From 9a9fc83586a2f8c7ed4d5ee8b8da3270cffd8c80 Mon Sep 17 00:00:00 2001
From: erjosito <9462396+erjosito@users.noreply.github.com>
Date: Sun, 29 Sep 2024 23:06:24 +0000
Subject: [PATCH] [create-pull-request] automated change
---
 .../appservicewebapps_sg_checklist.en.json | 22 +-
 ...ureapplicationgateway_sg_checklist.en.json | 22 +-
 .../azureblobstorage_sg_checklist.en.json | 22 +-
 .../azureexpressroute_sg_checklist.en.json | 22 +-
 .../azurefiles_sg_checklist.en.json | 22 +-
 .../azurefirewall_sg_checklist.en.json | 330 ++++--------
 .../azurefrontdoor_sg_checklist.en.json | 22 +-
 ...zurekubernetesservice_sg_checklist.en.json | 22 +-
 .../azuremachinelearning_sg_checklist.en.json | 22 +-
 .../azureopenai_sg_checklist.en.json | 22 +-
 .../virtualmachines_sg_checklist.en.json | 22 +-
 checklists-ext/wafsg_checklist.en.json | 476 ++++++------------
 12 files changed, 357 insertions(+), 669 deletions(-)
diff --git a/checklists-ext/appservicewebapps_sg_checklist.en.json b/checklists-ext/appservicewebapps_sg_checklist.en.json
index 1b7664bd8..6c3d94c9d 100644
--- a/checklists-ext/appservicewebapps_sg_checklist.en.json
+++ b/checklists-ext/appservicewebapps_sg_checklist.en.json
@@ -189,34 +189,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -253,6 +253,6 @@
 "name": "App Service Web Apps Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
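Review bot: The rewritten `waf` list in this hunk still contains every pillar twice, once lower-case and once capitalised (`"performance"`/`"Performance"`, `"cost"`/`"Cost"`, `"security"`/`"Security"`, `"operations"`/`"Operations"`, `"reliability"`/`"Reliability"`), and the only effect of the change is a different order of the same ten entries; the hunks at the same position in azureapplicationgateway, azureblobstorage, azureexpressroute and azurefiles are identical. A consumer that groups or filters items by pillar name will see two pillars where there is one, and an unstable order means every automated run rewrites these files with no content change. The items visible in the azurefirewall hunk of this same patch use the capitalised spelling, so presumably the generator collects distinct `waf` values across items without folding case — that is inferred, since the generator is not in this patch. Case-normalising to one spelling and sorting before emitting would leave a stable five-entry list, e.g. `{ "name": "Cost" }, { "name": "Operations" }, { "name": "Performance" }, { "name": "Reliability" }, { "name": "Security" }`.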
diff --git a/checklists-ext/azureapplicationgateway_sg_checklist.en.json b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
index 53c12dba2..8df92d4fd 100644
--- a/checklists-ext/azureapplicationgateway_sg_checklist.en.json
+++ b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
@@ -237,34 +237,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -301,6 +301,6 @@
 "name": "Azure Application Gateway Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureblobstorage_sg_checklist.en.json b/checklists-ext/azureblobstorage_sg_checklist.en.json
index f64d13603..d348fc441 100644
--- a/checklists-ext/azureblobstorage_sg_checklist.en.json
+++ b/checklists-ext/azureblobstorage_sg_checklist.en.json
@@ -213,34 +213,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -277,6 +277,6 @@
 "name": "Azure Blob Storage Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureexpressroute_sg_checklist.en.json b/checklists-ext/azureexpressroute_sg_checklist.en.json
index ca515369a..8e8aab389 100644
--- a/checklists-ext/azureexpressroute_sg_checklist.en.json
+++ b/checklists-ext/azureexpressroute_sg_checklist.en.json
@@ -205,34 +205,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -269,6 +269,6 @@
 "name": "Azure Expressroute Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefiles_sg_checklist.en.json b/checklists-ext/azurefiles_sg_checklist.en.json
index 106a80bb7..ecb193fea 100644
--- a/checklists-ext/azurefiles_sg_checklist.en.json
+++ b/checklists-ext/azurefiles_sg_checklist.en.json
@@ -237,34 +237,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -301,6 +301,6 @@
 "name": "Azure Files Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefirewall_sg_checklist.en.json b/checklists-ext/azurefirewall_sg_checklist.en.json
index bcd244231..27d2aef27 100644
--- a/checklists-ext/azurefirewall_sg_checklist.en.json
+++ b/checklists-ext/azurefirewall_sg_checklist.en.json
@@ -4,403 +4,275 @@ { "waf": "Reliability", "service": "Azure Firewall", - "text": "Use Azure Firewall Manager with traditional Hub & Spokes or Azure Virtual WAN network topologies to deploy and manage instances of Azure Firewall.", - "description": "Easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection. For more information on network topologies, see the Azure Cloud Adoption Framework documentation.", + "text": "Deploy Azure Firewall across multiple availability zones.", + "description": "Deploy Azure Firewall across multiple availability zones to maintain a specific level of resiliency. If one zone experiences an outage, another zone continues to serve traffic.", "type": "recommendation", - "guid": "833670b0-5f05-4810-96be-dd79df30775d" + "guid": "881f08f8-32f0-420d-b4f7-f0660a0402cb" }, { "waf": "Reliability", "service": "Azure Firewall", - "text": "Create Azure Firewall Policies to govern the security posture across global network environments. Assign policies to all instances of Azure Firewall.", - "description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Delegate incremental firewall policies to local security teams through role-based access control (RBAC). Some settings are specific per instance, for example DNAT Rules and DNS configuration, then multiple specialized policies might be required.", + "text": "Monitor Azure Firewall metrics in a Log Analytics workspace. Closely monitor metrics that indicate the Azure Firewall health state, such as throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics. 
Use Azure Service Health to monitor Azure Firewall health.", + "description": "Monitor resource metrics and service health so you can detect when a service state degrades and take proactive measures to prevent failures.", "type": "recommendation", - "guid": "5b0404e7-a3be-4103-aff9-903f9fe447d2" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Migrate Azure Firewall Classic Rules to Azure Firewall Manager Policies for existing deployments.", - "description": "For existing deployments, migrate Azure Firewall rules to Azure Firewall Manager policies. Use Azure Firewall Manager to centrally manage your firewalls and policies. For more information, see Migrate to Azure Firewall Premium.", - "type": "recommendation", - "guid": "182b6ed7-94f3-434c-be79-ce6a93d6560c" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Review the list of Azure Firewall Known Issues.", - "description": "Azure Firewall Product Group maintains an updated list of known-issues at this location. This list contains important information related to by-design behavior, fixes under construction, platform limitations, along with possible workarounds or mitigation.", - "type": "recommendation", - "guid": "d34dc09b-f98f-47d4-92b7-79f77b9a755d" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Ensure your Azure Firewall Policy adheres to Azure Firewall limits and recommendations.", - "description": "There are limits on the policy structure, including numbers of Rules and Rule Collection Groups, total policy size, source/target destinations. 
Be sure to compose your policy and stay below the documented thresholds.", - "type": "recommendation", - "guid": "86b20eea-4ed0-4f79-adf4-4ff5f7edc227" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Deploy Azure Firewall across multiple availability zones for higher service-level agreement (SLA).", - "description": "Azure Firewall provides different SLAs when it's deployed in a single availability zone and when it's deployed in multiple zones. For more information, see SLA for Azure Firewall. For information about all Azure SLAs, see SLA summary for Azure services.", - "type": "recommendation", - "guid": "7f303799-88af-49d0-ae85-73ce4bf33f76" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "In multi-region environments, deploy an Azure Firewall instance per region.", - "description": "For traditional Hub & Spokes architectures, multi-region details are explained in this article. For secured virtual hubs (Azure Virtual WAN), Routing Intent and Policies must be configured to secure inter-hub and branch-to-branch communications. For workloads designed to be resistant to failures and fault tolerant, remember to consider that instances of Azure Firewall and Azure Virtual Network as regional resources.", - "type": "recommendation", - "guid": "69dcdc93-55e9-454e-9128-b9996b089e2c" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Monitor Azure Firewall Metrics and Resource Health state.", - "description": "Closely monitor key metrics indicator of Azure Firewall health state such as Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics. Additionally, Azure Firewall now integrates with Azure Resource Health. 
With the Azure Firewall Resource Health check, you can now view the health status of your Azure Firewall and address service problems that might affect your Azure Firewall resource.", - "type": "recommendation", - "guid": "dbadd7db-ba2d-4b33-bf38-3251fe3fb6fb" + "guid": "a61daca7-ba87-4a5f-8d72-6c4e61f1f8a1" }, { "waf": "Security", "service": "Azure Firewall", - "text": "If required to route all internet-bound traffic to a designated next hop instead of going directly to the internet, configure Azure Firewall in forced tunneling mode (does not apply to Azure Virtual WAN).", - "description": "Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in the forced tunneling mode. Using the forced tunneling feature, you'll need another /26 address space for the Azure Firewall Management subnet. You're required to name it AzureFirewallManagementSubnet.If this is an existing Azure Firewall instance that can't be reconfigured in the forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. Associate it with AzureFirewallSubnet to maintain internet connectivity.", + "text": "Configure Azure Firewall in\u00a0forced tunneling mode if you need to route all internet-bound traffic to a designated next hop instead of directly to the internet. This recommendation doesn't apply to Virtual WAN.

Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in forced tunneling mode. You can use the forced tunneling feature to add another /26 address space for the Azure Firewall Management subnet. Name the subnet AzureFirewallManagementSubnet. If you have an existing Azure Firewall instance that you can't reconfigure in forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. To maintain internet connectivity, associate the UDR with AzureFirewallSubnet. Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in forced tunneling mode. But the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks doesn't use that public IP.", + "description": "Use forced tunneling so you don't expose your Azure resources directly to the internet. This approach reduces the attack surface and minimizes the risk of external threats. To enforce corporate policies and compliance requirements more effectively, route all internet-bound traffic through an on-premises firewall or an NVA.", "type": "recommendation", - "guid": "55277728-2747-486c-be69-3428291856a4" + "guid": "11c69324-ff8f-48aa-9e9e-9c954e29a121" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in the forced tunneling mode (does not apply to Azure Virtual WAN).", - "description": "When you deploy a new Azure Firewall instance, if you enable the forced tunneling mode, you can set the public IP address to None to deploy a fully private data plane. However, the management plane still requires a public IP for management purposes only. 
The internal traffic from virtual and on-premises networks won't use that public IP. For more about forced tunneling, see Azure Firewall forced tunneling.", + "text": "Create rules for Firewall policies in an hierarchical structure to overlay a central base policy. For more information, see Use Azure Firewall policies to process rules.

Create your rules based on the least-privilege access Zero Trust principle", + "description": "Organize rules in a hierarchical structure so that granular policies can meet the requirements of specific regions. Each policy can contain different sets of Destination Network Address Translation (DNAT), network, and application rules that have specific priorities, actions, and processing orders.", "type": "recommendation", - "guid": "7d9cd1f0-0f59-452e-be83-de6b49710ddc" + "guid": "29a3b176-03b3-4273-b9f8-cdddee154009" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Create rules for Firewall Policies based on least privilege access criteria.", - "description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Each policy can contains different sets of DNAT, Network and Application rules with specific priority, action and processing order. Create your rules based on least privilege access Zero Trust principle . How rules are processed is explained in this article.", + "text": "Configure supported security partner providers within Firewall Manager to protect outbound connections.

This scenario requires Virtual WAN with a S2S VPN gateway in the hub because it uses an IPsec tunnel to connect to the provider's infrastructure. Managed security service providers might charge extra license fees and limit throughput on IPsec connections. You can also use alternative solutions, such as Zscaler Cloud Connector.", + "description": "Enable security partner providers in Azure Firewall to take advantage of best-in-breed cloud security offerings, which provide advanced protection for your internet traffic. These providers offer specialized, user-aware filtering and comprehensive threat-detection capabilities that enhance your overall security posture.", "type": "recommendation", - "guid": "c7600ea8-eb60-4eb1-9aee-c874efef69b7" + "guid": "f03b413a-c06c-4f22-98ad-6798b74f825e" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Enable IDPS in Alert or Alert and deny mode.", - "description": "IDPS is one of the most powerful Azure Firewall (Premium) security features and should be enabled. Based on security and application requirements, and considering the performance impact (see the Cost section below), Alert or Alert and deny modes can be selected.", + "text": "Enable\u00a0Azure Firewall DNS proxy\u00a0configuration.

Also configure Azure Firewall to use custom DNS for forwarding DNS queries.", + "description": "Enable this feature to point clients in the virtual networks to Azure Firewall as a DNS server. This feature protects internal DNS infrastructure that's not directly accessed and exposed.", "type": "recommendation", - "guid": "d8fc2b4d-a183-4949-82ff-c6130a9d87dc" + "guid": "98a53328-cf36-4d0e-b7dc-a15a8957ab3b" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Enable Azure Firewall (DNS) proxy configuration.", - "description": "Enabling this feature points clients in the VNets to Azure Firewall as a DNS server. It will protect internal DNS infrastructure that will not be directly accessed and exposed. Azure Firewall must be also configured to use custom DNS that will be used to forward DNS queries.", + "text": "Configure UDRs to force traffic through Azure Firewall in a traditional hub-and-spoke architecture for spoke-to-spoke, spoke-to-internet, and spoke-to-hybrid connectivity.

In Virtual WAN, configure routing intent and policies to redirect private traffic or internet traffic through the Azure Firewall instance that's integrated into the hub.

If you can't apply a UDR, and you only require web traffic redirection, use Azure Firewall as an explicit proxy on the outbound path. You can configure a proxy setting on the sending application, such as a web browser, when you configure Azure Firewall as a proxy.", + "description": "Send traffic through the firewall to inspect traffic and help identify and block malicious traffic.

Use Azure Firewall as an explicit proxy for outbound traffic so that web traffic reaches the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the use of multiple firewalls without modifying existing network routes.", "type": "recommendation", - "guid": "9fa0a48c-c3cb-4fc2-a02b-1182a047e076" + "guid": "5a33a8c3-32ad-4df5-b10e-ae88d9341652" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Configure user-defined routes (UDR) to force traffic through Azure Firewall.", - "description": "In a traditional Hub & Spokes architecture, configure UDRs to force traffic through Azure Firewall for `Spoke-to-Spoke`, `Spoke-to-Internet`, and `Spoke-to-Hybrid` connectivity. In Azure Virtual WAN, instead, configure Routing Intent and Policies to redirect private and/or Internet traffic through the Azure Firewall instance integrated into the hub.", + "text": "Use FQDN filtering in network rules. You must enable the Azure Firewall DNS proxy configuration to use FQDNs in your network rules.", + "description": "Use FQDNs in Azure Firewall network rules so that administrators can manage domain names instead of multiple IP addresses, which simplifies management. This dynamic resolution ensures that firewall rules automatically update when domain IPs change.", "type": "recommendation", - "guid": "a3f23112-5986-4fd2-9d64-edfb0363c08c" + "guid": "468a142a-2b62-4379-90d1-46a7d351716f" }, { "waf": "Security", "service": "Azure Firewall", - "text": "If not possible to apply UDR, and only web traffic redirection is required, consider using Azure Firewall as an Explicit Proxy", - "description": "With explicit proxy feature enabled on the outbound path, you can configure a proxy setting on the sending web application (such as a web browser) with Azure Firewall configured as the proxy. 
As a result, web traffic will reach the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the usage of multiple firewalls without modifying existing network routes.", + "text": "Use Azure Firewall service tags in place of specific IP addresses to provide selective access to specific services in Azure, Microsoft Dynamics 365, and Microsoft 365.", + "description": "Use service tags in network rules so you can define access controls based on service names rather than specific IP addresses, which simplifies security management. Microsoft manages and updates these tags automatically when IP addresses change. This method ensures that your firewall rules remain accurate and effective without manual intervention.", "type": "recommendation", - "guid": "f62b7e3d-b86d-4f84-888d-ec7f97b34e96" + "guid": "d64d477e-8277-4f70-9727-8c1db0cd649c" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Configure supported third-party software as a service (SaaS) security providers within Firewall Manager if you want to use these solutions to protect outbound connections.", - "description": "You can use your familiar, best-in-breed, third-party SECaaS offerings to protect internet access for your users. This scenario does require Azure Virtual WAN with a S2S VPN Gateway in the Hub, as it uses an IPSec tunnel to connect to the provider's infrastructure. SECaaS providers might charge additional license fees and limit throughput on IPSec connections. Alternative solutions such as ZScaler Cloud Connector exist and might be more suitable.", + "text": "Use FQDN tags in application rules to provide selective access to specific Microsoft services.

You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for specific Azure services, such as Microsoft 365, Windows 365, and Microsoft Intune.", + "description": "Use FQDN tags in Azure Firewall application rules to represent a group of FQDNs that are associated with well-known Microsoft services. This method simplifies the management of network security rules.", "type": "recommendation", - "guid": "1f1a4239-f908-4fb5-aff5-7d716d9227a1" + "guid": "f8f92e49-b7ed-40cc-ad7b-3431067dd488" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Use Fully Qualified Domain Name (FQDN) filtering in network rules.", - "description": "You can use FQDN based on DNS resolution in Azure Firewall and firewall policies. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable the Azure Firewall DNS Proxy configuration to use FQDNs in your network rules. To learn how it works, see Azure Firewall FQDN filtering in network rules.", + "text": "Enable\u00a0threat intelligence\u00a0on Azure Firewall in\u00a0Alert and deny\u00a0mode.", + "description": "Use threat intelligence to provide real-time protection against emerging threats, which reduces the risk of cyberattacks. This feature uses the Microsoft threat intelligence feed to automatically alert and block traffic from known malicious IP addresses, domains, and URLs.", "type": "recommendation", - "guid": "cac3a2cc-688b-42c3-bfb5-e2b55270b8a0" + "guid": "ecce93c9-ffc9-498f-abdf-d29a618b8d1c" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Use Service Tags in Network Rules to enable selective access to specific Microsoft services.", - "description": "A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. 
Using Service Tags in Network Rules, it is possible to enable outbound access to specific services in Azure, Dynamics and Office 365 without opening wide ranges of IP addresses. Azure will maintain automatically the mapping between these tags and underlying IP addresses used by each service. The list of Service Tags available to Azure Firewall are listed here: Az Firewall Service Tags.", + "text": "Enable\u00a0the IDPS\u00a0in\u00a0Alert\u00a0or\u00a0Alert and deny\u00a0mode. Consider the performance impact of this feature.", + "description": "Enable IDPS filtering in Azure Firewall provides real-time monitoring and analysis of network traffic to detect and prevent malicious activities. This feature uses signature-based detection to swiftly identify known threats and block them before they cause harm. For more information, see Detect abuse.", "type": "recommendation", - "guid": "8e718b0b-3ae5-4a85-9e5e-7f12ac48ace8" + "guid": "754d917c-b22f-4fe7-92b1-d0d88b5b1873" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Use FQDN Tags in Application Rules to enable selective access to specific Microsoft services.", - "description": "An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for some specific Azure services, Office 365, Windows 365 and Intune.", + "text": "Use an internal enterprise certification authority (CA) to generate certificates when you use TLS inspection with Azure Firewall Premium. 
Use self-signed certificates only for testing and proof of concept (PoC) purposes.", + "description": "Enable TLS inspection so that Azure Firewall Premium terminates and inspects TLS connections to detect, alert, and mitigate malicious activity in HTTPS.", "type": "recommendation", - "guid": "66db2147-74f7-4b4a-af65-a946369ae551" + "guid": "9e220953-da77-44f0-9e85-ccc7743e2d2a" }, { "waf": "Security", "service": "Azure Firewall", - "text": "Use Azure Firewall Manager to create and associate a DDoS protection plan with your hub virtual network (does not apply to Azure Virtual WAN).", - "description": "A DDoS protection plan provides enhanced mitigation features to defend your firewall from DDoS attacks. Azure Firewall Manager is an integrated tool to create your firewall infrastructure and DDoS protection plans. For more information, see Configure an Azure DDoS Protection Plan using Azure Firewall Manager.", - "type": "recommendation", - "guid": "0c87e550-0780-401e-9208-5464b378a8e7" - }, - { - "waf": "Security", - "service": "Azure Firewall", - "text": "Use an Enterprise PKI to generate certificates for TLS Inspection.", - "description": "With Azure Firewall Premium, if TLS Inspection feature is used, it is recommended to leverage an internal Enterprise Certification Authority (CA) for production environment. Self-signed certificates should be used for testing/PoC purposes only.", - "type": "recommendation", - "guid": "821132d4-1ba9-4709-9eb3-5906871b1721" - }, - { - "waf": "Security", - "service": "Azure Firewall", - "text": "Review Zero-Trust configuration guide for Azure Firewall and Application Gateway", - "description": "If your security requirements necessitate implementing a Zero-Trust approach for web applications (inspection and encryption), it is recommended to follow this guide. 
In this document, how to integrate together Azure Firewall and Application Gateway will be explained, in both traditional Hub & Spoke and Virtual WAN scenarios.", - "type": "recommendation", - "guid": "0ecf166e-e415-45bf-bece-87a32e76b096" - }, - { - "waf": "Cost", - "service": "Azure Firewall", - "text": "Deploy the proper Azure Firewall SKU.", - "description": "Azure Firewall can be deployed in three different SKUs: Basic, Standard and Premium. Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). Azure Firewall Standard is recommended for customers looking for Layer 3\u2013Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. Azure Firewall Basic is recommended for SMB customers with throughput needs of 250 Mbps. If required, downgrade or upgrade is possible between Standard and Premium as documented here. For more information, see Choose the right Azure Firewall SKU to meet your needs.", - "type": "recommendation", - "guid": "fbcc2c4d-8026-46a9-8fe7-bdb04dbd1f20" - }, - { - "waf": "Cost", - "service": "Azure Firewall", - "text": "Stop Azure Firewall deployments that don't need to run for 24x7.", - "description": "You might have development or testing environments that are used only during business hours. For more information, see Deallocate and allocate Azure Firewall.", + "text": "Use Firewall Manager to create and associate an Azure DDoS Protection plan with your hub virtual network. This approach doesn't apply to Virtual WAN.", + "description": "Configure an Azure DDoS Protection plan so that you can centrally manage DDoS protection alongside your firewall policies. 
This approach streamlines how you manage your network security and simplifies how you deploy and monitor processes.", "type": "recommendation", - "guid": "4bf5b742-3a86-40a3-abce-a7991e9a0e78" + "guid": "fe3488cd-72a6-4672-b26b-64b1a0e9f625" }, { "waf": "Cost", "service": "Azure Firewall", - "text": "Share the same instance of Azure Firewall across multiple workloads and Azure Virtual Networks.", - "description": "You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same firewall across many spoke virtual networks that are connected to the same hub from the same region. Ensure there's no unexpected cross-region traffic as part of the hub-spoke topology.", + "text": "Stop Azure Firewall deployments that don't need to continuously run. You might have development or testing environments that you only use during business hours. For more information, see Deallocate and allocate Azure Firewall.", + "description": "Shut down these deployments during off-peak hours or when idle to reduce unnecessary expenses but maintain security and performance during critical times.", "type": "recommendation", - "guid": "4468b60f-0f1d-4af5-98cd-b4f9fc3bd70f" + "guid": "463b7549-f012-4554-a6df-4ea62350cc52" }, { "waf": "Cost", "service": "Azure Firewall", - "text": "Regularly review traffic processed by Azure Firewall and look for originating workload optimizations", - "description": "Top Flows log (known in the industry as Fat Flows), shows the top connections that are contributing to the highest throughput through the firewall. It is recommended to regularly review traffic processed by the Azure Firewall and search for possible optimizations to reduce the amount of traffic traversing the firewall.", + "text": "Regularly review traffic that Azure Firewall processes, and find originating workload optimizations. 
The top flows log, also known as the fat flows log, shows the top connections that contribute to the highest throughput through the firewall.", + "description": "Optimize workloads that generate the most traffic through the firewall to reduce the volume of traffic, which decreases the load on the firewall and minimizes data-processing and bandwidth costs.", "type": "recommendation", - "guid": "3ec205f3-5201-4a2e-b82b-1c77c9ee139c" + "guid": "ccd04d1a-611b-4c77-aef7-96d1ac1470d1" }, { "waf": "Cost", "service": "Azure Firewall", - "text": "Review under-utilized Azure Firewall instances. Identify and delete unused Azure Firewall deployments.", - "description": "To identify unused Azure Firewall deployments, start by analyzing the monitoring metrics and UDRs associated with subnets pointing to the firewall's private IP. Combine that information with other validations, such as if your instance of Azure Firewall has any rules (classic) for NAT, Network and Application, or even if the DNS Proxy setting is configured to Disabled, and with internal documentation about your environment and deployments. You can detect deployments that are cost-effective over time. For more information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics and SNAT port utilization.", + "text": "Identify and delete unused Azure Firewall deployments. Analyze monitoring metrics and UDRs that are associated with subnets that point to the firewall's private IP. Also consider other validations and internal documentation about your environment and deployments. For example, analyze any classic NAT, network, and application rules for Azure Firewall. And consider your settings. For example, you might configure the DNS proxy setting to Disabled. 
For more information, see Monitor Azure Firewall.", + "description": "Use this approach to detect cost-effective deployments over time and eliminate unused resources, which prevents unnecessary costs.", "type": "recommendation", - "guid": "514f4dbe-5294-44e1-95c5-923a199ff687" + "guid": "9ddcb977-4f4d-4c98-a7bc-daad82bf79fb" }, { "waf": "Cost", "service": "Azure Firewall", - "text": "Use Azure Firewall Manager and its Policies to reduce operational costs, increase efficiency, and reduce management overhead.", - "description": "Review your Firewall Manager policies, associations, and inheritance carefully. Policies are billed based on firewall associations. A policy with zero or one firewall association is free of charge. A policy with multiple firewall associations is billed at a fixed rate.For more information, see Pricing - Azure Firewall Manager.", + "text": "Review your Firewall Manager policies, associations, and inheritance carefully to optimize cost. Policies are billed based on firewall associations. A policy with zero or one firewall association is free. A policy with multiple firewall associations is billed at a fixed rate. For more information, see Firewall Manager pricing.", + "description": "Properly use Firewall Manager and its policies to reduce operational costs, increase efficiency, and reduce management overhead.", "type": "recommendation", - "guid": "90f29560-d536-46bf-a719-f0f95f89105e" + "guid": "a42cec48-b5d7-467a-8296-4864c6e9b413" }, { "waf": "Cost", "service": "Azure Firewall", - "text": "Delete unused public IP addresses.", - "description": "Validate whether all the associated public IP addresses are in use. If they aren't in use, disassociate and delete them. Evaluate SNAT port utilization before removing any IP addresses.You'll only use the number of public IPs your firewall needs. 
For more information, see Monitor Azure Firewall logs and metrics and SNAT port utilization.", + "text": "Review all the public IP addresses in your configuration, and disassociate and delete the ones that you don't use. Evaluate source network address translation (SNAT) port usage before you remove any IP addresses. For more information, see Monitor Azure Firewall logs and metrics and SNAT port usage.", + "description": "Delete unused IP addresses to reduce costs.", "type": "recommendation", - "guid": "e81c61b3-0085-4029-82e3-d55513288f87" - }, - { - "waf": "Cost", - "service": "Azure Firewall", - "text": "Review logging requirements.", - "description": "Azure Firewall has the ability to comprehensively log metadata of all traffic it sees, to Log Analytics Workspaces, Storage or third party solutions through Event Hubs. However, all logging solutions incur costs for data processing and storage. At very large volumes these costs can be significant, a cost effective approach and alternative to Log Analytics should be considered and cost estimated. Consider whether it is required to log traffic metadata for all logging categories and modify in Diagnostic Settings if needed.", - "type": "recommendation", - "guid": "a27d979a-c88c-4ce0-9310-9a69eba3460d" - }, - { - "waf": "Operations", - "service": "Azure Firewall", - "text": "Do not use Azure Firewall for intra-VNet traffic control.", - "description": "Azure Firewall should be used to control traffic across VNets, between VNets and on-premises networks, outbound traffic to the Internet and incoming non-HTTP/s traffic. 
For intra-VNet traffic control, it is recommended to use Network Security Groups.", - "type": "recommendation", - "guid": "bce7644e-fefe-4d43-94ea-37af4d8743f9" - }, - { - "waf": "Operations", - "service": "Azure Firewall", - "text": "Maintain regular backups of Azure Policy artifacts.", - "description": "If Infrastructure-as-Code (IaC) approach is used to maintain Azure Firewall and all dependencies then backup and versioning of Azure Firewall Policies should be already in place. If not, a companion mechanism based on external Logic App can be deployed to automate and provide an effective solution.", - "type": "recommendation", - "guid": "8b0afffb-17aa-4839-b93f-c01d990ad7c6" - }, - { - "waf": "Operations", - "service": "Azure Firewall", - "text": "Enable Diagnostic Logs for Azure Firewall.", - "description": "Diagnostic Logs is a key component for many monitoring tools and strategies for Azure Firewall and should be enabled. You can monitor Azure Firewall by using firewall logs or workbooks. You can also use activity logs for auditing operations on Azure Firewall resources.", - "type": "recommendation", - "guid": "6d52b11a-0034-4824-84c4-7383182dc4df" - }, - { - "waf": "Operations", - "service": "Azure Firewall", - "text": "Use Structured Firewall Logs format.", - "description": "Structured Firewall Logs are a type of log data that are organized in a specific new format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze. The latest monitoring tools are based on this type of logs hence it is often a pre-requisite. Use the previous Diagnostic Logs format only if there is an existing tool with a pre-requisite on that. 
Do not enable both logging formats at the same time.", - "type": "recommendation", - "guid": "99a0621d-2643-4e46-afb0-dd3e5111dedd" + "guid": "407db414-2814-4803-9b80-be5ff2a97950" }, { "waf": "Operations", "service": "Azure Firewall", - "text": "Use the built-in Azure Firewall Monitoring Workbook.", - "description": "Azure Firewall portal experience now includes a new workbook under the Monitoring section UI, a separate installation is no longer required. With the Azure Firewall Workbook, you can extract valuable insights from Azure Firewall events, delve into your application and network rules, and examine statistics regarding firewall activities across URLs, ports, and addresses.", + "text": "Enable diagnostic logs for Azure Firewall. Use firewall logs or workbooks to monitor Azure Firewall. You can also use activity logs to audit operations on Azure Firewall resources. Use the structured firewall logs format. Only use the previous diagnostic logs format if you have an existing tool that requires it. Don't enable both logging formats at the same time.", + "description": "Enable diagnostic logs to optimize your monitoring tools and strategies for Azure Firewall. Use structured firewall logs to structure log data so that it's easy to search, filter, and analyze. 
The latest monitoring tools are based on this type of log, so it's often a prerequisite.", "type": "recommendation", - "guid": "8c18d9ea-2440-4125-a0cb-c1cf35c0be70" + "guid": "fb2c3215-9576-49d1-a936-e302ef9049c2" }, { "waf": "Operations", "service": "Azure Firewall", - "text": "Monitor key metrics and create alerts for indicators of the utilization of Azure Firewall capacity.", - "description": "Alerts should be created to monitor at least Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics.For information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics.", + "text": "Use the built-in Azure Firewall workbook.", + "description": "Use the Azure Firewall workbook to extract valuable insights from Azure Firewall events, analyze your application and network rules, and examine statistics about firewall activities across URLs, ports, and addresses.", "type": "recommendation", - "guid": "05877204-1759-4b71-8938-4766b1b24fa7" + "guid": "913ed2e5-c63c-4325-8578-965c5c3c4b79" }, { "waf": "Operations", "service": "Azure Firewall", - "text": "Configure Azure Firewall integration with Microsoft Defender for Cloud and Microsoft Sentinel.", - "description": "If these tools are available in the environment, it is recommended to leverage integration with Microsoft Defender for Cloud and Microsoft Sentinel solutions. With Microsoft Defender for Cloud integration, you can visualize the all-up status of network infrastructure and network security in one place, including Azure Network Security across all VNets and Virtual Hubs spread across different regions in Azure. Integration with Microsoft Sentinel provides threat detection and prevention capabilities.", + "text": "Monitor Azure Firewall logs and metrics, and create alerts for Azure Firewall capacity. 
Create alerts to monitor Throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics.", + "description": "Set up alerts for key events to notify operators before potential problems arise, help prevent disruptions, and initiate quick capacity adjustments.", "type": "recommendation", - "guid": "0dd715ab-c76e-49b9-9616-ccb36ddb293e" + "guid": "79268d8a-5829-4fb3-a1c6-d7ee9c980cd4" }, { "waf": "Operations", "service": "Azure Firewall", - "text": "Regularly review Policy Analytics dashboard to identify potential issues.", - "description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.", + "text": "Regularly review the policy analytics dashboard to identify potential problems.", + "description": "Use policy analytics to analyze the impact of your Azure Firewall policies. Identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance.", "type": "recommendation", - "guid": "9e1b460f-0d41-40a1-9da7-89cda32f7190" + "guid": "63b266a4-285f-4fd4-a0fb-b6bb4c1ce75b" }, { "waf": "Operations", "service": "Azure Firewall", - "text": "Become familiar with KQL (Kusto Query Language) queries to allow quick analysis and troubleshooting using Azure Firewall logs.", - "description": "Sample queries are provided for Azure Firewall. 
Those will enable you to quickly identify what's happening inside your firewall and check to see which rule was triggered, or which rule is allowing/blocking a request.", + "text": "Understand KQL queries so you can use Azure Firewall logs to quickly analyze and troubleshoot problems. Azure Firewall provides sample queries.", + "description": "Use KQL queries to quickly identify events inside your firewall and check to see which rule is triggered or which rule allows or blocks a request.", "type": "recommendation", - "guid": "8f1b00a0-2ba3-4dff-b808-072bbd316a88" + "guid": "37cc2cc2-5700-4e4b-bb0b-86e6acb11092" }, { "waf": "Performance", "service": "Azure Firewall", - "text": "Use Policy Analytics dashboard to identify potential optimizations for Firewall Policies.", - "description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.", + "text": "Use the policy analytics dashboard to identify ways to optimize Azure Firewall policies.", + "description": "Use policy analytics to identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance.", "type": "recommendation", - "guid": "f3a64299-022d-492e-a095-72965cbb79b8" + "guid": "e9cf81c7-6938-44e1-83fe-0c16af8214fd" }, { "waf": "Performance", "service": "Azure Firewall", - "text": "Consider Web Categories to allow or deny outbound access in bulk.", - "description": "Instead of explicitly building and maintaining a long list of public Internet sites, consider the usage of Azure Firewall Web Categories. 
This feature will dynamically categorize web content and will permit the creation of compact Application Rules.", + "text": "Place frequently used rules early in a group to optimize latency for Azure Firewall policies that have large rule sets. For more information, see Use Azure Firewall policies to process rules.", + "description": "Place frequently used rules high in a rule set to optimize processing latency. Azure Firewall processes rules based on the rule type, inheritance, rule collection group priority, and rule collection priority. Azure Firewall processes high-priority rule collection groups first. Inside a rule collection group, Azure Firewall processes rule collections that have the highest priority first.", "type": "recommendation", - "guid": "53e42e9b-6d25-4116-87ca-6c97252e1cd6" + "guid": "4413e944-e222-419c-bc01-54f518dace78" }, { "waf": "Performance", "service": "Azure Firewall", - "text": "Evaluate the performance impact of IDPS in Alert and deny mode.", - "description": "If Azure Firewall is required to operate in IDPS mode Alert and deny, carefully consider the performance impact as documented in firewall performance.", + "text": "Use IP groups to summarize IP address ranges and avoid exceeding the limit of unique source or unique destination network rules. Azure Firewall treats the IP group as a single address when you create network rules.", + "description": "This approach effectively increases the number of IP addresses that you can cover without exceeding the limit. For each rule, Azure multiplies ports by IP addresses. 
So, if one rule has four IP address ranges and five ports, you consume 20 network rules.", "type": "recommendation", - "guid": "4afedb20-a63a-4c17-907d-d8afc5cd1b43" + "guid": "6acef044-ef2f-47b0-8463-5de890902930" }, { "waf": "Performance", "service": "Azure Firewall", - "text": "Assess potential SNAT port exhaustion problem.", - "description": "Azure Firewall currently supports 2496 ports per Public IP address per backend Virtual Machine Scale Set instance. By default, there are two Virtual Machine Scale Set instances. So, there are 4992 ports per flow destination IP, destination port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances. You can work around the limits by configuring Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion.", + "text": "Use Azure Firewall web categories to allow or deny outbound access in bulk, instead of explicitly building and maintaining a long list of public internet sites.", + "description": "This feature dynamically categorizes web content and permits the creation of compact application rules, which reduces operational overhead.", "type": "recommendation", - "guid": "cdb16c9c-fe4e-41d6-bc0c-8519a606d37b" + "guid": "0a8a6e9c-57e9-40bd-8345-8b5abbcfa504" }, { "waf": "Performance", "service": "Azure Firewall", - "text": "Properly warm up Azure Firewall before any performance test.", - "description": "Create initial traffic that isn't part of your load tests 20 minutes before the test. Use diagnostics settings to capture scale-up and scale-down events. You can use the Azure Load Testing service to generate the initial traffic. Allows the Azure Firewall instance to scale up its instances to the maximum.", + "text": "Evaluate the performance impact of IDPS in Alert and deny mode. For more information, see Azure Firewall performance.", + "description": "Enable IDPS in Alert and deny mode to detect and prevent malicious network activity. 
This feature might introduce a performance penalty. Understand the effect on your workload so you can plan accordingly.", "type": "recommendation", - "guid": "1859fa28-775d-433f-b189-6b250e51b441" + "guid": "a281c1d2-e2da-458f-ad57-d67d19b8377e" }, { "waf": "Performance", "service": "Azure Firewall", - "text": "Configure an Azure Firewall subnet (AzureFirewallSubnet) with a /26 address space.", - "description": "Azure Firewall is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the instance of Azure Firewall. Azure Firewall provisions more capacity as it scales.A /26 address space for its subnets ensures that the firewall has enough IP addresses available to accommodate the scaling. Azure Firewall doesn't need a subnet bigger than /26. The Azure Firewall subnet name must be AzureFirewallSubnet.", + "text": "Configure Azure Firewall deployments with a minimum of five public IP addresses for deployments that are susceptible to SNAT port exhaustion.", + "description": "Azure Firewall supports 2,496 ports for each public IP address that each back-end Azure Virtual Machine Scale Sets instance uses. This configuration increases the available SNAT ports by five times. By default, Azure Firewall deploys two Virtual Machine Scale Sets instances that support 4,992 ports for each flow destination IP, destination port, and TCP or UDP protocol. The firewall scales up to a maximum of 20 instances.", "type": "recommendation", - "guid": "272b1122-494d-4baa-a328-928a89ebb0ad" - }, - { - "waf": "Performance", - "service": "Azure Firewall", - "text": "Do not enable advanced logging if not required", - "description": "Azure Firewall provides some advanced logging capabilities that can be expensive to maintain always active. Instead, they should be used for troubleshooting purposes only, and limited in duration, then disabled when no more necessary. 
For example, Top flows and Flow trace logs are expensive can cause excessive CPU and storage usage on the Azure Firewall infrastructure.",
- "type": "recommendation",
- "guid": "2b20c2ea-e6fd-4570-b86f-b20bfb695c6f"
+ "guid": "ffa8eeee-ff51-44ca-a416-275bcf54be52"
 }
 ],
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -437,6 +309,6 @@
 "name": "Azure Firewall Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefrontdoor_sg_checklist.en.json b/checklists-ext/azurefrontdoor_sg_checklist.en.json
index 7b0d17c47..155f4642b 100644
--- a/checklists-ext/azurefrontdoor_sg_checklist.en.json
+++ b/checklists-ext/azurefrontdoor_sg_checklist.en.json
@@ -181,34 +181,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -245,6 +245,6 @@
 "name": "Azure Front Door Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
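Review bot: The rewritten `waf` array in azurefrontdoor_sg_checklist.en.json still lists every pillar twice, once capitalised and once lower-case (`"Performance"`/`"performance"`, `"Security"`/`"security"`, and so on), and this commit only reshuffles their order, which is why the same 34-line hunk recurs in azurekubernetesservice, azuremachinelearning, azureopenai and virtualmachines below and in the azurefirewall hunk above. A consumer that filters items by pillar name will split one pillar across two buckets, and the unstable order will keep producing spurious diffs on every automated run. This looks like the generator collecting the per-item `waf` values, which are themselves mixed-case (`"reliability"` on checklist items, `"Reliability"` on recommendations, visible in the wafsg hunk further down), without normalising them; lower-casing and de-duplicating the names and emitting them sorted would give a stable five-element list such as `{ "name": "cost" }, { "name": "operations" }, { "name": "performance" }, { "name": "reliability" }, { "name": "security" }`, with the item-level `waf` values normalised the same way.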
diff --git a/checklists-ext/azurekubernetesservice_sg_checklist.en.json b/checklists-ext/azurekubernetesservice_sg_checklist.en.json
index d79b00b2a..cd969157d 100644
--- a/checklists-ext/azurekubernetesservice_sg_checklist.en.json
+++ b/checklists-ext/azurekubernetesservice_sg_checklist.en.json
@@ -373,34 +373,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -437,6 +437,6 @@
 "name": "Azure Kubernetes Service Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azuremachinelearning_sg_checklist.en.json b/checklists-ext/azuremachinelearning_sg_checklist.en.json
index 277b294cf..174299545 100644
--- a/checklists-ext/azuremachinelearning_sg_checklist.en.json
+++ b/checklists-ext/azuremachinelearning_sg_checklist.en.json
@@ -269,34 +269,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -333,6 +333,6 @@
 "name": "Azure Machine Learning Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureopenai_sg_checklist.en.json b/checklists-ext/azureopenai_sg_checklist.en.json
index 7bc742962..2c6ad05c4 100644
--- a/checklists-ext/azureopenai_sg_checklist.en.json
+++ b/checklists-ext/azureopenai_sg_checklist.en.json
@@ -109,34 +109,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -173,6 +173,6 @@
 "name": "Azure Openai Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/virtualmachines_sg_checklist.en.json b/checklists-ext/virtualmachines_sg_checklist.en.json
index ec0c7000c..2eaef1e8b 100644
--- a/checklists-ext/virtualmachines_sg_checklist.en.json
+++ b/checklists-ext/virtualmachines_sg_checklist.en.json
@@ -229,34 +229,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -293,6 +293,6 @@
 "name": "Virtual Machines Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/wafsg_checklist.en.json b/checklists-ext/wafsg_checklist.en.json
index 6619cab86..0f9638c22 100644
--- a/checklists-ext/wafsg_checklist.en.json
+++ b/checklists-ext/wafsg_checklist.en.json
@@ -2388,594 +2388,410 @@ { "waf": "reliability", "service": "Azure Firewall", - "text": "Deploy Azure Firewall in hub virtual networks or as part of Azure Virtual WAN hubs.", + "text": "Review the list of Azure Firewall known issues. Azure Firewall products maintain an updated list of known issues. This list contains important information about by-design behavior, fixes under construction, platform limitations, and possible workarounds or mitigation strategies.", "description": "", "type": "checklist", - "guid": "5820ff87-d98e-490e-93a0-28028bbb05e6" + "guid": "20ce14f0-d217-45ca-953e-da6acda1b73c" }, { "waf": "reliability", "service": "Azure Firewall", - "text": "Leverage Availability Zones resiliency.", + "text": "Deploy Azure Firewall across multiple availability zones for a higher service-level agreement (SLA). Azure Firewall provides different SLAs depending on whether you deploy the service in a single availability zone or multiple zones. For more information, see SLAs for online services.", "description": "", "type": "checklist", - "guid": "7c605481-a9d5-480f-8738-ac2022ef28ed" + "guid": "de630a06-a4a8-4215-bb80-cc89dd3ced08" }, { "waf": "reliability", "service": "Azure Firewall", - "text": "Create Azure Firewall Policy structure.", + "text": "Deploy an Azure Firewall instance in each region in multi-region environments. For traditional hub-and-spoke architectures, see Multi-region considerations. For secured Azure Virtual WAN hubs, configure routing intent and policies to secure inter-hub and branch-to-branch communications. 
For failure-resistant and fault-tolerant workloads, consider instances of Azure Firewall and Azure Virtual Network as regional resources.", "description": "", "type": "checklist", - "guid": "2ceafe5f-6511-42a6-9687-cebaf586b293" + "guid": "be394cd4-78f2-4737-8d8d-ec8f83193584" }, { "waf": "reliability", "service": "Azure Firewall", - "text": "Review the Known Issue list.", + "text": "Monitor Azure Firewall metrics and the resource health state. Azure Firewall integrates with Azure Resource Health. Use the Resource Health check to view the health status of Azure Firewall and address service problems that might affect your Azure Firewall resource.", "description": "", "type": "checklist", - "guid": "85a53628-bd7b-43bb-a817-b6f0c11c34c9" + "guid": "5f5c6480-7d26-4d6a-b375-e5786b200448" }, { "waf": "reliability", "service": "Azure Firewall", - "text": "Monitor Azure Firewall health state.", + "text": "Deploy Azure Firewall in hub virtual networks or as part of Virtual WAN hubs.", "description": "", "type": "checklist", - "guid": "74a2596f-1cc9-4715-8de2-5afdde7b9f9a" + "guid": "e1c47da5-f5ed-4300-911e-7fc916e4c488" }, { "waf": "Reliability", "service": "Azure Firewall", - "text": "Use Azure Firewall Manager with traditional Hub & Spokes or Azure Virtual WAN network topologies to deploy and manage instances of Azure Firewall.", - "description": "Easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection. For more information on network topologies, see the Azure Cloud Adoption Framework documentation.", + "text": "Deploy Azure Firewall across multiple availability zones.", + "description": "Deploy Azure Firewall across multiple availability zones to maintain a specific level of resiliency. 
If one zone experiences an outage, another zone continues to serve traffic.", "type": "recommendation", - "guid": "21f4d348-c086-4e96-b5bc-91f8a3c25841" + "guid": "13571efe-01ca-4dd1-8cc8-fe95125e3bf2" }, { "waf": "Reliability", "service": "Azure Firewall", - "text": "Create Azure Firewall Policies to govern the security posture across global network environments. Assign policies to all instances of Azure Firewall.", - "description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Delegate incremental firewall policies to local security teams through role-based access control (RBAC). Some settings are specific per instance, for example DNAT Rules and DNS configuration, then multiple specialized policies might be required.", + "text": "Monitor Azure Firewall metrics in a Log Analytics workspace. Closely monitor metrics that indicate the Azure Firewall health state, such as throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics. Use Azure Service Health to monitor Azure Firewall health.", + "description": "Monitor resource metrics and service health so you can detect when a service state degrades and take proactive measures to prevent failures.", "type": "recommendation", - "guid": "1e604a31-46f0-4fcc-9f0e-1ca46cc3f677" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Migrate Azure Firewall Classic Rules to Azure Firewall Manager Policies for existing deployments.", - "description": "For existing deployments, migrate Azure Firewall rules to Azure Firewall Manager policies. Use Azure Firewall Manager to centrally manage your firewalls and policies. 
For more information, see Migrate to Azure Firewall Premium.", - "type": "recommendation", - "guid": "d17fbf01-c796-45dd-9ca4-99af38b2ae9b" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Review the list of Azure Firewall Known Issues.", - "description": "Azure Firewall Product Group maintains an updated list of known-issues at this location. This list contains important information related to by-design behavior, fixes under construction, platform limitations, along with possible workarounds or mitigation.", - "type": "recommendation", - "guid": "b7623c43-bb6b-4629-a655-551c92e2dffa" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Ensure your Azure Firewall Policy adheres to Azure Firewall limits and recommendations.", - "description": "There are limits on the policy structure, including numbers of Rules and Rule Collection Groups, total policy size, source/target destinations. Be sure to compose your policy and stay below the documented thresholds.", - "type": "recommendation", - "guid": "9230da4d-4e27-4106-9552-294b1a93d780" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Deploy Azure Firewall across multiple availability zones for higher service-level agreement (SLA).", - "description": "Azure Firewall provides different SLAs when it's deployed in a single availability zone and when it's deployed in multiple zones. For more information, see SLA for Azure Firewall. For information about all Azure SLAs, see SLA summary for Azure services.", - "type": "recommendation", - "guid": "6a88967d-b182-437d-ac3b-1cb45ddfaa86" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "In multi-region environments, deploy an Azure Firewall instance per region.", - "description": "For traditional Hub & Spokes architectures, multi-region details are explained in this article. 
For secured virtual hubs (Azure Virtual WAN), Routing Intent and Policies must be configured to secure inter-hub and branch-to-branch communications. For workloads designed to be resistant to failures and fault tolerant, remember to consider that instances of Azure Firewall and Azure Virtual Network as regional resources.", - "type": "recommendation", - "guid": "a4b78865-a047-4afc-b7e6-b2f54cee83cb" - }, - { - "waf": "Reliability", - "service": "Azure Firewall", - "text": "Monitor Azure Firewall Metrics and Resource Health state.", - "description": "Closely monitor key metrics indicator of Azure Firewall health state such as Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics. Additionally, Azure Firewall now integrates with Azure Resource Health. With the Azure Firewall Resource Health check, you can now view the health status of your Azure Firewall and address service problems that might affect your Azure Firewall resource.", - "type": "recommendation", - "guid": "9621bb59-3034-4e42-8344-5ce24b47425b" - }, - { - "waf": "security", - "service": "Azure Firewall", - "text": "Determine if you need Forced Tunneling.", - "description": "", - "type": "checklist", - "guid": "b0b563a2-ec75-4a12-981a-6c6138175122" - }, - { - "waf": "security", - "service": "Azure Firewall", - "text": "Create rules for Policies based on least privilege access criteria.", - "description": "", - "type": "checklist", - "guid": "c39df35c-43a4-4bc2-ae65-3201a1b274a4" - }, - { - "waf": "security", - "service": "Azure Firewall", - "text": "Leverage Threat Intelligence.", - "description": "", - "type": "checklist", - "guid": "08bebd22-0d6a-469c-ae5b-fed8774452de" - }, - { - "waf": "security", - "service": "Azure Firewall", - "text": "Enable Azure Firewall DNS proxy.", - "description": "", - "type": "checklist", - "guid": "89484b0c-7b36-4fa2-9064-ae6db7dc411a" - }, - { - "waf": "security", - "service": "Azure Firewall", - "text": "Direct network traffic through 
Azure Firewall.",
- "description": "",
- "type": "checklist",
- "guid": "a875d2e4-5476-450f-8206-aa79ecdcb2e3"
- },
- {
- "waf": "security",
- "service": "Azure Firewall",
- "text": "Determine if you want to use third-party security as a service (SECaaS) providers.",
- "description": "",
- "type": "checklist",
- "guid": "50dc96a3-9dca-4aab-97f5-9f8654d4f49c"
- },
- {
- "waf": "security",
- "service": "Azure Firewall",
- "text": "Protect your Azure Firewall public IP addresses with DDoS.",
- "description": "",
- "type": "checklist",
- "guid": "98318578-48f2-4870-adc0-a6a2cf9ce25e"
- },
- {
- "waf": "Security",
- "service": "Azure Firewall",
- "text": "If required to route all internet-bound traffic to a designated next hop instead of going directly to the internet, configure Azure Firewall in forced tunneling mode (does not apply to Azure Virtual WAN).",
- "description": "Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in the forced tunneling mode. Using the forced tunneling feature, you'll need another /26 address space for the Azure Firewall Management subnet. You're required to name it AzureFirewallManagementSubnet.If this is an existing Azure Firewall instance that can't be reconfigured in the forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. 
Associate it with AzureFirewallSubnet to maintain internet connectivity.",
- "type": "recommendation",
- "guid": "a845b563-f080-4a92-83b0-400feb87ee4e"
- },
- {
- "waf": "Security",
- "service": "Azure Firewall",
- "text": "Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in the forced tunneling mode (does not apply to Azure Virtual WAN).",
- "description": "When you deploy a new Azure Firewall instance, if you enable the forced tunneling mode, you can set the public IP address to None to deploy a fully private data plane. However, the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks won't use that public IP. For more about forced tunneling, see Azure Firewall forced tunneling.",
- "type": "recommendation",
- "guid": "176ae9e3-7a07-4885-ab4e-72a9ea2ee7fc"
+ "guid": "09d6362f-d7a1-4c56-822c-065064bbcad7"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Create rules for Firewall Policies based on least privilege access criteria.",
- "description": "Azure Firewall Policies can be arranged in an hierarchical structure to overlay a central base policy. Allow for granular policies to meet the requirements of specific regions. Each policy can contains different sets of DNAT, Network and Application rules with specific priority, action and processing order. Create your rules based on least privilege access Zero Trust principle . How rules are processed is explained in this article.",
+ "text": "Configure Azure Firewall in\u00a0forced tunneling mode if you need to route all internet-bound traffic to a designated next hop instead of directly to the internet. This recommendation doesn't apply to Virtual WAN.

Azure Firewall must have direct internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via the Border Gateway Protocol, you must configure Azure Firewall in forced tunneling mode. You can use the forced tunneling feature to add another /26 address space for the Azure Firewall Management subnet. Name the subnet AzureFirewallManagementSubnet. If you have an existing Azure Firewall instance that you can't reconfigure in forced tunneling mode, create a UDR with a 0.0.0.0/0 route. Set the NextHopType value as Internet. To maintain internet connectivity, associate the UDR with AzureFirewallSubnet. Set the public IP address to None to deploy a fully private data plane when you configure Azure Firewall in forced tunneling mode. But the management plane still requires a public IP for management purposes only. The internal traffic from virtual and on-premises networks doesn't use that public IP.",
+ "description": "Use forced tunneling so you don't expose your Azure resources directly to the internet. This approach reduces the attack surface and minimizes the risk of external threats. To enforce corporate policies and compliance requirements more effectively, route all internet-bound traffic through an on-premises firewall or an NVA.",
 "type": "recommendation",
- "guid": "f1c5e5d4-9e41-4b27-b53f-fb36ddce75b7"
+ "guid": "7abca50a-05ca-41fc-8485-cd536ba9ec86"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Enable IDPS in Alert or Alert and deny mode.",
- "description": "IDPS is one of the most powerful Azure Firewall (Premium) security features and should be enabled. Based on security and application requirements, and considering the performance impact (see the Cost section below), Alert or Alert and deny modes can be selected.",
+ "text": "Create rules for Firewall policies in an hierarchical structure to overlay a central base policy. For more information, see Use Azure Firewall policies to process rules.

Create your rules based on the least-privilege access Zero Trust principle",
+ "description": "Organize rules in a hierarchical structure so that granular policies can meet the requirements of specific regions. Each policy can contain different sets of Destination Network Address Translation (DNAT), network, and application rules that have specific priorities, actions, and processing orders.",
 "type": "recommendation",
- "guid": "0722a8f4-bea5-4309-93de-d93fb93e0733"
+ "guid": "0d9c6369-6b1b-49db-8198-68f2344273d8"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Enable Azure Firewall (DNS) proxy configuration.",
- "description": "Enabling this feature points clients in the VNets to Azure Firewall as a DNS server. It will protect internal DNS infrastructure that will not be directly accessed and exposed. Azure Firewall must be also configured to use custom DNS that will be used to forward DNS queries.",
+ "text": "Configure supported security partner providers within Firewall Manager to protect outbound connections.

This scenario requires Virtual WAN with a S2S VPN gateway in the hub because it uses an IPsec tunnel to connect to the provider's infrastructure. Managed security service providers might charge extra license fees and limit throughput on IPsec connections. You can also use alternative solutions, such as Zscaler Cloud Connector.",
+ "description": "Enable security partner providers in Azure Firewall to take advantage of best-in-breed cloud security offerings, which provide advanced protection for your internet traffic. These providers offer specialized, user-aware filtering and comprehensive threat-detection capabilities that enhance your overall security posture.",
 "type": "recommendation",
- "guid": "8afc40b9-179e-4b5d-ba89-897925ad6d09"
+ "guid": "7bfae9e9-d97d-4d04-97a6-7eb31a73ed10"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Configure user-defined routes (UDR) to force traffic through Azure Firewall.",
- "description": "In a traditional Hub & Spokes architecture, configure UDRs to force traffic through Azure Firewall for `Spoke-to-Spoke`, `Spoke-to-Internet`, and `Spoke-to-Hybrid` connectivity. In Azure Virtual WAN, instead, configure Routing Intent and Policies to redirect private and/or Internet traffic through the Azure Firewall instance integrated into the hub.",
+ "text": "Enable\u00a0Azure Firewall DNS proxy\u00a0configuration.

Also configure Azure Firewall to use custom DNS for forwarding DNS queries.",
+ "description": "Enable this feature to point clients in the virtual networks to Azure Firewall as a DNS server. This feature protects internal DNS infrastructure that's not directly accessed and exposed.",
 "type": "recommendation",
- "guid": "54cc495b-54f8-4dc9-9ed9-e20c15a8beb9"
+ "guid": "68949fe5-365d-4c55-b909-d52c39d24b6d"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "If not possible to apply UDR, and only web traffic redirection is required, consider using Azure Firewall as an Explicit Proxy",
- "description": "With explicit proxy feature enabled on the outbound path, you can configure a proxy setting on the sending web application (such as a web browser) with Azure Firewall configured as the proxy. As a result, web traffic will reach the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the usage of multiple firewalls without modifying existing network routes.",
+ "text": "Configure UDRs to force traffic through Azure Firewall in a traditional hub-and-spoke architecture for spoke-to-spoke, spoke-to-internet, and spoke-to-hybrid connectivity.

In Virtual WAN, configure routing intent and policies to redirect private traffic or internet traffic through the Azure Firewall instance that's integrated into the hub.

If you can't apply a UDR, and you only require web traffic redirection, use Azure Firewall as an explicit proxy on the outbound path. You can configure a proxy setting on the sending application, such as a web browser, when you configure Azure Firewall as a proxy.",
+ "description": "Send traffic through the firewall to inspect traffic and help identify and block malicious traffic.

Use Azure Firewall as an explicit proxy for outbound traffic so that web traffic reaches the firewall's private IP address and therefore egresses directly from the firewall without using a UDR. This feature also facilitates the use of multiple firewalls without modifying existing network routes.",
 "type": "recommendation",
- "guid": "18462426-38d0-444b-aaec-99aa97aefc57"
+ "guid": "7269ebdb-4f21-41f7-846b-b0f90145a8ca"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Configure supported third-party software as a service (SaaS) security providers within Firewall Manager if you want to use these solutions to protect outbound connections.",
- "description": "You can use your familiar, best-in-breed, third-party SECaaS offerings to protect internet access for your users. This scenario does require Azure Virtual WAN with a S2S VPN Gateway in the Hub, as it uses an IPSec tunnel to connect to the provider's infrastructure. SECaaS providers might charge additional license fees and limit throughput on IPSec connections. Alternative solutions such as ZScaler Cloud Connector exist and might be more suitable.",
+ "text": "Use FQDN filtering in network rules. You must enable the Azure Firewall DNS proxy configuration to use FQDNs in your network rules.",
+ "description": "Use FQDNs in Azure Firewall network rules so that administrators can manage domain names instead of multiple IP addresses, which simplifies management. This dynamic resolution ensures that firewall rules automatically update when domain IPs change.",
 "type": "recommendation",
- "guid": "cfcce0d3-c52d-4405-9316-d503ffcf5349"
+ "guid": "dbcfaeb4-af8a-4536-aea5-b0941fe8cb1c"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Use Fully Qualified Domain Name (FQDN) filtering in network rules.",
- "description": "You can use FQDN based on DNS resolution in Azure Firewall and firewall policies. 
This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable the Azure Firewall DNS Proxy configuration to use FQDNs in your network rules. To learn how it works, see Azure Firewall FQDN filtering in network rules.",
+ "text": "Use Azure Firewall service tags in place of specific IP addresses to provide selective access to specific services in Azure, Microsoft Dynamics 365, and Microsoft 365.",
+ "description": "Use service tags in network rules so you can define access controls based on service names rather than specific IP addresses, which simplifies security management. Microsoft manages and updates these tags automatically when IP addresses change. This method ensures that your firewall rules remain accurate and effective without manual intervention.",
 "type": "recommendation",
- "guid": "ce2815a6-eee5-4c54-91e7-9ee1e95a191a"
+ "guid": "a24f4843-209c-4f51-88e6-1908be48e722"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Use Service Tags in Network Rules to enable selective access to specific Microsoft services.",
- "description": "A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. Using Service Tags in Network Rules, it is possible to enable outbound access to specific services in Azure, Dynamics and Office 365 without opening wide ranges of IP addresses. Azure will maintain automatically the mapping between these tags and underlying IP addresses used by each service. The list of Service Tags available to Azure Firewall are listed here: Az Firewall Service Tags.",
+ "text": "Use FQDN tags in application rules to provide selective access to specific Microsoft services.

You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for specific Azure services, such as Microsoft 365, Windows 365, and Microsoft Intune.",
+ "description": "Use FQDN tags in Azure Firewall application rules to represent a group of FQDNs that are associated with well-known Microsoft services. This method simplifies the management of network security rules.",
 "type": "recommendation",
- "guid": "55fe92cd-c2a0-4b0b-bd8b-691291c73651"
+ "guid": "4063f792-86cc-469b-9b6d-3c3d5e7f5d74"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Use FQDN Tags in Application Rules to enable selective access to specific Microsoft services.",
- "description": "An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well known Microsoft services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall for some specific Azure services, Office 365, Windows 365 and Intune.",
+ "text": "Enable\u00a0threat intelligence\u00a0on Azure Firewall in\u00a0Alert and deny\u00a0mode.",
+ "description": "Use threat intelligence to provide real-time protection against emerging threats, which reduces the risk of cyberattacks. This feature uses the Microsoft threat intelligence feed to automatically alert and block traffic from known malicious IP addresses, domains, and URLs.",
 "type": "recommendation",
- "guid": "c9cac1b2-3969-4de0-b36f-6f9992d9ebc6"
+ "guid": "e8dcc3ab-b391-475c-8d78-cee55c784f06"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Use Azure Firewall Manager to create and associate a DDoS protection plan with your hub virtual network (does not apply to Azure Virtual WAN).",
- "description": "A DDoS protection plan provides enhanced mitigation features to defend your firewall from DDoS attacks. Azure Firewall Manager is an integrated tool to create your firewall infrastructure and DDoS protection plans. 
For more information, see Configure an Azure DDoS Protection Plan using Azure Firewall Manager.",
+ "text": "Enable\u00a0the IDPS\u00a0in\u00a0Alert\u00a0or\u00a0Alert and deny\u00a0mode. Consider the performance impact of this feature.",
+ "description": "Enable IDPS filtering in Azure Firewall provides real-time monitoring and analysis of network traffic to detect and prevent malicious activities. This feature uses signature-based detection to swiftly identify known threats and block them before they cause harm. For more information, see Detect abuse.",
 "type": "recommendation",
- "guid": "e7925fd9-7502-4cb4-9b51-cbf8f546a5b2"
+ "guid": "053202f4-db7d-4b08-ad61-c5d0037b713a"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Use an Enterprise PKI to generate certificates for TLS Inspection.",
- "description": "With Azure Firewall Premium, if TLS Inspection feature is used, it is recommended to leverage an internal Enterprise Certification Authority (CA) for production environment. Self-signed certificates should be used for testing/PoC purposes only.",
+ "text": "Use an internal enterprise certification authority (CA) to generate certificates when you use TLS inspection with Azure Firewall Premium. Use self-signed certificates only for testing and proof of concept (PoC) purposes.",
+ "description": "Enable TLS inspection so that Azure Firewall Premium terminates and inspects TLS connections to detect, alert, and mitigate malicious activity in HTTPS.",
 "type": "recommendation",
- "guid": "2e318870-f258-484d-aef6-ed2972db1f44"
+ "guid": "ab822518-b2ff-4048-8e9f-5a86d431d063"
 },
 {
 "waf": "Security",
 "service": "Azure Firewall",
- "text": "Review Zero-Trust configuration guide for Azure Firewall and Application Gateway",
- "description": "If your security requirements necessitate implementing a Zero-Trust approach for web applications (inspection and encryption), it is recommended to follow this guide. 
In this document, how to integrate together Azure Firewall and Application Gateway will be explained, in both traditional Hub & Spoke and Virtual WAN scenarios.",
+ "text": "Use Firewall Manager to create and associate an Azure DDoS Protection plan with your hub virtual network. This approach doesn't apply to Virtual WAN.",
+ "description": "Configure an Azure DDoS Protection plan so that you can centrally manage DDoS protection alongside your firewall policies. This approach streamlines how you manage your network security and simplifies how you deploy and monitor processes.",
 "type": "recommendation",
- "guid": "34821124-0275-4c49-8f1c-20eb84027df3"
+ "guid": "05a6fac9-edc2-49bc-8bf8-17950c0cd710"
 },
 {
 "waf": "cost",
 "service": "Azure Firewall",
- "text": "Select the Azure Firewall SKU to deploy.",
+ "text": "Select an Azure Firewall SKU to deploy. Choose from three Azure Firewall SKUs: Basic, Standard, and Premium. Use Azure Firewall Premium to secure highly sensitive applications, such as payment processing. Use Azure Firewall Standard if your workload needs a Layer 3 to Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. Use Azure Firewall Basic if you use SMB and require up to 250 Mbps of throughput. You can downgrade or upgrade between Standard and Premium SKUs. For more information, see Choose the right Azure Firewall SKU.",
 "description": "",
 "type": "checklist",
- "guid": "ffdfd2b7-e799-4c09-9c76-1471fe5f8db9"
+ "guid": "9220cde5-ecbc-4eb1-a5ac-65e56e2aa925"
 },
 {
 "waf": "cost",
 "service": "Azure Firewall",
- "text": "Determine if some instances don't need permanent 24x7 allocation.",
+ "text": "Remove unused firewall deployments and optimize underused deployments. Stop Azure Firewall deployments that don't need to continuously run. Identify and delete unused Azure Firewall deployments. 
To reduce operational costs, monitor and optimize firewall instances usage, Azure Firewall Manager policies configuration, and the number of public IP addresses and policies that you use.",
 "description": "",
 "type": "checklist",
- "guid": "cca81cf9-4d7f-4e04-99e9-8ecfb533d814"
+ "guid": "54c37b38-2e3d-4cf9-b174-bee69a2a5b5d"
 },
 {
 "waf": "cost",
 "service": "Azure Firewall",
- "text": "Determine where you can optimize firewall use across workloads.",
+ "text": "Share the same instance of Azure Firewall. You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same Azure Firewall instance across spoke virtual networks that connect to the same hub from the same region. Ensure that you don't have unexpected cross-region traffic in a hub-and-spoke topology.",
 "description": "",
 "type": "checklist",
- "guid": "50c204ab-2e28-456c-a731-3ecf2e38d6d7"
+ "guid": "a522ab1e-0659-43b3-9fad-906116bb1432"
 },
 {
 "waf": "cost",
 "service": "Azure Firewall",
- "text": "Monitor and optimize firewall instances usage to determine cost-effectiveness.",
+ "text": "Optimize traffic through the firewall. Regularly review traffic that Azure Firewall processes. Find opportunities to reduce the amount of traffic that traverses the firewall.",
 "description": "",
 "type": "checklist",
- "guid": "365207d2-1008-4a6e-ad87-f4191a31a004"
+ "guid": "0976c680-8f44-46f9-ae4d-2349eaafd800"
 },
 {
 "waf": "cost",
 "service": "Azure Firewall",
- "text": "Review and optimize the number of public IP addresses required and Policies used.",
+ "text": "Decrease the amount of log data that you store. Azure Firewall can use Azure Event Hubs to comprehensively log the traffic's metadata and send it to Log Analytics workspaces, Azure Storage, or non-Microsoft solutions. All logging solutions incur costs to process data and provide storage. Large amounts of data can incur significant costs. 
Consider a cost-effective approach and alternative to Log Analytics, and estimate the cost. Consider whether you need to log traffic metadata for all logging categories.",
 "description": "",
 "type": "checklist",
- "guid": "39b1fd82-3efb-459b-b789-a9dc631f9f90"
- },
- {
- "waf": "cost",
- "service": "Azure Firewall",
- "text": "Review logging requirements, estimate cost and control over time.",
- "description": "",
- "type": "checklist",
- "guid": "46753a55-3740-4a6d-808b-fbe485bc66e5"
- },
- {
- "waf": "Cost",
- "service": "Azure Firewall",
- "text": "Deploy the proper Azure Firewall SKU.",
- "description": "Azure Firewall can be deployed in three different SKUs: Basic, Standard and Premium. Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). Azure Firewall Standard is recommended for customers looking for Layer 3\u2013Layer 7 firewall and needs autoscaling to handle peak traffic periods of up to 30 Gbps. Azure Firewall Basic is recommended for SMB customers with throughput needs of 250 Mbps. If required, downgrade or upgrade is possible between Standard and Premium as documented here. For more information, see Choose the right Azure Firewall SKU to meet your needs.",
- "type": "recommendation",
- "guid": "ba45f704-2456-4d6a-999d-57db4dbf3ff5"
+ "guid": "debc5298-dba5-4c67-a03a-1ca626025139"
 },
 {
 "waf": "Cost",
 "service": "Azure Firewall",
- "text": "Stop Azure Firewall deployments that don't need to run for 24x7.",
- "description": "You might have development or testing environments that are used only during business hours. For more information, see Deallocate and allocate Azure Firewall.",
+ "text": "Stop Azure Firewall deployments that don't need to continuously run. You might have development or testing environments that you only use during business hours. 
For more information, see Deallocate and allocate Azure Firewall.",
+ "description": "Shut down these deployments during off-peak hours or when idle to reduce unnecessary expenses but maintain security and performance during critical times.",
 "type": "recommendation",
- "guid": "2ef42b67-50cc-4d54-bd3d-324ad2044fc7"
+ "guid": "c12bc13f-aeea-4f9c-a7c0-476028848d3c"
 },
 {
 "waf": "Cost",
 "service": "Azure Firewall",
- "text": "Share the same instance of Azure Firewall across multiple workloads and Azure Virtual Networks.",
- "description": "You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same firewall across many spoke virtual networks that are connected to the same hub from the same region. Ensure there's no unexpected cross-region traffic as part of the hub-spoke topology.",
+ "text": "Regularly review traffic that Azure Firewall processes, and find originating workload optimizations. The top flows log, also known as the fat flows log, shows the top connections that contribute to the highest throughput through the firewall.",
+ "description": "Optimize workloads that generate the most traffic through the firewall to reduce the volume of traffic, which decreases the load on the firewall and minimizes data-processing and bandwidth costs.",
 "type": "recommendation",
- "guid": "ae5816a1-1766-425a-a117-2873865a9f10"
+ "guid": "fcd6975c-5cb6-4716-9bab-fe8e7cd50e00"
 },
 {
 "waf": "Cost",
 "service": "Azure Firewall",
- "text": "Regularly review traffic processed by Azure Firewall and look for originating workload optimizations",
- "description": "Top Flows log (known in the industry as Fat Flows), shows the top connections that are contributing to the highest throughput through the firewall. 
It is recommended to regularly review traffic processed by the Azure Firewall and search for possible optimizations to reduce the amount of traffic traversing the firewall.",
+ "text": "Identify and delete unused Azure Firewall deployments. Analyze monitoring metrics and UDRs that are associated with subnets that point to the firewall's private IP. Also consider other validations and internal documentation about your environment and deployments. For example, analyze any classic NAT, network, and application rules for Azure Firewall. And consider your settings. For example, you might configure the DNS proxy setting to Disabled. For more information, see Monitor Azure Firewall.",
+ "description": "Use this approach to detect cost-effective deployments over time and eliminate unused resources, which prevents unnecessary costs.",
 "type": "recommendation",
- "guid": "791f974e-8c73-46ee-9b9e-26dd3a6c6845"
+ "guid": "06d0aca0-59c3-4474-aea8-314ebc1d4367"
 },
 {
 "waf": "Cost",
 "service": "Azure Firewall",
- "text": "Review under-utilized Azure Firewall instances. Identify and delete unused Azure Firewall deployments.",
- "description": "To identify unused Azure Firewall deployments, start by analyzing the monitoring metrics and UDRs associated with subnets pointing to the firewall's private IP. Combine that information with other validations, such as if your instance of Azure Firewall has any rules (classic) for NAT, Network and Application, or even if the DNS Proxy setting is configured to Disabled, and with internal documentation about your environment and deployments. You can detect deployments that are cost-effective over time. For more information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
+ "text": "Review your Firewall Manager policies, associations, and inheritance carefully to optimize cost. Policies are billed based on firewall associations. A policy with zero or one firewall association is free. 
A policy with multiple firewall associations is billed at a fixed rate. For more information, see Firewall Manager pricing.",
+ "description": "Properly use Firewall Manager and its policies to reduce operational costs, increase efficiency, and reduce management overhead.",
 "type": "recommendation",
- "guid": "6590ab7b-01d8-487c-ad40-c325eada375c"
+ "guid": "0afd66fd-36c6-44ad-8e71-cd3b247c6816"
 },
 {
 "waf": "Cost",
 "service": "Azure Firewall",
- "text": "Use Azure Firewall Manager and its Policies to reduce operational costs, increase efficiency, and reduce management overhead.",
- "description": "Review your Firewall Manager policies, associations, and inheritance carefully. Policies are billed based on firewall associations. A policy with zero or one firewall association is free of charge. A policy with multiple firewall associations is billed at a fixed rate.For more information, see Pricing - Azure Firewall Manager.",
+ "text": "Review all the public IP addresses in your configuration, and disassociate and delete the ones that you don't use. Evaluate source network address translation (SNAT) port usage before you remove any IP addresses. For more information, see Monitor Azure Firewall logs and metrics and SNAT port usage.",
+ "description": "Delete unused IP addresses to reduce costs.",
 "type": "recommendation",
- "guid": "c82f1a0b-3dd1-4da7-9006-5b870e0ea843"
- },
- {
- "waf": "Cost",
- "service": "Azure Firewall",
- "text": "Delete unused public IP addresses.",
- "description": "Validate whether all the associated public IP addresses are in use. If they aren't in use, disassociate and delete them. Evaluate SNAT port utilization before removing any IP addresses.You'll only use the number of public IPs your firewall needs. 
For more information, see Monitor Azure Firewall logs and metrics and SNAT port utilization.",
- "type": "recommendation",
- "guid": "58401f6a-8858-4d03-bf00-7f6d8747297a"
- },
- {
- "waf": "Cost",
- "service": "Azure Firewall",
- "text": "Review logging requirements.",
- "description": "Azure Firewall has the ability to comprehensively log metadata of all traffic it sees, to Log Analytics Workspaces, Storage or third party solutions through Event Hubs. However, all logging solutions incur costs for data processing and storage. At very large volumes these costs can be significant, a cost effective approach and alternative to Log Analytics should be considered and cost estimated. Consider whether it is required to log traffic metadata for all logging categories and modify in Diagnostic Settings if needed.",
- "type": "recommendation",
- "guid": "a9f71813-ccf8-427a-9ce3-676b4123eff4"
+ "guid": "2cbff8d4-4f59-42dc-b186-58f7c4965dbe"
 },
 {
 "waf": "operations",
 "service": "Azure Firewall",
- "text": "Maintain inventory and backup of Azure Firewall configuration and Policies.",
+ "text": "Use Firewall Manager with traditional hub-and-spoke topologies or Virtual WAN network topologies to deploy and manage instances of Azure Firewall. Use native security services for traffic governance and protection to create hub-and-spoke and transitive architectures. For more information, see Network topology and connectivity.",
 "description": "",
 "type": "checklist",
- "guid": "c8e11b57-bc16-4a60-9c0d-aeae7239fe91"
+ "guid": "733bab93-bd9d-43c1-a780-e977d8f4fd3d"
 },
 {
 "waf": "operations",
 "service": "Azure Firewall",
- "text": "Leverage diagnostic logs for firewall monitoring and troubleshooting.",
+ "text": "Maintain regular backups of Azure Policy artifacts. If you use an infrastructure-as-code approach to maintain Azure Firewall and all dependencies, you should have backup and versioning of Azure Firewall policies in place. 
If you don't, you can deploy a companion mechanism that's based on an external logic app to provide an effective automated solution.",
 "description": "",
 "type": "checklist",
- "guid": "be3e8ab7-db2a-40f7-a76a-fba15b34b88d"
+ "guid": "8271c7ff-1472-4a86-ab05-0538a869631c"
 },
 {
 "waf": "operations",
 "service": "Azure Firewall",
- "text": "Leverage Azure Firewall Monitoring workbook.",
+ "text": "Monitor Azure Firewall logs and metrics. Take advantage of diagnostic logs for firewall monitoring and troubleshooting and activity logs for auditing operations.",
 "description": "",
 "type": "checklist",
- "guid": "af454d15-f640-47db-9864-7c31cbdcdffc"
+ "guid": "09e15d81-89b9-458e-85a1-98ea29c9c72f"
 },
 {
 "waf": "operations",
 "service": "Azure Firewall",
- "text": "Regularly review your Policy insights and analytics.",
+ "text": "Analyze monitoring data to assess the overall health of the system. Use the built-in Azure Firewall monitoring workbook, familiarize yourself with Kusto Query Language (KQL) queries, and use the policy analytics dashboard to identify potential problems.",
 "description": "",
 "type": "checklist",
- "guid": "010e0c46-9d19-46fb-9a85-4bb79828db8a"
+ "guid": "ab3610c2-56cf-4888-8bb3-fe3816ee0d11"
 },
 {
 "waf": "operations",
 "service": "Azure Firewall",
- "text": "Integrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel.",
+ "text": "Define alerts for key events so that operators can quickly respond to them.",
 "description": "",
 "type": "checklist",
- "guid": "e455cf35-374c-4e02-9432-e0dc531b829b"
- },
- {
- "waf": "Operations",
- "service": "Azure Firewall",
- "text": "Do not use Azure Firewall for intra-VNet traffic control.",
- "description": "Azure Firewall should be used to control traffic across VNets, between VNets and on-premises networks, outbound traffic to the Internet and incoming non-HTTP/s traffic. 
For intra-VNet traffic control, it is recommended to use Network Security Groups.",
- "type": "recommendation",
- "guid": "337df674-237d-4b82-ac92-ae45f34a6e3d"
- },
- {
- "waf": "Operations",
- "service": "Azure Firewall",
- "text": "Maintain regular backups of Azure Policy artifacts.",
- "description": "If Infrastructure-as-Code (IaC) approach is used to maintain Azure Firewall and all dependencies then backup and versioning of Azure Firewall Policies should be already in place. If not, a companion mechanism based on external Logic App can be deployed to automate and provide an effective solution.",
- "type": "recommendation",
- "guid": "174e4ca6-77d4-4b83-8f05-0c54c43792ec"
- },
- {
- "waf": "Operations",
- "service": "Azure Firewall",
- "text": "Enable Diagnostic Logs for Azure Firewall.",
- "description": "Diagnostic Logs is a key component for many monitoring tools and strategies for Azure Firewall and should be enabled. You can monitor Azure Firewall by using firewall logs or workbooks. You can also use activity logs for auditing operations on Azure Firewall resources.",
- "type": "recommendation",
- "guid": "7e27b44b-e8c0-4f25-9fce-78a85810d715"
+ "guid": "67eb37ee-d9b8-4aff-8aa3-71011176aa0a"
 },
 {
- "waf": "Operations",
+ "waf": "operations",
 "service": "Azure Firewall",
- "text": "Use Structured Firewall Logs format.",
- "description": "Structured Firewall Logs are a type of log data that are organized in a specific new format. They use a predefined schema to structure log data in a way that makes it easy to search, filter, and analyze. The latest monitoring tools are based on this type of logs hence it is often a pre-requisite. Use the previous Diagnostic Logs format only if there is an existing tool with a pre-requisite on that. Do not enable both logging formats at the same time.",
- "type": "recommendation",
- "guid": "078ab6f4-2ef5-4f91-856c-be9e3c2748a1"
+ "text": "Take advantage of platform-provided detection mechanisms in Azure to detect abuse. 
Integrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel if possible. Integrate with Defender for Cloud so you can visualize the status of network infrastructure and network security in one place, including Azure network security across all virtual networks and virtual hubs in different regions in Azure. Integrate with Microsoft Sentinel to provide threat-detection and prevention capabilities.",
+ "description": "",
+ "type": "checklist",
+ "guid": "5a8645c5-e586-4562-9f0a-7893542586fd"
 },
 {
 "waf": "Operations",
 "service": "Azure Firewall",
- "text": "Use the built-in Azure Firewall Monitoring Workbook.",
- "description": "Azure Firewall portal experience now includes a new workbook under the Monitoring section UI, a separate installation is no longer required. With the Azure Firewall Workbook, you can extract valuable insights from Azure Firewall events, delve into your application and network rules, and examine statistics regarding firewall activities across URLs, ports, and addresses.",
+ "text": "Enable diagnostic logs for Azure Firewall. Use firewall logs or workbooks to monitor Azure Firewall. You can also use activity logs to audit operations on Azure Firewall resources. Use the structured firewall logs format. Only use the previous diagnostic logs format if you have an existing tool that requires it. Don't enable both logging formats at the same time.",
+ "description": "Enable diagnostic logs to optimize your monitoring tools and strategies for Azure Firewall. Use structured firewall logs to structure log data so that it's easy to search, filter, and analyze. 
The latest monitoring tools are based on this type of log, so it's often a prerequisite.",
 "type": "recommendation",
- "guid": "a246ca16-d2da-4ebc-ad28-0bcbb0813be0"
+ "guid": "1069db41-1f8c-43b3-a25f-9981cc78e397"
 },
 {
 "waf": "Operations",
 "service": "Azure Firewall",
- "text": "Monitor key metrics and create alerts for indicators of the utilization of Azure Firewall capacity.",
- "description": "Alerts should be created to monitor at least Throughput, Firewall health state, SNAT port utilization and AZFW Latency Probe metrics.For information about monitoring logs and metrics, see Monitor Azure Firewall logs and metrics.",
+ "text": "Use the built-in Azure Firewall workbook.",
+ "description": "Use the Azure Firewall workbook to extract valuable insights from Azure Firewall events, analyze your application and network rules, and examine statistics about firewall activities across URLs, ports, and addresses.",
 "type": "recommendation",
- "guid": "0c405dff-403a-4ead-94d9-5539ba1eaea6"
+ "guid": "3e10f8ea-c20e-4374-9e58-52969a407dc5"
 },
 {
 "waf": "Operations",
 "service": "Azure Firewall",
- "text": "Configure Azure Firewall integration with Microsoft Defender for Cloud and Microsoft Sentinel.",
- "description": "If these tools are available in the environment, it is recommended to leverage integration with Microsoft Defender for Cloud and Microsoft Sentinel solutions. With Microsoft Defender for Cloud integration, you can visualize the all-up status of network infrastructure and network security in one place, including Azure Network Security across all VNets and Virtual Hubs spread across different regions in Azure. Integration with Microsoft Sentinel provides threat detection and prevention capabilities.",
+ "text": "Monitor Azure Firewall logs and metrics, and create alerts for Azure Firewall capacity. 
Create alerts to monitor Throughput, Firewall health state, SNAT port utilization, and AZFW latency probe metrics.",
+ "description": "Set up alerts for key events to notify operators before potential problems arise, help prevent disruptions, and initiate quick capacity adjustments.",
 "type": "recommendation",
- "guid": "6643f4d1-ee99-4466-9175-164787d00fc3"
+ "guid": "7f972e0f-0259-4783-b9e6-82c278711b0f"
 },
 {
 "waf": "Operations",
 "service": "Azure Firewall",
- "text": "Regularly review Policy Analytics dashboard to identify potential issues.",
- "description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
+ "text": "Regularly review the policy analytics dashboard to identify potential problems.",
+ "description": "Use policy analytics to analyze the impact of your Azure Firewall policies. Identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance.",
 "type": "recommendation",
- "guid": "43d91873-4442-40ae-b2a3-263bc7fdcaab"
+ "guid": "90c06dd6-c01a-4f49-9054-7073f5c774ae"
 },
 {
 "waf": "Operations",
 "service": "Azure Firewall",
- "text": "Become familiar with KQL (Kusto Query Language) queries to allow quick analysis and troubleshooting using Azure Firewall logs.",
- "description": "Sample queries are provided for Azure Firewall. 
Those will enable you to quickly identify what's happening inside your firewall and check to see which rule was triggered, or which rule is allowing/blocking a request.",
+ "text": "Understand KQL queries so you can use Azure Firewall logs to quickly analyze and troubleshoot problems. Azure Firewall provides sample queries.",
+ "description": "Use KQL queries to quickly identify events inside your firewall and check to see which rule is triggered or which rule allows or blocks a request.",
 "type": "recommendation",
- "guid": "8bc24ea6-da9e-48b8-a05c-4fce251d2046"
+ "guid": "a3aa7729-46bd-4de6-82e6-28ac9d631b7a"
 },
 {
 "waf": "performance",
 "service": "Azure Firewall",
- "text": "Regularly review and optimize firewall rules.",
+ "text": "Optimize your Azure Firewall configuration in accordance with the Well-Architected Framework recommendations to optimize code and infrastructure and ensure peak operation. To maintain an efficient and secure network, regularly review and optimize firewall rules. This practice helps ensure that your firewall configurations remain effective and up to date with the latest security threats.",
 "description": "",
 "type": "checklist",
- "guid": "9469b3e2-6be2-470b-a10b-9fb0150c5733"
+ "guid": "9e42071b-fe43-455d-afa9-5ed2c33c7d20"
 },
 {
 "waf": "performance",
 "service": "Azure Firewall",
- "text": "Review policy requirements and opportunities to summarize IP ranges and URLs list.",
+ "text": "Don't use Azure Firewall for intra-virtual network traffic control. Use Azure Firewall to control the following types of traffic:",
 "description": "",
 "type": "checklist",
- "guid": "9efe3606-1aa2-4e06-bf6a-2e5214cf080f"
+ "guid": "1655f213-e590-45ee-8819-9a5e40f83430"
 },
 {
 "waf": "performance",
 "service": "Azure Firewall",
- "text": "Assess your SNAT port requirements.",
+ "text": "Warm up Azure Firewall properly before performance tests. Create initial traffic that isn't part of your load tests 20 minutes before your tests. 
Use diagnostics settings to capture scale-up and scale-down events. You can use the Azure Load Testing service to generate the initial traffic so you can scale up Azure Firewall to the maximum number of instances.",
 "description": "",
 "type": "checklist",
- "guid": "93db9b9d-c43d-47e2-a1cf-e81841274059"
+ "guid": "c3ae17a3-eff4-4f6e-98b9-df3a59bacfd9"
 },
 {
 "waf": "performance",
 "service": "Azure Firewall",
- "text": "Plan load tests to test auto-scale performance in your environment.",
+ "text": "Configure an Azure Firewall subnet with a /26 address space. You need a dedicated subnet for Azure Firewall. Azure Firewall provisions more capacity as it scales.",
 "description": "",
 "type": "checklist",
- "guid": "fbe59997-e12b-497b-bdbd-d2a5e3f728e7"
+ "guid": "df91da5c-22c8-4c7c-bfe5-9a1ede0028d9"
 },
 {
 "waf": "performance",
 "service": "Azure Firewall",
- "text": "Do not enable diagnostic tools and logging if not required.",
+ "text": "Don't enable advanced logging if you don't need it. Azure Firewall provides some advanced logging capabilities that can incur significant costs to keep active. Instead, you can use these capabilities for troubleshooting purposes only and for limited amounts of time. Disable capabilities when you don't need them. For example, top flows and flow trace logs are expensive and can cause excessive CPU and storage usage on the Azure Firewall infrastructure.",
 "description": "",
 "type": "checklist",
- "guid": "c68f8c08-fe1e-4515-a877-67daaa008ab0"
+ "guid": "ddf79c25-05f6-4085-94c4-9534ec1a05fa"
 },
 {
 "waf": "Performance",
 "service": "Azure Firewall",
- "text": "Use Policy Analytics dashboard to identify potential optimizations for Firewall Policies.",
- "description": "Policy Analytics is a new feature that provides insights into the impact of your Azure Firewall policies. 
It helps you identify potential issues (hitting policy limits, low utilization rules, redundant rules, rules too generic, IP Groups usage recommendation) in your policies and provides recommendations to improve your security posture and rule processing performance.",
+ "text": "Use the policy analytics dashboard to identify ways to optimize Azure Firewall policies.",
+ "description": "Use policy analytics to identify potential problems in your policies, such as meeting policy limits, improper rules, and improper IP groups usage. Get recommendations to improve your security posture and rule-processing performance.",
 "type": "recommendation",
- "guid": "cbbaf175-2b8e-4a1f-af5a-a9cbfb798ffb"
+ "guid": "9a20f369-25cd-45ba-bda7-e56f1e379e15"
 },
 {
 "waf": "Performance",
 "service": "Azure Firewall",
- "text": "Consider Web Categories to allow or deny outbound access in bulk.",
- "description": "Instead of explicitly building and maintaining a long list of public Internet sites, consider the usage of Azure Firewall Web Categories. This feature will dynamically categorize web content and will permit the creation of compact Application Rules.",
+ "text": "Place frequently used rules early in a group to optimize latency for Azure Firewall policies that have large rule sets. For more information, see Use Azure Firewall policies to process rules.",
+ "description": "Place frequently used rules high in a rule set to optimize processing latency. Azure Firewall processes rules based on the rule type, inheritance, rule collection group priority, and rule collection priority. Azure Firewall processes high-priority rule collection groups first. 
Inside a rule collection group, Azure Firewall processes rule collections that have the highest priority first.",
 "type": "recommendation",
- "guid": "b8bc28b7-69d4-49d3-8a1e-8dd7ba71ebbe"
+ "guid": "ce0fa221-61f9-41ab-a9ed-233f5546d732"
 },
 {
 "waf": "Performance",
 "service": "Azure Firewall",
- "text": "Evaluate the performance impact of IDPS in Alert and deny mode.",
- "description": "If Azure Firewall is required to operate in IDPS mode Alert and deny, carefully consider the performance impact as documented in firewall performance.",
+ "text": "Use IP groups to summarize IP address ranges and avoid exceeding the limit of unique source or unique destination network rules. Azure Firewall treats the IP group as a single address when you create network rules.",
+ "description": "This approach effectively increases the number of IP addresses that you can cover without exceeding the limit. For each rule, Azure multiplies ports by IP addresses. So, if one rule has four IP address ranges and five ports, you consume 20 network rules.",
 "type": "recommendation",
- "guid": "b91be607-0c6b-4c0d-bdd2-367879f7632d"
+ "guid": "1d2f023e-7dcf-4f55-b07f-1a93c9c0ab4e"
 },
 {
 "waf": "Performance",
 "service": "Azure Firewall",
- "text": "Assess potential SNAT port exhaustion problem.",
- "description": "Azure Firewall currently supports 2496 ports per Public IP address per backend Virtual Machine Scale Set instance. By default, there are two Virtual Machine Scale Set instances. So, there are 4992 ports per flow destination IP, destination port and protocol (TCP or UDP). The firewall scales up to a maximum of 20 instances. 
You can work around the limits by configuring Azure Firewall deployments with a minimum of five public IP addresses for deployments susceptible to SNAT exhaustion.",
+ "text": "Use Azure Firewall web categories to allow or deny outbound access in bulk, instead of explicitly building and maintaining a long list of public internet sites.",
+ "description": "This feature dynamically categorizes web content and permits the creation of compact application rules, which reduces operational overhead.",
 "type": "recommendation",
- "guid": "a5847147-e7ef-48d1-ba16-d896fdce1b9f"
+ "guid": "2007a892-6911-4310-b6eb-5eb3660dc8c9"
 },
 {
 "waf": "Performance",
 "service": "Azure Firewall",
- "text": "Properly warm up Azure Firewall before any performance test.",
- "description": "Create initial traffic that isn't part of your load tests 20 minutes before the test. Use diagnostics settings to capture scale-up and scale-down events. You can use the Azure Load Testing service to generate the initial traffic. Allows the Azure Firewall instance to scale up its instances to the maximum.",
+ "text": "Evaluate the performance impact of IDPS in Alert and deny mode. For more information, see Azure Firewall performance.",
+ "description": "Enable IDPS in Alert and deny mode to detect and prevent malicious network activity. This feature might introduce a performance penalty. Understand the effect on your workload so you can plan accordingly.",
 "type": "recommendation",
- "guid": "908a8bfa-9e9f-4199-8b5a-f2a031ab22e0"
+ "guid": "984c7d68-82f6-48e9-a894-a8e7717d49e2"
 },
 {
 "waf": "Performance",
 "service": "Azure Firewall",
- "text": "Configure an Azure Firewall subnet (AzureFirewallSubnet) with a /26 address space.",
- "description": "Azure Firewall is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the instance of Azure Firewall. 
Azure Firewall provisions more capacity as it scales.A /26 address space for its subnets ensures that the firewall has enough IP addresses available to accommodate the scaling. Azure Firewall doesn't need a subnet bigger than /26. The Azure Firewall subnet name must be AzureFirewallSubnet.",
+ "text": "Configure Azure Firewall deployments with a minimum of five public IP addresses for deployments that are susceptible to SNAT port exhaustion.",
+ "description": "Azure Firewall supports 2,496 ports for each public IP address that each back-end Azure Virtual Machine Scale Sets instance uses. This configuration increases the available SNAT ports by five times. By default, Azure Firewall deploys two Virtual Machine Scale Sets instances that support 4,992 ports for each flow destination IP, destination port, and TCP or UDP protocol. The firewall scales up to a maximum of 20 instances.",
 "type": "recommendation",
- "guid": "d0e66443-59f1-48cb-995f-eaa6688c4f3b"
- },
- {
- "waf": "Performance",
- "service": "Azure Firewall",
- "text": "Do not enable advanced logging if not required",
- "description": "Azure Firewall provides some advanced logging capabilities that can be expensive to maintain always active. Instead, they should be used for troubleshooting purposes only, and limited in duration, then disabled when no more necessary. For example, Top flows and Flow trace logs are expensive can cause excessive CPU and storage usage on the Azure Firewall infrastructure.",
- "type": "recommendation",
- "guid": "2c51e141-6e45-42cd-8c22-c55b219ffe83"
+ "guid": "899877c6-618a-4814-953a-7c7ce430e407"
 },
 {
 "waf": "reliability",
@@ -5509,34 +5325,34 @@
 "categories": [],
 "waf": [
 {
- "name": "performance"
- },
- {
- "name": "cost"
+ "name": "Performance"
 },
 {
- "name": "Operations"
+ "name": "security"
 },
 {
- "name": "security"
+ "name": "performance"
 },
 {
- "name": "Security"
+ "name": "Cost"
 },
 {
 "name": "Reliability"
 },
 {
- "name": "Cost"
+ "name": "operations"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
 "name": "reliability"
 },
 {
- "name": "Performance"
+ "name": "Security"
+ },
+ {
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -5573,6 +5389,6 @@
 "name": "WAF Service Guides",
 "waf": "all",
 "state": "preview",
- "timestamp": "September 22, 2024"
+ "timestamp": "September 29, 2024"
 }
 }
\ No newline at end of file