Azure · oZakari · Dec 20, 2024 · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024
@@ -21,7 +21,7 @@
   recommendationControl: Scalability
   recommendationImpact: High
   recommendationResourceType: Microsoft.DBforMySQL/flexibleServers
-  recommendationMetadataState: Active
+  recommendationMetadataState: Disabled
   longDescription: |
     Use custom maintenance schedule on flexible server instances to select a preferred time for service updates to be applied.
   potentialBenefits: Control update timings

@@ -19,7 +19,7 @@
   aprlGuid: a5f3a4bd-4cf1-4196-a3cb-f5a0876198b2
   recommendationTypeId: null
   recommendationControl: HighAvailability
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/connections
   recommendationMetadataState: Disabled
   longDescription: |

@@ -1,13 +1,13 @@
-- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met
+- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RTOs can be met
   aprlGuid: 7d09523b-b3c0-403e-b104-d5d46240d683
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/dnsZones
   recommendationMetadataState: Active
   longDescription: |
-    Azure DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RPO targets.
-  potentialBenefits: Ensures that no cached DNS records exist past RPO targets
+    Azure DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RTO targets.
+  potentialBenefits: Ensures that no cached DNS records exist past RTO targets
   pgVerified: false
   automationAvailable: false
   tags: null

@@ -15,17 +15,17 @@
     - name: How to configure ExpressRoute Direct Change Admin State of links
       url: "https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-erdirect#state"
 
-- description: Ensure you do not over-subscribe an ExpressRoute Direct
+- description: Ensure ExpressRoute Direct is not over-subscribed
   aprlGuid: 0bee356b-7348-4799-8cab-0c71ffe13018
   recommendationTypeId: null
   recommendationControl: Scalability
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/ExpressRoutePorts
   recommendationMetadataState: Active
   longDescription: |
     Provisioning ExpressRoute circuits on a 10-Gbps or 100-Gbps ExpressRoute Direct resource up to 20-Gbps or 200-Gbps is possible but not recommended for resiliency. If an ExpressRoute Direct port fails, and circuits are using full capacity, the remaining port won't handle the extra load.
   potentialBenefits: Improves resilience during port failures
-  pgVerified: true
+  pgVerified: false
   automationAvailable: true
   tags: null
   learnMoreLink:
@@ -36,7 +36,7 @@
   aprlGuid: 55815823-d588-4cb7-a5b8-ae581837356e
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/expressRoutePorts
   recommendationMetadataState: Active
   longDescription: |

@@ -1,5 +1,5 @@
 // Azure Resource Graph Query
-// This query will return all Network Watcher Flow Logs that are not enabled or in a succeeded state
+// This query will return all Network Watcher Flow Logs that are not enabled or not in a succeeded state
 resources
 | where type =~ "microsoft.network/networkwatchers/flowlogs" and isnotnull(properties)
 | extend targetResourceId = tostring(properties.targetResourceId)

@@ -1 +1,7 @@
-// under-development
+// Azure Resource Graph Query
+// This query will return all Flow Logs where Flow Analytics Configuration is disabled
+resources
+| where type =~ "microsoft.network/networkwatchers/flowlogs"
+| where properties.targetResourceId contains "microsoft.network/virtualNetworks"
+| where not(properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled)
+| project recommendationId = "bf0b7dbd-016d-458c-af99-70fcb03ad451", name, id, tags, param1= "Flow Analytics Configuration is disabled",param2=strcat("Vnet Name : ", properties.targetResourceId)
@@ -36,7 +36,7 @@
   aprlGuid: 1e28bbc1-1eb7-486f-8d7f-93943f40219c
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/networkWatchers
   recommendationMetadataState: Active
   longDescription: |
@@ -49,30 +49,11 @@
     - name: Connection monitor overview
       url: "https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview"
 
-- description: Enable Network Security Group and Virtual Network Flow Logs
-  aprlGuid: a1317a0b-402d-4604-be40-a25a004ba171
-  recommendationTypeId: null
-  recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
-  recommendationResourceType: Microsoft.Network/networkWatchers
-  recommendationMetadataState: Active
-  longDescription: |
-    Improves monitoring and security for Azure and Hybrid connectivity
-  potentialBenefits: Improves monitoring and security for Azure connectivity
-  pgVerified: true
-  automationAvailable: false
-  tags: null
-  learnMoreLink:
-    - name: Flow logging for network security groups
-      url: "https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview"
-    - name: Virtual network flow logs
-      url: "https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview"
-
-- description: Enable traffic analytics in Network Security Group and Virtual Network Flow Logs configuration.
+- description: Enable traffic analytics in Virtual Network Flow Logs configuration
   aprlGuid: bf0b7dbd-016d-458c-af99-70fcb03ad451
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/networkWatchers
   recommendationMetadataState: Active
   longDescription: |

@@ -5,7 +5,7 @@
   recommendationImpact: High
   recommendationResourceType: Microsoft.Network/p2sVpnGateways
   recommendationMetadataState: Active
-  longDescription: Set up monitoring and alerts for Point-to-Site VPN gateways. Create alert rule for ensuring promptly response to critical events such as Gateway overutilization, connection count limits and User VPN route limits.
+  longDescription: Set up monitoring and alerts for Point-to-Site VPN gateways. Create alert rule for ensuring promptly response to critical events such as Gateway over utilization, connection count limits and User VPN route limits. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Detection and mitigation to avoid disruptions.
   pgVerified: false
   automationAvailable: false

@@ -19,7 +19,7 @@
   aprlGuid: ab896e8c-49b9-2c44-adec-98339aff7821
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/privateDnsZones
   recommendationMetadataState: Active
   longDescription: |
@@ -49,16 +49,16 @@
     - name: Private Link and DNS integration at scale
       url: "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale"
 
-- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met
+- description: Ensure Time-To-Live (TTL) is set appropriately to ensure RTOs can be met
   aprlGuid: 3538aa48-c40b-455b-a93b-269fe6e65be2
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/privateDnsZones
   recommendationMetadataState: Active
   longDescription: |
-    Azure Private DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RPO targets.
-  potentialBenefits: Ensures that no cached DNS records exist past RPO targets
+    Azure Private DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. You should ensure that the TTL for the DNS record sets in your DNS Zones are set appropriately to meet your RTO targets.
+  potentialBenefits: Ensures that no cached DNS records exist past RTO targets
   pgVerified: false
   automationAvailable: false
   tags: null

@@ -55,7 +55,6 @@
     - name: Upgrade to Standard SKU public IP addresses in Azure by 30 September 2025 as Basic SKU will be retired
       url: "https://azure.microsoft.com/en-us/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/"
 
-
 - description: Public IP addresses should have DDoS protection enabled
   aprlGuid: c4254c66-b8a5-47aa-82f6-e7d7fb418f47
   recommendationTypeId: null

@@ -2,7 +2,7 @@
   aprlGuid: 23b2dfc7-7e5d-9443-9f62-980ca621b561
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/routeTables
   recommendationMetadataState: Active
   longDescription: |

@@ -93,7 +93,7 @@
   aprlGuid: 3e115044-a3aa-433e-be01-ce17d67e50da
   recommendationTypeId: null
   recommendationControl: HighAvailability
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
@@ -114,7 +114,7 @@
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
-    Azure VPN gateway offers variable SLAs based on deployment in one or two availability zones. Deploying zone-redundant virtual network gateways across availability zones ensures zone-resiliency, improving access to mission-critical, scalable services on Azure.
+    Deploying zone-redundant virtual network gateways across availability zones ensures zone-resiliency, improving access to mission-critical, scalable services on Azure. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Enhanced reliability and scalability
   pgVerified: true
   automationAvailable: true
@@ -135,7 +135,7 @@
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
-    The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling.
+    The active-active mode is available for all SKUs except Basic, allowing for two Gateway IP configurations and two public IP addresses, enhancing redundancy and traffic handling. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Enhanced reliability and network capacity
   pgVerified: true
   automationAvailable: true
@@ -146,15 +146,15 @@
     - name: Gateway SKU
       url: "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku"
 
-- description: Deploy active-active VPN concentrators on your premises for maximum resiliency with VPN gateways
+- description: Deploy active-active VPN concentrators on your premises
   aprlGuid: af11fc4c-c06c-4f4c-b98d-6eee6d5c4c70
   recommendationTypeId: null
   recommendationControl: DisasterRecovery
   recommendationImpact: High
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
-    Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels.
+    Deploying active-active VPN concentrators and Azure VPN Gateways maximizes resilience and availability using a fully-meshed topology with four IPSec tunnels. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Maximizes resilience and availability
   pgVerified: true
   automationAvailable: false
@@ -171,7 +171,7 @@
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
-    Set up monitoring and alerts for Virtual Network Gateway health to utilize a variety of metrics for ensuring operational efficiency and prompt response to any disruptions.
+    Set up monitoring and alerts for Virtual Network Gateway health to utilize a variety of metrics for ensuring operational efficiency and prompt response to any disruptions. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Improved uptime and issue awareness
   pgVerified: true
   automationAvailable: false
@@ -188,7 +188,7 @@
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
-    VPN gateway leverages service health to inform users about both planned and unplanned maintenance, ensuring they are notified about modifications to their VPN connectivity.
+    VPN gateway leverages service health to inform users about both planned and unplanned maintenance, ensuring they are notified about modifications to their VPN connectivity. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Improves VPN maintenance alerts
   pgVerified: true
   automationAvailable: false
@@ -199,15 +199,15 @@
     - name: Monitor VPN gateway
       url: "https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics"
 
-- description: Deploy zone-redundant VPN gateways with zone-redundant Public IP(s)
+- description: Deploy VPN gateways with zone-redundant Public IPs
   aprlGuid: 4bae5a28-5cf4-40d9-bcf1-623d28f6d917
   recommendationTypeId: null
   recommendationControl: HighAvailability
   recommendationImpact: High
   recommendationResourceType: Microsoft.Network/virtualNetworkGateways
   recommendationMetadataState: Active
   longDescription: |
-    For zone-redundant VPN gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability, applying to both active-passive (single IP) and active-active (dual IP) setups.
+    For zone-redundant VPN gateways, always use zone-redundant Standard SKU public IPs to avoid deploying all instances in one zone. This ensures the gateway's reliability. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Enhanced reliability and disaster recovery
   pgVerified: true
   automationAvailable: true

@@ -0,0 +1,17 @@
+// Azure Resource Graph Query
+// This query will return all Vnets missing Flow Logs configuration
+resources
+| where type =~ "Microsoft.Network/virtualNetworks"
+| extend vnetId = tolower(tostring(id)),vnetName = name,vnetTags = tags,vnetLocation = location
+| join kind = leftouter (
+    resources
+    | where type =~ "microsoft.network/networkwatchers/flowlogs"
+    | extend flowLogType = iff(
+        properties.targetResourceId contains "Microsoft.Network/virtualNetworks",
+        'Virtual network',
+        'Virtual network'
+      )
+    | extend flowLogTargetVnet = tolower(properties.targetResourceId)
+) on $left.vnetId == $right.flowLogTargetVnet
+| where strlen(flowLogTargetVnet) == 0
+| project recommendationId = "06b77be9-56a3-4d41-b362-8b295c5a283d",name=vnetName,id=vnetId,tags,param1 = "Missing Vnet Flow Log configuration"
@@ -58,3 +58,20 @@
       url: "https://learn.microsoft.com/azure/architecture/framework/services/networking/network-connectivity/reliability"
     - name: Azure Private Link availability
       url: "https://learn.microsoft.com/en-us/azure/private-link/availability"
+
+- description: Enable Virtual Network Flow Logs
+  aprlGuid: 06b77be9-56a3-4d41-b362-8b295c5a283d
+  recommendationTypeId: null
+  recommendationControl: MonitoringAndAlerting
+  recommendationImpact: Medium
+  recommendationResourceType: Microsoft.Network/virtualNetworks
+  recommendationMetadataState: Active
+  longDescription: |
+    Improves monitoring and security for Azure and Hybrid connectivity
+  potentialBenefits: Improves monitoring and security for Azure connectivity
+  pgVerified: true
+  automationAvailable: true
+  tags: null
+  learnMoreLink:
+    - name: Virtual network flow logs
+      url: "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview"
@@ -2,10 +2,10 @@
   aprlGuid: f0d4f766-ac19-48c4-b228-4601cc038baa
   recommendationTypeId: null
   recommendationControl: MonitoringAndAlerting
-  recommendationImpact: High
+  recommendationImpact: Medium
   recommendationResourceType: Microsoft.Network/vpnGateways
   recommendationMetadataState: Active
-  longDescription: Set up monitoring and alerts for v-Hub's VPN Gateway. Create alert rule for ensuring promptly response to critical events such as packet drop counts, BGP status, Gateway overutilization.
+  longDescription: Set up monitoring and alerts for v-Hub's VPN Gateway. Create alert rule for ensuring promptly response to critical events such as packet drop counts, BGP status, Gateway over utilization. Mission Critical workloads should use dual ExpressRoutes instead of VPN.
   potentialBenefits: Detection and mitigation to avoid disruptions.
   pgVerified: false
   automationAvailable: false

@@ -1 +1,9 @@
-// under-development
+// Azure Resource Graph Query
+// This Resource Graph query will return all Recovery services vault with Classic alerts enabled.
+resources
+| where type in~ ('microsoft.recoveryservices/vaults')
+| extend monitoringSettings = parse_json(properties).monitoringSettings
+| extend isUsingClassicAlerts = case(isnull(monitoringSettings),'Enabled',monitoringSettings.classicAlertSettings.alertsForCriticalOperations)
+| extend isUsingJobsAlerts = case(isnull(monitoringSettings), 'Enabled', monitoringSettings.azureMonitorAlertSettings.alertsForAllJobFailures)
+| where isUsingClassicAlerts == 'Enabled'
+| project recommendationId = "2912472d-0198-4bdc-aa90-37f145790edc", name, id, tags, param1=strcat("isUsingClassicAlerts: ", isUsingClassicAlerts), param2=strcat("isUsingJobsAlerts: ", isUsingJobsAlerts)
@@ -1,5 +1,5 @@
 ---
 title: Resources
 geekdocCollapseSection: true
-geekdocHidden: false
+geekdocHidden: true
 ---
@@ -1,7 +1,7 @@
 ---
 title: subscriptions
 geekdocCollapseSection: true
-geekdocHidden: false
+geekdocHidden: true
 ---
 
 {{< azure-resources-recommendationlist name="azure-resources-recommendationlist" >}}