

- Network App Delivery workbook:

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Freview-checklists%2Fmain%2Fworkbooks%2Fappdelivery_checklist.en_network_tabcounters_template.json)

The Github pipelines in this repo automatically generate Azure Monitor workbooks with those queries grouped in their corresponding categories, for easy consumption. In order to deploy these workbooks to your Azure Monitor instance, you can do a simple copy/paste operation from the corresponding JSON file (for example [alz_checklist.en_workbook.json](alz_checklist.en_workbook.json) or [aks_checklist.en_workbook.json](aks_checklist.en_workbook.json)), and copy them into the advanced editor mode of an Azure Monitor workbook. For example:
