diff --git a/checklists/avs_checklist.en.json b/checklists/avs_checklist.en.json index e14903dd3..2aa2af38a 100644 --- a/checklists/avs_checklist.en.json +++ b/checklists/avs_checklist.en.json @@ -1,674 +1,677 @@ -{ - "items": [ - { - "category": "Identity", - "subcategory": "Identity", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "severity": "High" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "severity": "Medium" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "severity": "High" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "severity": "Medium" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "severity": "Medium" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "Ensure that NSX-Manager is not integrated with external IdP as this is NOT supported at the moment (even though technically possible)", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "severity": "High" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "Has an RBAC model been created for use within VMware vSphere", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "severity": "Medium" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "severity": "Medium" - }, - { - "category": "Identity", - "subcategory": "Identity", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "severity": "High" - }, - { - "category": "Networking", - "subcategory": "Architecture", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "severity": "High", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking" - }, - { - "category": "Networking ", - "subcategory": "Monitoring", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", - "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", - "severity": "High" - }, - { - "category": "Networking ", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", - "severity": "Medium" - }, - { - "category": "Networking ", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "guid": "25659d35-58fd-4772-99c9-31112d027fe4", - "severity": "Medium" - }, - { - "category": "Networking", - "subcategory": "Routing", - "text": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Security (identity)", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Security (identity)", - "text": "Is Privileged Identity Management audit reporting implemented for the Azure VMware Solution PIM roles", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Security (identity)", - "text": "Limit use of CloudAdmin account to emergency access only", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Security (identity)", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (identity)", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (identity)", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Security (network)", - "text": "Is East-West traffic filtering implemented within NSX-T", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (network)", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Security (network)", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Security (network)", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (network)", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (network)", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (guest/VM)", - "text": "Enable Advanced Threat Detection (MDfC aka ASC) for workloads running on Azure VMware Solution", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (guest/VM)", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Security (guest/VM)", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "severity": "Low" - }, - { - "category": "Governance", - "subcategory": "Security (guest/VM)", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "severity": "Low" - }, - { - "category": "Governance", - "subcategory": "Security (guest/VM)", - "text": "Ensure extended security update support is configured for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Ensure that the appropriate VM template storage policy is used", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "severity": "Low" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "severity": "Low" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "severity": "Low" - }, - { - "category": "Governance", - "subcategory": "Governance (platform)", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Governance (guest/VM)", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Governance (guest/VM)", - "text": "Use Azure ARC enabled servers to manage your Azure VMware Solution guest VM workloads", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Governance (guest/VM)", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Governance (guest/VM)", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Governance (guest/VM)", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Compliance", - "text": "Use MDfC for compliance monitoring of workloads running on Azure VMware Solution", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Compliance", - "text": "Are the applicable compliance baselines added to MDfC", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "severity": "Medium" - }, - { - "category": "Governance", - "subcategory": "Compliance", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "severity": "High" - }, - { - "category": "Governance", - "subcategory": "Compliance", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "severity": "High" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "severity": "High" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "severity": "High" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "severity": "High" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "severity": "High" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "severity": "Medium" - }, - { - "category": "Management", - "subcategory": "Monitoring", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "severity": "Low" - }, - { - "category": "Management", - "subcategory": "Operations", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "severity": "High" - }, - { - "category": "Management ", - "subcategory": "Operations", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "severity": "Medium" - }, - { - "category": "Management ", - "subcategory": "Operations", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "severity": "Medium" - }, - { - "category": "Management ", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure ARC for Servers (ARC for Azure VMware Solution is not yet available)", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "severity": "Medium" - }, - { - "category": "Management ", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "severity": "Medium" - }, - { - "category": "Management", - "subcategory": "Operations", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "severity": "Medium" - }, - { - "category": "Management", - "subcategory": "Operations", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "severity": "Medium" - }, - { - "category": "Management", - "subcategory": "Operations", - "text": "When ANF is used to extend storage for Azure VMware Solution, ensure it is used at the VM level only for now (ANF as NFS datastore is still in private preview)", - "guid": "ab79b188-dab8-4193-8c9f-c9d1bb77036f", - "severity": "High" - }, - { - "category": "Management", - "subcategory": "Security", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Backup", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Disaster Recovery", - "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Disaster Recovery", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Disaster Recovery", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "severity": "High" - }, - { - "category": "BCDR", - "subcategory": "Disaster Recovery", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Disaster Recovery", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "severity": "High" - }, - { - "category": "BCDR", - "subcategory": "Disaster Recovery", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Business Continuity", - "text": "Use MABS as your backup solution", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Business Continuity", - "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "severity": "Medium" - }, - { - "category": "BCDR", - "subcategory": "Business Continuity", - "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Deployment strategy", - "text": "For manual deployments, all configuration and deployments must be documented", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Deployment strategy", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Deployment", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Deployment", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Deployment", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Connectivity", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Connectivity", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Connectivity", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Connectivity", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "severity": "Low" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "severity": "Medium" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "severity": "Medium" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Scale", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "severity": "Medium" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Scale", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "severity": "Medium" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Scale", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "severity": "Medium" - }, - { - "category": "Platform Automation", - "subcategory": "Automated Scale", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "severity": "Medium" - } - ], - "categories": [ - { - "name": "Identity" - }, - { - "name": "Networking" - }, - { - "name": "Security" - }, - { - "name": "Management" - }, - { - "name": "Subscriptions" - } - ], - "status": [ - { - "name": "Not verified" - }, - { - "name": "Open" - }, - { - "name": "Fulfilled" - }, - { - "name": "N/A" - } - ], - "severities": [ - { - "name": "High" - }, - { - "name": "Medium" - }, - { - "name": "Low" - } - ], - "metadata": { - "name": "Azure Landing Zone Review" - } -} - +{ + "items": [ + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "severity": "High" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "severity": "High" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Ensure that NSX-Manager is not integrated with external IdP as this is NOT supported at the moment (even though technically possible)", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "severity": "High" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "Has an RBAC model been created for use within VMware vSphere", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "severity": "Medium" + }, + { + "category": "Identity", + "subcategory": "Identity", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "severity": "High" + }, + { + "category": "Networking", + "subcategory": "Architecture", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "severity": "High", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking" + }, + { + "category": "Networking", + "subcategory": "Monitoring", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", + "severity": "High" + }, + { + "category": "Networking", + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", + "severity": "Medium" + }, + { + "category": "Networking", + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "guid": "25659d35-58fd-4772-99c9-31112d027fe4", + "severity": "Medium" + }, + { + "category": "Networking", + "subcategory": "Routing", + "text": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Is Privileged Identity Management audit reporting implemented for the Azure VMware Solution PIM roles", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Limit use of CloudAdmin account to emergency access only", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (identity)", + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Is East-West traffic filtering implemented within NSX-T", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (network)", + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Enable Advanced Threat Detection (MDfC aka ASC) for workloads running on Azure VMware Solution", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Security (guest/VM)", + "text": "Ensure extended security update support is configured for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that the appropriate VM template storage policy is used", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "severity": "Low" + }, + { + "category": "Governance", + "subcategory": "Governance (platform)", + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Use Azure ARC enabled servers to manage your Azure VMware Solution guest VM workloads", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Governance (guest/VM)", + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Compliance", + "text": "Use MDfC for compliance monitoring of workloads running on Azure VMware Solution", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Compliance", + "text": "Are the applicable compliance baselines added to MDfC", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "severity": "Medium" + }, + { + "category": "Governance", + "subcategory": "Compliance", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "severity": "High" + }, + { + "category": "Governance", + "subcategory": "Compliance", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "severity": "High" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "severity": "High" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "severity": "High" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "severity": "High" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "severity": "High" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "severity": "Medium" + }, + { + "category": "Management", + "subcategory": "Monitoring", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "severity": "Low" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "severity": "High" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "severity": "Medium" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "severity": "Medium" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure ARC for Servers (ARC for Azure VMware Solution is not yet available)", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "severity": "Medium" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "severity": "Medium" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "severity": "Medium" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "severity": "Medium" + }, + { + "category": "Management", + "subcategory": "Operations", + "text": "When ANF is used to extend storage for Azure VMware Solution, ensure it is used at the VM level only for now (ANF as NFS datastore is still in private preview)", + "guid": "ab79b188-dab8-4193-8c9f-c9d1bb77036f", + "severity": "High" + }, + { + "category": "Management", + "subcategory": "Security", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Backup", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Disaster Recovery", + "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Disaster Recovery", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Disaster Recovery", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "severity": "High" + }, + { + "category": "BCDR", + "subcategory": "Disaster Recovery", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Disaster Recovery", + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "severity": "High" + }, + { + "category": "BCDR", + "subcategory": "Disaster Recovery", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Business Continuity", + "text": "Use MABS as your backup solution", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Business Continuity", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Business Continuity", + "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "severity": "Medium" + }, + { + "category": "BCDR", + "subcategory": "Business Continuity", + "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Deployment strategy", + "text": "For manual deployments, all configuration and deployments must be documented", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Deployment strategy", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Deployment", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Deployment", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Deployment", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Connectivity", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Connectivity", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Connectivity", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Connectivity", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "severity": "Low" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Scale", + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "severity": "Medium" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Scale", + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "severity": "Medium" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Scale", + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "severity": "Medium" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Scale", + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "severity": "Medium" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Scale", + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "severity": "Medium" + }, + { + "category": "Platform Automation", + "subcategory": "Automated Scale", + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "severity": "Medium" + } + ], + "categories": [ + { + "name": "Identity" + }, + { + "name": "Networking" + }, + { + "name": "Governance" + }, + { + "name": "Management" + }, + { + "name": "BCDR" + }, + { + "name": "Platform Automation" + } + ], + "status": [ + { + "name": "Not verified" + }, + { + "name": "Open" + }, + { + "name": "Fulfilled" + }, + { + "name": "N/A" + } + ], + "severities": [ + { + "name": "High" + }, + { + "name": "Medium" + }, + { + "name": "Low" + } + ], + "metadata": { + "name": "Azure VMware Solution Review" + } +} +