diff --git a/checklists-ext/appservicewebapps_sg_checklist.en.json b/checklists-ext/appservicewebapps_sg_checklist.en.json
index 42fd21193..8e5c28a6b 100644
--- a/checklists-ext/appservicewebapps_sg_checklist.en.json
+++ b/checklists-ext/appservicewebapps_sg_checklist.en.json
@@ -192,31 +192,31 @@
 "name": "reliability"
 },
 {
- "name": "cost"
+ "name": "Cost"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
- "name": "Cost"
+ "name": "security"
 },
 {
- "name": "Security"
+ "name": "Performance"
 },
 {
- "name": "security"
+ "name": "Reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "performance"
+ "name": "Security"
 },
 {
- "name": "Performance"
+ "name": "performance"
 },
 {
- "name": "Operations"
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -253,6 +253,6 @@
 "name": "App Service Web Apps Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 13, 2024"
+ "timestamp": "October 20, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureapplicationgateway_sg_checklist.en.json b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
index b8521bf0c..f497f846a 100644
--- a/checklists-ext/azureapplicationgateway_sg_checklist.en.json
+++ b/checklists-ext/azureapplicationgateway_sg_checklist.en.json
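Review bot: The new side of the array of `"name"` objects that precedes `"yesno"` still lists every entry twice, differing only in case (`"cost"` next to `"Cost"`, `"security"` next to `"Security"`, and so on), and this hunk only permutes their order; the identical permutation is repeated in azureapplicationgateway, azureblobstorage, azureexpressroute, azurefiles, azurefirewall, azurefrontdoor, azurekubernetesservice and azuremachinelearning. The order looks like unsorted set output from whatever generates these files, which is presumably why it changes on every regeneration and drowns the real content changes in noise. Emitting the list sorted and with one case-folded spelling per pillar would make these files stable across runs; which spelling the consumer expects is not visible here, so confirm that before collapsing the duplicates. The enclosing array opens before this hunk.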
@@ -4,234 +4,146 @@
 {
 "waf": "Reliability",
 "service": "Azure Application Gateway",
- "text": "Plan for rule updates",
- "description": "Plan enough time for updates before accessing Application Gateway or making further changes. For example, removing servers from backend pool might take some time because they have to drain existing connections.",
+ "text": "Deploy Application Gateway instances in a zone-aware configuration. Check regional support for zone redundancy because not all regions offer this feature.",
+ "description": "When you spread multiple instances across zones, your workload can withstand failures in a single zone. If you have an unavailable zone, traffic automatically shifts to healthy instances in other zones, which maintains application reliability.",
 "type": "recommendation",
- "guid": "9a17eb2b-c5e3-428b-9e45-73dead45c4f9"
+ "guid": "a36e2517-aa81-4e4b-9962-e78144b18ac7"
 },
 {
 "waf": "Reliability",
 "service": "Azure Application Gateway",
- "text": "Use health probes to detect backend unavailability",
- "description": "If Application Gateway is used to load balance incoming traffic over multiple backend instances, we recommend the use of health probes. These will ensure that traffic is not routed to backends that are unable to handle the traffic.",
+ "text": "Use Application Gateway health probes to detect back-end unavailability.",
+ "description": "Health probes ensure that traffic only routes to back ends that can handle the traffic. 
Application Gateway monitors the health of all the servers in its back-end pool and automatically stops sending traffic to any server that it considers unhealthy.",
 "type": "recommendation",
- "guid": "5bfa95df-20d8-4452-a6c1-79c88b07d4cc"
+ "guid": "9afcdcea-4d65-4d51-9008-297c2c363625"
 },
 {
 "waf": "Reliability",
 "service": "Azure Application Gateway",
- "text": "Review the impact of the interval and threshold settings on health probes",
- "description": "The health probe sends requests to the configured endpoint at a set interval. Also, there's a threshold of failed requests that will be tolerated before the backend is marked unhealthy. These numbers present a trade-off.- Setting a higher interval puts a higher load on your service. Each Application Gateway instance sends its own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.- Setting a lower interval leaves more time before an outage is detected.- Setting a low unhealthy threshold might mean that short, transient failures might take down a backend. - Setting a high threshold it can take longer to take a backend out of rotation.",
+ "text": "Configure rate-limiting rules for Azure WAF so that clients can't send too much traffic to your application.",
+ "description": "Use rate limiting to avoid problems like retry storms.",
 "type": "recommendation",
- "guid": "ec5bc6c4-6176-44a2-860e-8654f588effd"
+ "guid": "7bcec0ab-ea83-427d-ae8c-946bf662ece6"
 },
 {
 "waf": "Reliability",
 "service": "Azure Application Gateway",
- "text": "Verify downstream dependencies through health endpoints",
- "description": "Suppose each backend has its own dependencies to ensure failures are isolated. For example, an application hosted behind Application Gateway might have multiple backends, each connected to a different database (replica). When such a dependency fails, the application might be working but won't return valid results. 
For that reason, the health endpoint should ideally validate all dependencies. Keep in mind that if each call to the health endpoint has a direct dependency call, that database would receive 100 queries every 30 seconds instead of 1. To avoid this, the health endpoint should cache the state of the dependencies for a short period of time.",
+ "text": "Don't use UDRs on Application Gateway so that the back-end health report functions properly and generates the correct logs and metrics. If you must use a UDR in the Application Gateway subnet, see Supported UDRs.",
+ "description": "UDRs on the Application Gateway subnet can cause some problems. Don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics.",
 "type": "recommendation",
- "guid": "78bc5274-ca88-4e2a-8d3a-7b6a5ed1ccd6"
+ "guid": "b2881b32-11c9-4bec-94d0-255ec577fdab"
 },
 {
 "waf": "Reliability",
 "service": "Azure Application Gateway",
- "text": "When using Azure Front Door and Application Gateway to protect `HTTP/S` applications, use WAF policies in Front Door and lock down Application Gateway to receive traffic only from Azure Front Door.",
- "description": "Certain scenarios can force you to implement rules specifically on Application Gateway. For example, if ModSec CRS 2.2.9, CRS 3.0 or CRS 3.1 rules are required, these rules can be only implemented on Application Gateway. Conversely, rate-limiting and geo-filtering are available only on Azure Front Door, not on AppGateway.",
+ "text": "Configure the IdleTimeout settings to match the listener and traffic characteristics of the back-end application. The default value is four minutes. You can configure it to a maximum of 30 minutes. For more information, see Load balancer Transmission Control Protocol (TCP) reset and idle timeout.",
+ "description": "Set the IdleTimeout to match the back end. 
This setting ensures that the connection between Application Gateway and the client stays open if the back end takes more than four minutes to respond to the request. If you don't configure this setting, the connection closes, and the client doesn't see the back-end response.",
 "type": "recommendation",
- "guid": "da7234f3-70a7-47d2-b685-3e47843003e9"
+ "guid": "0719fb38-2436-415b-8db7-3d19a1e57bee"
 },
 {
 "waf": "Security",
 "service": "Azure Application Gateway",
- "text": "Set up a TLS policy for enhanced security",
- "description": "Set up a TLS policy for extra security. Ensure you're always using the latest TLS policy version available. This enforces TLS 1.2 and stronger ciphers.",
+ "text": "Set up a TLS policy for enhanced security. Ensure that you use the latest TLS policy version.",
+ "description": "Use the latest TLS policy to enforce the use of TLS 1.2 and stronger ciphers. The TLS policy includes control of the TLS protocol version and the cipher suites and also the order in which a TLS handshake uses ciphers.",
 "type": "recommendation",
- "guid": "9e5ba3b9-3512-425b-95e3-d5009e7630f3"
+ "guid": "8e0ffc7d-aecb-456f-8a8a-6cbd5743e076"
 },
 {
 "waf": "Security",
 "service": "Azure Application Gateway",
- "text": "Use AppGateway for TLS termination",
- "description": "There are advantages of using Application Gateway for TLS termination:- Performance improves because requests going to different backends to have to re-authenticate to each backend.- Better utilization of backend servers because they don't have to perform TLS processing- Intelligent routing by accessing the request content.- Easier certificate management because the certificate only needs to be installed on Application Gateway.",
+ "text": "Use Application Gateway for TLS termination.",
+ "description": "Performance improves because requests that go to different back ends don't have to reauthenticate to each back end. 
The gateway can access the request content and make intelligent routing decisions. You only need to install the certificate on Application Gateway, which simplifies certificate management.",
 "type": "recommendation",
- "guid": "5cbd84eb-56a7-4d18-9f50-de47d3b29a8f"
+ "guid": "0534341b-03de-4eb4-9fbb-47806be1958d"
 },
 {
 "waf": "Security",
 "service": "Azure Application Gateway",
- "text": "Use Azure Key Vault to store TLS certificates",
- "description": "Application Gateway can be integrated with Key Vault. This provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.",
+ "text": "Integrate Application Gateway with Key Vault to store TLS certificates.",
+ "description": "This approach provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.",
 "type": "recommendation",
- "guid": "c1e7b351-a459-49d1-b473-a1f663310205"
+ "guid": "14551ef6-ea58-410f-bb9b-08a0c10381a8"
 },
 {
 "waf": "Security",
 "service": "Azure Application Gateway",
- "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)",
- "description": "A TLS certificate of the backend server must be issued by a well-known CA. If the certificate was not issued by a trusted CA, the Application Gateway checks if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate is found. Only then a secure connection is established. Otherwise, Application Gateway marks the backend as unhealthy.",
+ "text": "Comply with all NSG restrictions for Application Gateway.",
+ "description": "The Application Gateway subnet supports NSGs, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. 
Make sure you understand the implications of those restrictions.",
 "type": "recommendation",
- "guid": "1f53df88-090e-4f67-8a41-866ea4938cb1"
- },
- {
- "waf": "Security",
- "service": "Azure Application Gateway",
- "text": "Use an appropriate DNS server for backend pool resources",
- "description": "When the backend pool contains a resolvable FQDN, the DNS resolution is based on a private DNS zone or custom DNS server (if configured on the VNet), or it uses the default Azure-provided DNS.",
- "type": "recommendation",
- "guid": "0e1af02a-017b-4a41-a7e5-98b47d7b1fd7"
- },
- {
- "waf": "Security",
- "service": "Azure Application Gateway",
- "text": "Comply with all NSG restrictions for Application Gateway",
- "description": "NSGs are supported on Application Gateway subnet, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions. For details, see Network security groups.",
- "type": "recommendation",
- "guid": "75da1adb-f8a2-4ad5-879a-a8552d1c836a"
- },
- {
- "waf": "Security",
- "service": "Azure Application Gateway",
- "text": "Refrain from using UDRs on the Application gateway subnet",
- "description": "Using User Defined Routes (UDR) on the Application Gateway subnet can cause some issues. Health status in the back-end might be unknown. Application Gateway logs and metrics might not get generated. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics. If your organizations require to use UDR in the Application Gateway subnet, please ensure you review the supported scenarios. 
For more information, see Supported user-defined routes.",
- "type": "recommendation",
- "guid": "7776e1c9-a0a7-4fd5-8fe9-1b2b9c56cf31"
- },
- {
- "waf": "Security",
- "service": "Azure Application Gateway",
- "text": "Be aware of Application Gateway capacity changes when enabling WAF",
- "description": "When WAF is enabled, every request must be buffered by the Application Gateway until it fully arrives, checks if the request matches with any rule violation in its core rule set, and then forwards the packet to the backend instances. When there are large file uploads (30MB+ in size), it can result in a significant latency. Because Application Gateway capacity requirements are different with WAF, we do not recommend enabling WAF on Application Gateway without proper testing and validation.",
- "type": "recommendation",
- "guid": "7c173790-6fac-43bc-b1b4-e787fdbb904f"
- },
- {
- "waf": "Cost",
- "service": "Azure Application Gateway",
- "text": "Familiarize yourself with Application Gateway pricing",
- "description": "For information about Application Gateway pricing, see Understanding Pricing for Azure Application Gateway and Web Application Firewall. You can also leverage the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.",
- "type": "recommendation",
- "guid": "13adc786-048a-4720-9aad-610419507199"
- },
- {
- "waf": "Cost",
- "service": "Azure Application Gateway",
- "text": "Review underutilized resources",
- "description": "Identify and delete Application Gateway instances with empty backend pools to avoid unnecessary costs.",
- "type": "recommendation",
- "guid": "8d3979f9-bd25-4455-9e2f-2cc7e0deaf5e"
+ "guid": "6febf0db-32d2-4e89-a3fd-debec3a426dd"
 },
 {
 "waf": "Cost",
 "service": "Azure Application Gateway",
- "text": "Stop Application Gateway instances when not in use",
- "description": "You aren't billed when Application Gateway is in the stopped state. 
Continuously running Application Gateway instances can incur extraneous costs. Evaluate usage patterns and stop instances when you don't need them. For example, usage after business hours in Dev/Test environments is expected to be low.See these articles for information about how to stop and start instances.- Stop-AzApplicationGateway- Start-AzApplicationGateway",
+ "text": "Stop Application Gateway instances when they're not in use. For more information, see Stop-AzApplicationGateway and Start-AzApplicationGateway.",
+ "description": "A stopped Application Gateway instance doesn't incur costs. Application Gateway instances that continuously run can incur unnecessary costs. Evaluate usage patterns, and stop instances when you don't need them. For example, expect low usage after business hours in dev/test environments.",
 "type": "recommendation",
- "guid": "fc01794b-1808-4152-a82c-95b43b2a4c45"
+ "guid": "147308ab-aa3c-4724-b314-5820ebe6a0ee"
 },
 {
 "waf": "Cost",
 "service": "Azure Application Gateway",
- "text": "Have a scale-in and scale-out policy",
- "description": "A scale-out policy ensures that there will be enough instances to handle incoming traffic and spikes. Also, have a scale-in policy that makes sure the number of instances are reduced when demand drops. Consider the choice of instance size. The size can significantly impact the cost. Some considerations are described in the Estimate the Application Gateway instance count.For more information, see What is Azure Application Gateway v2?",
+ "text": "Monitor key cost driver Application Gateway metrics, like: - Estimated billed capacity units. - Fixed billable capacity units. - Current capacity units. 
Make sure you account for bandwidth costs.",
+ "description": "Use these metrics to validate whether the provisioned instance count matches the amount of incoming traffic, and ensure that you fully utilize the allocated resources.",
 "type": "recommendation",
- "guid": "4e5743d9-44ec-4a09-9c80-d77056109fc6"
- },
- {
- "waf": "Cost",
- "service": "Azure Application Gateway",
- "text": "Review consumption metrics across different parameters",
- "description": "You're billed based on metered instances of Application Gateway based on the metrics tracked by Azure. Evaluate the various metrics and capacity units and determine the cost drivers. For more information, see Microsoft Cost Management and Billing. The following metrics are key for Application Gateway. This information can be used to validate that the provisioned instance count matches the amount of incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units- Current Capacity UnitsFor more information, see Application Gateway metrics.Make sure you account for bandwidth costs.",
- "type": "recommendation",
- "guid": "30129a61-cd84-4085-9533-5d42f89372d9"
+ "guid": "1946aefd-0576-40b2-a8ed-58265dc9dcf0"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Monitor capacity metrics",
- "description": "Use these metrics as indicators of utilization of the provisioned Application Gateway capacity. We strongly recommend setting up alerts on capacity. For details, see Application Gateway high traffic support.",
+ "text": "Configure alerts to notify your team when capacity metrics, like CPU usage and compute unit usage, cross recommended thresholds. To configure a comprehensive set of alerts based on capacity metrics, see Application Gateway high-traffic support.",
+ "description": "Set alerts when metrics cross thresholds so that you know when your usage increases. 
This approach ensures that you have enough time to implement necessary changes to your workload and prevents degradation or outages.",
 "type": "recommendation",
- "guid": "57cc0c49-939f-46d9-864e-d7ce31733771"
+ "guid": "aa1eacb3-ef9f-4e69-bc98-784ec67d1192"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Troubleshoot using metrics",
- "description": "There are other metrics that can indicate issues either at Application Gateway or the backend. We recommend evaluating the following alerts:- Unhealthy Host Count- Response Status (dimension 4xx and 5xx)- Backend Response Status (dimension 4xx and 5xx)- Backend Last Byte Response Time- Application Gateway Total TimeFor more information, see Metrics for Application Gateway.",
+ "text": "Configure alerts to notify your team about metrics that indicate problems either at Application Gateway or the back end. We recommend that you evaluate the following alerts:- Unhealthy host count- Response status, such as 4xx and 5xx errors - Back-end response status, such as 4xx and 5xx errors - Back-end last byte response time- Application Gateway total timeFor more information, see Metrics for Application Gateway.",
+ "description": "Use alerts to help ensure that your team can respond to problems in a timely manner and facilitate troubleshooting.",
 "type": "recommendation",
- "guid": "071e5241-c008-41a2-9e62-c056081158d2"
+ "guid": "91992f80-fca7-48ad-85bc-3bad00352475"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
- "description": "Diagnostic logs allow you to view firewall logs, performance logs, and access logs. Use these logs to manage and troubleshoot issues with Application Gateway instances. 
For more information, see Back-end health and diagnostic logs for Application Gateway.",
+ "text": "Enable diagnostic logs on Application Gateway and WAF to collect firewall logs, performance logs, and access logs.",
+ "description": "Use logs to help detect, investigate, and troubleshoot problems with Application Gateway instances and your workload.",
 "type": "recommendation",
- "guid": "7e160588-dc1c-48d5-9a56-4ddc6aeb8fc2"
+ "guid": "59ddc80c-f93b-488b-814d-270a4ad7786d"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Use Azure Monitor Network Insights",
- "description": "Azure Monitor Network Insights provides a comprehensive view of health and metrics for network resources, including Application Gateway. For additional details and supported capabilities for Application Gateway, see Azure Monitor Network insights.",
+ "text": "Use Advisor to monitor Key Vault configuration problems. Set an alert to notify your team when you get the recommendation that states Resolve Azure Key Vault issue for your Application Gateway.",
+ "description": "Use Advisor alerts to stay up to date and fix problems immediately. Prevent any control plane or data plane-related problems. Application Gateway checks for the renewed certificate version in the linked Key Vault instance every 4 hours. If the certificate version is inaccessible because of an incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation.",
 "type": "recommendation",
- "guid": "260dc49f-05b9-4c43-9cda-afc5b1923c89"
- },
- {
- "waf": "Operations",
- "service": "Azure Application Gateway",
- "text": "Match timeout settings with the backend application",
- "description": "Ensure you have configured the IdleTimeout settings to match the listener and traffic characteristics of the backend application. The default value is set to four minutes and can be configured to a maximum of 30. 
For more information, see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring application health for reliability.",
- "type": "recommendation",
- "guid": "8c5e5e8f-44d7-4494-8819-c1d765838fec"
- },
- {
- "waf": "Operations",
- "service": "Azure Application Gateway",
- "text": "Monitor Key Vault configuration issues using Azure Advisor",
- "description": "Application Gateway checks for the renewed certificate version in the linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation. You must configure the Advisor alerts to stay updated and fix such issues immediately to avoid any Control or Data plane related problems. For more information, see Investigating and resolving key vault errors. To set an alert for this specific case, use the Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.",
- "type": "recommendation",
- "guid": "4123369e-cbd7-472d-9879-e155476c2595"
- },
- {
- "waf": "Operations",
- "service": "Azure Application Gateway",
- "text": "Consider SNAT port limitations in your design",
- "description": "SNAT port limitations are important for backend connections on the Application Gateway. There are separate factors that affect how Application Gateway reaches the SNAT port limit. For example, if the backend is a public IP address, it will require its own SNAT port. In order to avoid SNAT port limitations, you can increase the number of instances per Application Gateway, scale out the backends to have more IP addresses, or move your backends into the same virtual network and use private IP addresses for the backends.Requests per second (RPS) on the Application Gateway will be affected if the SNAT port limit is reached. 
For example, if an Application Gateway reaches the SNAT port limit, then it won't be able to open a new connection to the backend, and the request will fail.",
- "type": "recommendation",
- "guid": "d2713c48-1e6f-4ee8-b91c-8499e7146945"
- },
- {
- "waf": "Performance",
- "service": "Azure Application Gateway",
- "text": "Define the minimum instance count",
- "description": "For Application Gateway v2 SKU, autoscaling takes some time (approximately six to seven minutes) before the additional set of instances is ready to serve traffic. During that time, if there are short spikes in traffic, expect transient latency or loss of traffic.We recommend that you set your minimum instance count to an optimal level. After you estimate the average instance count and determine your Application Gateway autoscaling trends, define the minimum instance count based on your application patterns. For information, see Application Gateway high traffic support.Check the Current Compute Units for the past one month. This metric represents the gateway's CPU utilization. To define the minimum instance count, divide the peak usage by 10. For example, if your average Current Compute Units in the past month is 50, set the minimum instance count to five.",
- "type": "recommendation",
- "guid": "8bba115b-e086-458e-beca-ae9d8144a1f6"
+ "guid": "88daf0df-5324-450c-ae59-e8d3f12f697a"
 },
 {
 "waf": "Performance",
 "service": "Azure Application Gateway",
- "text": "Define the maximum instance count",
- "description": "We recommend 125 as the maximum autoscale instance count. Make sure the subnet that has the Application Gateway has sufficient available IP addresses to support the scale-up set of instances.Setting the maximum instance count to 125 has no cost implications because you're billed only for the consumed capacity.",
+ "text": "Set the minimum instance count to an optimal level based on you estimated instance count, actual Application Gateway autoscaling trends, and your application patterns. 
Check the current compute units for the past month. This metric represents the gateway's CPU usage. To define the minimum instance count, divide the peak usage by 10. For example, if your average current compute units in the past month is 50, set the minimum instance count to five.",
+ "description": "For Application Gateway v2, autoscaling takes approximately six to seven minutes before the extra set of instances are ready to serve traffic. During that time, if Application Gateway has short spikes in traffic, expect transient latency or loss of traffic.",
 "type": "recommendation",
- "guid": "1250aa80-2761-4138-9565-57735472779b"
+ "guid": "1c9a7b2a-0e95-4416-8af5-4d173c48870e"
 },
 {
 "waf": "Performance",
 "service": "Azure Application Gateway",
- "text": "Define Application Gateway subnet size",
- "description": "Application Gateway needs a dedicated subnet within a virtual network. The subnet can have multiple instances of the deployed Application Gateway resource. You can also deploy other Application Gateway resources in that subnet, v1 or v2 SKU.Here are some considerations for defining the subnet size:- Application Gateway uses one private IP address per instance and another private IP address if a private front-end IP is configured.- Azure reserves five IP addresses in each subnet for internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances. Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum subnet size of /26 is recommended. Because the Standard_v2 or WAF_v2 SKU can support up to 125 instances, using the same calculation, a subnet size of /24 is recommended.- If you want to deploy additional Application Gateway resources in the same subnet, consider the additional IP addresses that will be required for their maximum instance count for both, Standard and Standard v2.",
+ "text": "Set the maximum autoscale instance count to the maximum possible, which is 125 instances. 
Make sure that the Application Gateway dedicated subnet has sufficient available IP addresses to support the increased set of instances.",
+ "description": "Application Gateway can scale out as needed to handle increased traffic to your applications. This setting doesn't increase cost because you only pay for the consumed capacity.",
 "type": "recommendation",
- "guid": "dbf3ca82-d3a8-431e-a86e-65df49c72032"
+ "guid": "2b1242f0-cf07-48fa-8567-63a11efd6d13"
 },
 {
 "waf": "Performance",
 "service": "Azure Application Gateway",
- "text": "Take advantage of features for autoscaling and performance benefits",
- "description": "The v2 SKU offers autoscaling to ensure that your Application Gateway can scale up as traffic increases. When compared to v1 SKU, v2 has capabilities that enhance the performance of the workload. For example, better TLS offload performance, quicker deployment and update times, zone redundancy, and more. For more information about autoscaling features, see Scaling Application Gateway v2 and WAF v2.If you are running v1 SKU Application gateway, consider migrating to the Application gateway v2 SKU. For more information, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.",
+ "text": "Appropriately size the Application Gateway dedicated subnet. We highly recommend a /24 subnet for an Application Gateway v2 deployment. If you want to deploy other Application Gateway resources in the same subnet, consider the extra IP addresses that you require for the maximum instance count. For more considerations about sizing the subnet, see Application Gateway infrastructure configuration.",
+ "description": "Use a /24 subnet to provide support for all IP addresses that your Application Gateway v2 deployment needs. Application Gateway uses one private IP address for each instance and another private IP address if you configure a private front-end IP. The Standard_v2 or WAF_v2 SKU can support up to 125 instances. 
Azure reserves five IP addresses in each subnet for internal use.",
 "type": "recommendation",
- "guid": "dffdc8e9-9139-46c1-93df-638e00cb3657"
+ "guid": "bd29ba93-56b6-43cc-9546-8aace18d45e5"
 }
 ],
 "categories": [],
@@ -240,31 +152,31 @@
 "name": "reliability"
 },
 {
- "name": "cost"
+ "name": "Cost"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
- "name": "Cost"
+ "name": "security"
 },
 {
- "name": "Security"
+ "name": "Performance"
 },
 {
- "name": "security"
+ "name": "Reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "performance"
+ "name": "Security"
 },
 {
- "name": "Performance"
+ "name": "performance"
 },
 {
- "name": "Operations"
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -301,6 +213,6 @@
 "name": "Azure Application Gateway Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 13, 2024"
+ "timestamp": "October 20, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azureblobstorage_sg_checklist.en.json b/checklists-ext/azureblobstorage_sg_checklist.en.json
index 8a72d1214..6ad0b3896 100644
--- a/checklists-ext/azureblobstorage_sg_checklist.en.json
+++ b/checklists-ext/azureblobstorage_sg_checklist.en.json
@@ -216,31 +216,31 @@
 "name": "reliability"
 },
 {
- "name": "cost"
+ "name": "Cost"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
- "name": "Cost"
+ "name": "security"
 },
 {
- "name": "Security"
+ "name": "Performance"
 },
 {
- "name": "security"
+ "name": "Reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "performance"
+ "name": "Security"
 },
 {
- "name": "Performance"
+ "name": "performance"
 },
 {
- "name": "Operations"
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -277,6 +277,6 @@
 "name": "Azure Blob Storage Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 13, 2024"
+ "timestamp": "October 20, 2024"
 }
 }
\ No newline at end of file
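Review bot: Every retained recommendation in this hunk gets a freshly generated `guid` even where only the wording changed (the health-probe, TLS-policy, Key Vault, TLS-termination, stop-instances and diagnostic-log items keep the same `waf` and intent), so if the guid is the stable identity that consumers use to carry a review's per-item status across versions, this rewrite silently resets that state for the whole service guide; if the reset is intended, say so in the commit message, otherwise keep the old guid on reworded items. Two text defects on the new side: the minimum-instance-count `text` reads `based on you estimated instance count` (should be `your`), and the alerts `text` runs its list items together (`… 4xx and 5xx errors - Back-end …`, `total timeFor more information`), which renders as one run-on sentence since `text` is plain JSON text with no line breaks. The rewrite also leaves the Security pillar without the guidance on validating the back-end certificate chain when re-encrypting, restricting ingress to Azure Front Door, and load-testing before enabling WAF; whether those are covered by another checklist is not visible here, so confirm that the coverage loss is deliberate. The enclosing array opens before this hunk.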
diff --git a/checklists-ext/azureexpressroute_sg_checklist.en.json b/checklists-ext/azureexpressroute_sg_checklist.en.json
index d75ea900d..c87889e44 100644
--- a/checklists-ext/azureexpressroute_sg_checklist.en.json
+++ b/checklists-ext/azureexpressroute_sg_checklist.en.json
@@ -208,31 +208,31 @@
 "name": "reliability"
 },
 {
- "name": "cost"
+ "name": "Cost"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
- "name": "Cost"
+ "name": "security"
 },
 {
- "name": "Security"
+ "name": "Performance"
 },
 {
- "name": "security"
+ "name": "Reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "performance"
+ "name": "Security"
 },
 {
- "name": "Performance"
+ "name": "performance"
 },
 {
- "name": "Operations"
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -269,6 +269,6 @@
 "name": "Azure Expressroute Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 13, 2024"
+ "timestamp": "October 20, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefiles_sg_checklist.en.json b/checklists-ext/azurefiles_sg_checklist.en.json
index 0a08f3e7d..979d7c5a8 100644
--- a/checklists-ext/azurefiles_sg_checklist.en.json
+++ b/checklists-ext/azurefiles_sg_checklist.en.json
@@ -240,31 +240,31 @@
 "name": "reliability"
 },
 {
- "name": "cost"
+ "name": "Cost"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
- "name": "Cost"
+ "name": "security"
 },
 {
- "name": "Security"
+ "name": "Performance"
 },
 {
- "name": "security"
+ "name": "Reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "performance"
+ "name": "Security"
 },
 {
- "name": "Performance"
+ "name": "performance"
 },
 {
- "name": "Operations"
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -301,6 +301,6 @@
 "name": "Azure Files Service Guide",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 13, 2024"
+ "timestamp": "October 20, 2024"
 }
 }
\ No newline at end of file
diff --git a/checklists-ext/azurefirewall_sg_checklist.en.json b/checklists-ext/azurefirewall_sg_checklist.en.json index fd3361860..5bcd62937 100644 --- a/checklists-ext/azurefirewall_sg_checklist.en.json +++ b/checklists-ext/azurefirewall_sg_checklist.en.json @@ -248,31 +248,31 @@ "name": "reliability" }, { - "name": "cost" + "name": "Cost" }, { - "name": "operations" + "name": "Operations" }, { - "name": "Cost" + "name": "security" }, { - "name": "Security" + "name": "Performance" }, { - "name": "security" + "name": "Reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "performance" + "name": "Security" }, { - "name": "Performance" + "name": "performance" }, { - "name": "Operations" + "name": "cost" } ], "yesno": [ @@ -309,6 +309,6 @@ "name": "Azure Firewall Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 13, 2024" + "timestamp": "October 20, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azurefrontdoor_sg_checklist.en.json b/checklists-ext/azurefrontdoor_sg_checklist.en.json index ef3fa1249..e00c8dc13 100644 --- a/checklists-ext/azurefrontdoor_sg_checklist.en.json +++ b/checklists-ext/azurefrontdoor_sg_checklist.en.json @@ -184,31 +184,31 @@ "name": "reliability" }, { - "name": "cost" + "name": "Cost" }, { - "name": "operations" + "name": "Operations" }, { - "name": "Cost" + "name": "security" }, { - "name": "Security" + "name": "Performance" }, { - "name": "security" + "name": "Reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "performance" + "name": "Security" }, { - "name": "Performance" + "name": "performance" }, { - "name": "Operations" + "name": "cost" } ], "yesno": [ @@ -245,6 +245,6 @@ "name": "Azure Front Door Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 13, 2024" + "timestamp": "October 20, 2024" } } \ No newline at end of file 
diff --git a/checklists-ext/azurekubernetesservice_sg_checklist.en.json b/checklists-ext/azurekubernetesservice_sg_checklist.en.json index 29ff1b714..10fd2600d 100644 --- a/checklists-ext/azurekubernetesservice_sg_checklist.en.json +++ b/checklists-ext/azurekubernetesservice_sg_checklist.en.json @@ -376,31 +376,31 @@ "name": "reliability" }, { - "name": "cost" + "name": "Cost" }, { - "name": "operations" + "name": "Operations" }, { - "name": "Cost" + "name": "security" }, { - "name": "Security" + "name": "Performance" }, { - "name": "security" + "name": "Reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "performance" + "name": "Security" }, { - "name": "Performance" + "name": "performance" }, { - "name": "Operations" + "name": "cost" } ], "yesno": [ @@ -437,6 +437,6 @@ "name": "Azure Kubernetes Service Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 13, 2024" + "timestamp": "October 20, 2024" } } \ No newline at end of file diff --git a/checklists-ext/azuremachinelearning_sg_checklist.en.json b/checklists-ext/azuremachinelearning_sg_checklist.en.json index 4b44ee891..d42e8c4be 100644 --- a/checklists-ext/azuremachinelearning_sg_checklist.en.json +++ b/checklists-ext/azuremachinelearning_sg_checklist.en.json @@ -272,31 +272,31 @@ "name": "reliability" }, { - "name": "cost" + "name": "Cost" }, { - "name": "operations" + "name": "Operations" }, { - "name": "Cost" + "name": "security" }, { - "name": "Security" + "name": "Performance" }, { - "name": "security" + "name": "Reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "performance" + "name": "Security" }, { - "name": "Performance" + "name": "performance" }, { - "name": "Operations" + "name": "cost" } ], "yesno": [ @@ -333,6 +333,6 @@ "name": "Azure Machine Learning Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 13, 2024" + "timestamp": "October 20, 2024" } } \ No newline at end of file 
diff --git a/checklists-ext/azureopenai_sg_checklist.en.json b/checklists-ext/azureopenai_sg_checklist.en.json index 97fb7774e..e2b1032dc 100644 --- a/checklists-ext/azureopenai_sg_checklist.en.json +++ b/checklists-ext/azureopenai_sg_checklist.en.json @@ -112,31 +112,31 @@ "name": "reliability" }, { - "name": "cost" + "name": "Cost" }, { - "name": "operations" + "name": "Operations" }, { - "name": "Cost" + "name": "security" }, { - "name": "Security" + "name": "Performance" }, { - "name": "security" + "name": "Reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "performance" + "name": "Security" }, { - "name": "Performance" + "name": "performance" }, { - "name": "Operations" + "name": "cost" } ], "yesno": [ @@ -173,6 +173,6 @@ "name": "Azure Openai Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 13, 2024" + "timestamp": "October 20, 2024" } } \ No newline at end of file diff --git a/checklists-ext/virtualmachines_sg_checklist.en.json b/checklists-ext/virtualmachines_sg_checklist.en.json index 0e6cb700b..4b3cd509c 100644 --- a/checklists-ext/virtualmachines_sg_checklist.en.json +++ b/checklists-ext/virtualmachines_sg_checklist.en.json @@ -232,31 +232,31 @@ "name": "reliability" }, { - "name": "cost" + "name": "Cost" }, { - "name": "operations" + "name": "Operations" }, { - "name": "Cost" + "name": "security" }, { - "name": "Security" + "name": "Performance" }, { - "name": "security" + "name": "Reliability" }, { - "name": "Reliability" + "name": "operations" }, { - "name": "performance" + "name": "Security" }, { - "name": "Performance" + "name": "performance" }, { - "name": "Operations" + "name": "cost" } ], "yesno": [ @@ -293,6 +293,6 @@ "name": "Virtual Machines Service Guide", "waf": "all", "state": "preview", - "timestamp": "October 13, 2024" + "timestamp": "October 20, 2024" } } \ No newline at end of file 
diff --git a/checklists-ext/wafsg_checklist.en.json b/checklists-ext/wafsg_checklist.en.json index 48958d2c0..f08136c80 100644 --- a/checklists-ext/wafsg_checklist.en.json +++ b/checklists-ext/wafsg_checklist.en.json 
@@ -476,490 +476,338 @@ { "waf": "reliability", "service": "Azure Application Gateway", - "text": "Deploy the instances in a zone-aware configuration, where available.", + "text": "Use Application Gateway v2 in new deployments unless your workload specifically requires Application Gateway v1.", "description": "", "type": "checklist", - "guid": "ee4fab35-3fcf-469c-aa4a-baaa7ea46a76" + "guid": "12b36c73-1ef0-428b-89b2-2b3db9077b88" }, { "waf": "reliability", "service": "Azure Application Gateway", - "text": "Use Application Gateway with Web Application Firewall (WAF) within a virtual network to protect inbound `HTTP/S` traffic from the Internet.", + "text": "Build redundancy in your design. Spread Application Gateway instances across availability zones to improve fault tolerance and build redundancy. Traffic goes to other zones if one zone fails. For more information, see Recommendations for using availability zones and regions.", "description": "", "type": "checklist", - "guid": "897c9b7a-c56c-4390-9938-71ed0ee875d8" + "guid": "f4a44a99-6a02-46f3-851a-5579949b9dee" }, { "waf": "reliability", "service": "Azure Application Gateway", - "text": "In new deployments, use Azure Application Gateway v2 unless there is a compelling reason to use Azure Application Gateway v1.", + "text": "Plan extra time for rule updates and other configuration changes before you access Application Gateway or make further changes. For example, you might need extra time to remove servers from a back-end pool because they have to drain existing connections.", "description": "", "type": "checklist", - "guid": "9d1d0113-dcc3-4309-bf89-57f43eff537c" + "guid": "54a59adf-6a9e-4068-9276-ced14131275e" }, { "waf": "reliability", "service": "Azure Application Gateway", - "text": "Plan for rule updates", + "text": "Implement the Health Endpoint Monitoring pattern. 
Your application should expose health endpoints, which aggregate the state of the critical services and dependencies that your application needs to serve requests. Application Gateway health probes use the endpoint to detect the health of servers in the back-end pool. For more information, see Health Endpoint Monitoring pattern.", "description": "", "type": "checklist", - "guid": "f6991e25-5c9d-4b36-9df6-d4cd17d6d7cc" + "guid": "fbc1a333-d306-4d1e-8796-17e2df93b21d" }, { "waf": "reliability", "service": "Azure Application Gateway", - "text": "Use health probes to detect backend unavailability", + "text": "Evaluate the impact of interval and threshold settings on a health probe. The health probe sends requests to the configured endpoint at a set interval. And the back end tolerates a limited number of failed requests before it's marked as unhealthy. These settings can conflict, which presents a tradeoff.", "description": "", "type": "checklist", - "guid": "93d5c5fc-95da-40dc-a935-bcdf72bb49bc" + "guid": "a13fb2ce-1102-4f48-a841-41bb97cdecd8" }, { "waf": "reliability", "service": "Azure Application Gateway", - "text": "Review the impact of the interval and threshold settings on health probes", + "text": "Verify downstream dependencies through health endpoints. To isolate failures, each of your back ends might have its own dependencies. For example, an application that you host behind Application Gateway might have multiple back ends, and each back end connects to a different database, or replica. When such a dependency fails, the application might work but doesn't return valid results. 
For that reason, the health endpoint should ideally validate all dependencies.", "description": "", "type": "checklist", - "guid": "e4a0745d-0b8a-459b-8fc0-0399061a6425" + "guid": "831469ab-6e35-4740-a283-1ac886bd1836" }, { "waf": "reliability", "service": "Azure Application Gateway", - "text": "Verify downstream dependencies through health endpoints", + "text": "Consider Application Gateway limitations and known issues that might affect reliability. Review the Application Gateway FAQ for important information about by-design behavior, fixes under construction, platform limitations, and possible workarounds or mitigation strategies. Don't use UDRs in the Application Gateway dedicated subnet.", "description": "", "type": "checklist", - "guid": "4d7b12c2-d9bb-4547-8238-c2c93491afed" + "guid": "b4a35881-6e26-4b8c-b870-fc00da6799eb" }, { - "waf": "Reliability", + "waf": "reliability", "service": "Azure Application Gateway", - "text": "Plan for rule updates", - "description": "Plan enough time for updates before accessing Application Gateway or making further changes. For example, removing servers from backend pool might take some time because they have to drain existing connections.", - "type": "recommendation", - "guid": "f6991e25-5c9d-4b36-9df6-d4cd17d6d7cc" + "text": "Consider Source Network Address Translation (SNAT) port limitations in your design that can affect back-end connections on Application Gateway. Some factors affect how Application Gateway reaches the SNAT port limit. For example, if the back end is a public IP address, it requires its own SNAT port. 
To avoid SNAT port limitations, you can do one of the following options:", + "description": "", + "type": "checklist", + "guid": "aacf5d13-97a8-4b22-b3b3-e9920e26cc8a" }, { "waf": "Reliability", "service": "Azure Application Gateway", - "text": "Use health probes to detect backend unavailability", - "description": "If Application Gateway is used to load balance incoming traffic over multiple backend instances, we recommend the use of health probes. These will ensure that traffic is not routed to backends that are unable to handle the traffic.", + "text": "Deploy Application Gateway instances in a zone-aware configuration. Check regional support for zone redundancy because not all regions offer this feature.", + "description": "When you spread multiple instances across zones, your workload can withstand failures in a single zone. If you have an unavailable zone, traffic automatically shifts to healthy instances in other zones, which maintains application reliability.", "type": "recommendation", - "guid": "93d5c5fc-95da-40dc-a935-bcdf72bb49bc" + "guid": "d4a3a0ad-1d2b-4173-ac4c-44acb08fa368" }, { "waf": "Reliability", "service": "Azure Application Gateway", - "text": "Review the impact of the interval and threshold settings on health probes", - "description": "The health probe sends requests to the configured endpoint at a set interval. Also, there's a threshold of failed requests that will be tolerated before the backend is marked unhealthy. These numbers present a trade-off.- Setting a higher interval puts a higher load on your service. Each Application Gateway instance sends its own health probes, so 100 instances every 30 seconds means 100 requests per 30 seconds.- Setting a lower interval leaves more time before an outage is detected.- Setting a low unhealthy threshold might mean that short, transient failures might take down a backend. 
- Setting a high threshold it can take longer to take a backend out of rotation.", + "text": "Use Application Gateway health probes to detect back-end unavailability.", + "description": "Health probes ensure that traffic only routes to back ends that can handle the traffic. Application Gateway monitors the health of all the servers in its back-end pool and automatically stops sending traffic to any server that it considers unhealthy.", "type": "recommendation", - "guid": "e4a0745d-0b8a-459b-8fc0-0399061a6425" + "guid": "13ba88d2-e858-44f3-9747-f11a4c3615fd" }, { "waf": "Reliability", "service": "Azure Application Gateway", - "text": "Verify downstream dependencies through health endpoints", - "description": "Suppose each backend has its own dependencies to ensure failures are isolated. For example, an application hosted behind Application Gateway might have multiple backends, each connected to a different database (replica). When such a dependency fails, the application might be working but won't return valid results. For that reason, the health endpoint should ideally validate all dependencies. Keep in mind that if each call to the health endpoint has a direct dependency call, that database would receive 100 queries every 30 seconds instead of 1. 
To avoid this, the health endpoint should cache the state of the dependencies for a short period of time.", + "text": "Configure rate-limiting rules for Azure WAF so that clients can't send too much traffic to your application.", + "description": "Use rate limiting to avoid problems like retry storms.", "type": "recommendation", - "guid": "4d7b12c2-d9bb-4547-8238-c2c93491afed" + "guid": "0ace6ede-d8a6-4c71-bd0b-feba5fdb57ef" }, { "waf": "Reliability", "service": "Azure Application Gateway", - "text": "When using Azure Front Door and Application Gateway to protect `HTTP/S` applications, use WAF policies in Front Door and lock down Application Gateway to receive traffic only from Azure Front Door.", - "description": "Certain scenarios can force you to implement rules specifically on Application Gateway. For example, if ModSec CRS 2.2.9, CRS 3.0 or CRS 3.1 rules are required, these rules can be only implemented on Application Gateway. Conversely, rate-limiting and geo-filtering are available only on Azure Front Door, not on AppGateway.", + "text": "Don't use UDRs on Application Gateway so that the back-end health report functions properly and generates the correct logs and metrics. If you must use a UDR in the Application Gateway subnet, see Supported UDRs.", + "description": "UDRs on the Application Gateway subnet can cause some problems. Don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics.", "type": "recommendation", - "guid": "2cc68719-238d-40f1-9eda-37a4b77cabc2" + "guid": "7fafa967-ba5d-4de5-8446-14c154e20b39" }, { - "waf": "security", + "waf": "Reliability", "service": "Azure Application Gateway", - "text": "Set up a TLS policy for enhanced security", - "description": "", - "type": "checklist", - "guid": "c394ed0c-ddb2-4efa-b4eb-deb2f11cff32" + "text": "Configure the IdleTimeout settings to match the listener and traffic characteristics of the back-end application. The default value is four minutes. 
You can configure it to a maximum of 30 minutes. For more information, see Load balancer Transmission Control Protocol (TCP) reset and idle timeout.", + "description": "Set the IdleTimeout to match the back end. This setting ensures that the connection between Application Gateway and the client stays open if the back end takes more than four minutes to respond to the request. If you don't configure this setting, the connection closes, and the client doesn't see the back-end response.", + "type": "recommendation", + "guid": "e7750d05-2f4c-4dfa-b330-001d53221295" }, { "waf": "security", "service": "Azure Application Gateway", - "text": "Use AppGateway for TLS termination", + "text": "Review the security baseline for Application Gateway.", "description": "", "type": "checklist", - "guid": "f2c0a397-56bb-45f1-ac4d-b1837045db05" + "guid": "29e7a329-70b0-4458-8980-08810eeb5e8c" }, { "waf": "security", "service": "Azure Application Gateway", - "text": "Use Azure Key Vault to store TLS certificates", + "text": "Block common threats at the edge. WAF integrates with Application Gateway. Enable WAF rules on the front ends to protect applications from common exploits and vulnerabilities at the network edge, which is close to the attack source. For more information, see WAF on Application Gateway.", "description": "", "type": "checklist", - "guid": "db6594c5-00d9-42e3-9190-0da310bd8af5" + "guid": "06e72d1f-194b-4f65-805a-fd78eb15deb1" }, { "waf": "security", "service": "Azure Application Gateway", - "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)", + "text": "Allow only authorized access to the control plane. 
Use Application Gateway role-based access control (RBAC) to restrict access to only the identities that need it.", "description": "", "type": "checklist", - "guid": "79778b7d-1a8d-47bf-9000-cfe8f28007ed" + "guid": "e92b04dd-c98e-4f4e-bdd5-903fd4e50098" }, { "waf": "security", "service": "Azure Application Gateway", - "text": "Use an appropriate DNS server for backend pool resources", + "text": "Protect data in transit. Enable end-to-end Transport Layer Security (TLS), TLS termination, and end-to-end TLS encryption. When you re-encrypt back-end traffic, ensure that the back-end server certificate contains both the root and intermediate certificate authorities (CAs).", "description": "", "type": "checklist", - "guid": "32630271-62af-4005-933b-36e73b3d6c43" + "guid": "616bcb27-4b69-4b6d-be33-c97788d267d9" }, { "waf": "security", "service": "Azure Application Gateway", - "text": "Comply with all NSG restrictions for Application Gateway", + "text": "Protect application secrets. Use Azure Key Vault to store TLS certificates for increased security and an easier certificate renewal and rotation process.", "description": "", "type": "checklist", - "guid": "5644f4cb-0c54-41d6-9aff-27357089743c" + "guid": "dfb1da6c-7250-47eb-9780-6d3661bce1ed" }, { "waf": "security", "service": "Azure Application Gateway", - "text": "Refrain from using UDRs on the Application Gateway subnet", + "text": "Reduce the attack surface and harden the configuration. Remove default configurations that you don't need, and harden your Application Gateway configuration to tighten security controls. Comply with all network security group (NSG) restrictions for Application Gateway.", "description": "", "type": "checklist", - "guid": "5ff5e810-ac1d-42ef-9a30-812c15c42be8" + "guid": "0dbdce8a-165e-48ad-a562-5d7d4fd259e5" }, { "waf": "security", "service": "Azure Application Gateway", - "text": "Be aware of Application Gateway capacity changes when enabling WAF", + "text": "Monitor anomalous activity. 
Regularly review logs to check for attacks and false positives. Send WAF logs from Application Gateway to your organization's centralized security information and event management (SIEM), such as Microsoft Sentinel, to detect threat patterns and incorporate preventative measures in the workload design.", "description": "", "type": "checklist", - "guid": "3ac67acb-dcca-413d-b0f9-50441d51675f" - }, - { - "waf": "Security", - "service": "Azure Application Gateway", - "text": "Set up a TLS policy for enhanced security", - "description": "Set up a TLS policy for extra security. Ensure you're always using the latest TLS policy version available. This enforces TLS 1.2 and stronger ciphers.", - "type": "recommendation", - "guid": "c394ed0c-ddb2-4efa-b4eb-deb2f11cff32" + "guid": "b6d22f85-e9d4-4a82-83cb-78e0bbe1c3da" }, { "waf": "Security", "service": "Azure Application Gateway", - "text": "Use AppGateway for TLS termination", - "description": "There are advantages of using Application Gateway for TLS termination:- Performance improves because requests going to different backends to have to re-authenticate to each backend.- Better utilization of backend servers because they don't have to perform TLS processing- Intelligent routing by accessing the request content.- Easier certificate management because the certificate only needs to be installed on Application Gateway.", + "text": "Set up a TLS policy for enhanced security. Ensure that you use the latest TLS policy version.", + "description": "Use the latest TLS policy to enforce the use of TLS 1.2 and stronger ciphers. 
The TLS policy includes control of the TLS protocol version and the cipher suites and also the order in which a TLS handshake uses ciphers.", "type": "recommendation", - "guid": "f2c0a397-56bb-45f1-ac4d-b1837045db05" + "guid": "1a3a9dbe-2312-4a68-b063-8b0c22592e23" }, { "waf": "Security", "service": "Azure Application Gateway", - "text": "Use Azure Key Vault to store TLS certificates", - "description": "Application Gateway can be integrated with Key Vault. This provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.", + "text": "Use Application Gateway for TLS termination.", + "description": "Performance improves because requests that go to different back ends don't have to reauthenticate to each back end. The gateway can access the request content and make intelligent routing decisions. You only need to install the certificate on Application Gateway, which simplifies certificate management.", "type": "recommendation", - "guid": "db6594c5-00d9-42e3-9190-0da310bd8af5" + "guid": "0c1b9371-c2cb-49da-85eb-26cc64757480" }, { "waf": "Security", "service": "Azure Application Gateway", - "text": "When re-encrypting backend traffic, ensure the backend server certificate contains both the root and intermediate Certificate Authorities (CAs)", - "description": "A TLS certificate of the backend server must be issued by a well-known CA. If the certificate was not issued by a trusted CA, the Application Gateway checks if the certificate was issued by a trusted CA, and so on, until a trusted CA certificate is found. Only then a secure connection is established. 
Otherwise, Application Gateway marks the backend as unhealthy.", + "text": "Integrate Application Gateway with Key Vault to store TLS certificates.", + "description": "This approach provides stronger security, easier separation of roles and responsibilities, support for managed certificates, and an easier certificate renewal and rotation process.", "type": "recommendation", - "guid": "79778b7d-1a8d-47bf-9000-cfe8f28007ed" + "guid": "ea5e0485-b8da-4ee3-8a93-e99759bb4425" }, { "waf": "Security", "service": "Azure Application Gateway", - "text": "Use an appropriate DNS server for backend pool resources", - "description": "When the backend pool contains a resolvable FQDN, the DNS resolution is based on a private DNS zone or custom DNS server (if configured on the VNet), or it uses the default Azure-provided DNS.", + "text": "Comply with all NSG restrictions for Application Gateway.", + "description": "The Application Gateway subnet supports NSGs, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions.", "type": "recommendation", - "guid": "32630271-62af-4005-933b-36e73b3d6c43" - }, - { - "waf": "Security", - "service": "Azure Application Gateway", - "text": "Comply with all NSG restrictions for Application Gateway", - "description": "NSGs are supported on Application Gateway subnet, but there are some restrictions. For instance, some communication with certain port ranges is prohibited. Make sure you understand the implications of those restrictions. For details, see Network security groups.", - "type": "recommendation", - "guid": "5644f4cb-0c54-41d6-9aff-27357089743c" - }, - { - "waf": "Security", - "service": "Azure Application Gateway", - "text": "Refrain from using UDRs on the Application gateway subnet", - "description": "Using User Defined Routes (UDR) on the Application Gateway subnet can cause some issues. 
Health status in the back-end might be unknown. Application Gateway logs and metrics might not get generated. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics. If your organizations require to use UDR in the Application Gateway subnet, please ensure you review the supported scenarios. For more information, see Supported user-defined routes.", - "type": "recommendation", - "guid": "96ac0266-6e5d-4944-bccb-0c6b3bd00b89" - }, - { - "waf": "Security", - "service": "Azure Application Gateway", - "text": "Be aware of Application Gateway capacity changes when enabling WAF", - "description": "When WAF is enabled, every request must be buffered by the Application Gateway until it fully arrives, checks if the request matches with any rule violation in its core rule set, and then forwards the packet to the backend instances. When there are large file uploads (30MB+ in size), it can result in a significant latency. Because Application Gateway capacity requirements are different with WAF, we do not recommend enabling WAF on Application Gateway without proper testing and validation.", - "type": "recommendation", - "guid": "3ac67acb-dcca-413d-b0f9-50441d51675f" - }, - { - "waf": "cost", - "service": "Azure Application Gateway", - "text": "Familiarize yourself with Application Gateway pricing", - "description": "", - "type": "checklist", - "guid": "dc1995b1-dcc3-4864-a862-0c5ceeb3452c" + "guid": "573c5c87-a8d7-434a-bc3f-209bab02e1e3" }, { "waf": "cost", "service": "Azure Application Gateway", - "text": "Review underutilized resources", + "text": "Familiarize yourself with Application Gateway and WAF pricing. Choose appropriately sized options to meet your workload capacity demand and deliver expected performance without wasting resources. 
To estimate costs, use the pricing calculator.", "description": "", "type": "checklist", - "guid": "baadcfab-050c-4d30-a79a-a235e775836a" + "guid": "5a84b7c4-ee9e-4d73-aa23-c72b22068b5c" }, { "waf": "cost", "service": "Azure Application Gateway", - "text": "Stop Application Gateway instances that are not in use", + "text": "Remove unused Application Gateway instances, and optimize underused instances. To avoid unnecessary costs, identify and delete Application Gateway instances that have empty back-end pools. Stop Application Gateway instances when they're not in use.", "description": "", "type": "checklist", - "guid": "03e1fbfa-86c2-4550-a6aa-e111d6ab895d" + "guid": "d3f52caf-385f-438a-a8f6-141c46452277" }, { "waf": "cost", "service": "Azure Application Gateway", - "text": "Have a scale-in and scale-out policy", + "text": "Optimize the scaling cost of your Application Gateway instance. To optimize your scaling strategy and reduce your wokload's demands, see Recommendations for optimizing scaling cost.", "description": "", "type": "checklist", - "guid": "a63e6bb7-8040-4b43-9d0e-6ca8a3413315" + "guid": "189437c3-c8b7-4186-aefa-353651b4885a" }, { "waf": "cost", "service": "Azure Application Gateway", - "text": "Review consumption metrics across different parameters", + "text": "Monitor Application Gateway consumption metrics, and understand their cost impact. Azure charges for metered instances of Application Gateway based on tracked metrics. Evaluate the various metrics and capacity units, and determine the cost drivers. 
For more information, see Microsoft Cost Management.", "description": "", "type": "checklist", - "guid": "352664a9-dea7-4e45-9f4a-b1160768ac1b" + "guid": "2a8113e8-7870-49b1-aeaf-39fa6e5d9992" }, { "waf": "Cost", "service": "Azure Application Gateway", - "text": "Familiarize yourself with Application Gateway pricing", - "description": "For information about Application Gateway pricing, see Understanding Pricing for Azure Application Gateway and Web Application Firewall. You can also leverage the Pricing calculator.Ensure that the options are adequately sized to meet the capacity demand and deliver expected performance without wasting resources.", + "text": "Stop Application Gateway instances when they're not in use. For more information, see Stop-AzApplicationGateway and Start-AzApplicationGateway.", + "description": "A stopped Application Gateway instance doesn't incur costs. Application Gateway instances that continuously run can incur unnecessary costs. Evaluate usage patterns, and stop instances when you don't need them. For example, expect low usage after business hours in dev/test environments.", "type": "recommendation", - "guid": "dc1995b1-dcc3-4864-a862-0c5ceeb3452c" + "guid": "58efe3ac-2476-4879-a014-d8eccee8da2a" }, { "waf": "Cost", "service": "Azure Application Gateway", - "text": "Review underutilized resources", - "description": "Identify and delete Application Gateway instances with empty backend pools to avoid unnecessary costs.", + "text": "Monitor key cost driver Application Gateway metrics, like: - Estimated billed capacity units. - Fixed billable capacity units. - Current capacity units. 
Make sure you account for bandwidth costs.", + "description": "Use these metrics to validate whether the provisioned instance count matches the amount of incoming traffic, and ensure that you fully utilize the allocated resources.", "type": "recommendation", - "guid": "baadcfab-050c-4d30-a79a-a235e775836a" - }, - { - "waf": "Cost", - "service": "Azure Application Gateway", - "text": "Stop Application Gateway instances when not in use", - "description": "You aren't billed when Application Gateway is in the stopped state. Continuously running Application Gateway instances can incur extraneous costs. Evaluate usage patterns and stop instances when you don't need them. For example, usage after business hours in Dev/Test environments is expected to be low.See these articles for information about how to stop and start instances.- Stop-AzApplicationGateway- Start-AzApplicationGateway", - "type": "recommendation", - "guid": "6af81413-0516-4067-9e26-8aad8d2d06ca" - }, - { - "waf": "Cost", - "service": "Azure Application Gateway", - "text": "Have a scale-in and scale-out policy", - "description": "A scale-out policy ensures that there will be enough instances to handle incoming traffic and spikes. Also, have a scale-in policy that makes sure the number of instances are reduced when demand drops. Consider the choice of instance size. The size can significantly impact the cost. Some considerations are described in the Estimate the Application Gateway instance count.For more information, see What is Azure Application Gateway v2?", - "type": "recommendation", - "guid": "a63e6bb7-8040-4b43-9d0e-6ca8a3413315" - }, - { - "waf": "Cost", - "service": "Azure Application Gateway", - "text": "Review consumption metrics across different parameters", - "description": "You're billed based on metered instances of Application Gateway based on the metrics tracked by Azure. Evaluate the various metrics and capacity units and determine the cost drivers. 
For more information, see Microsoft Cost Management and Billing. The following metrics are key for Application Gateway. This information can be used to validate that the provisioned instance count matches the amount of incoming traffic.- Estimated Billed Capacity Units- Fixed Billable Capacity Units- Current Capacity UnitsFor more information, see Application Gateway metrics.Make sure you account for bandwidth costs.",
- "type": "recommendation",
- "guid": "352664a9-dea7-4e45-9f4a-b1160768ac1b"
- },
- {
- "waf": "operations",
- "service": "Azure Application Gateway",
- "text": "Monitor capacity metrics",
- "description": "",
- "type": "checklist",
- "guid": "2aeef441-2f0c-4f28-b3fe-85bb210e70d4"
- },
- {
- "waf": "operations",
- "service": "Azure Application Gateway",
- "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
- "description": "",
- "type": "checklist",
- "guid": "2a3d27da-fdb8-49b0-95ed-7f9b32b4f7ca"
+ "guid": "fd75964f-9b65-416c-a1c1-de548ad574ce"
 },
 {
 "waf": "operations",
 "service": "Azure Application Gateway",
- "text": "Use Azure Monitor Network Insights",
+ "text": "Enable diagnostics on Application Gateway and WAF. Collect logs and metrics so you can monitor the health of the workload, identify trends in the workload performance and reliability, and troubleshoot problems. To design your overall monitoring approach, see Recommendations for designing and creating a monitoring system.",
 "description": "",
 "type": "checklist",
- "guid": "69a9c288-6a98-447b-92f8-68c84adc85cd"
+ "guid": "21e05ca9-4195-40c4-a568-d40330b4a852"
 },
 {
 "waf": "operations",
 "service": "Azure Application Gateway",
- "text": "Match timeout settings with the backend application",
+ "text": "Use Azure Monitor Network Insights to get a comprehensive view of health and metrics for network resources, including Application Gateway. 
Use centralized monitoring to quickly identify and resolve problems, optimize performance, and ensure the reliability of your applications.",
 "description": "",
 "type": "checklist",
- "guid": "82f522dd-25e0-4e7c-a547-bc23577f7f1c"
+ "guid": "417dcfc5-3516-4d5d-ab16-86b929b8e06a"
 },
 {
 "waf": "operations",
 "service": "Azure Application Gateway",
- "text": "Monitor Key Vault configuration issues using Azure Advisor",
+ "text": "Monitor Application Gateway recommendations in Azure Advisor. Configure alerts to notify your team when you have new, critical recommendations for your Application Gateway instance. Advisor generates recommendations based on properties, such as the category, impact level, and recommendation type.",
 "description": "",
 "type": "checklist",
- "guid": "6f9954fb-dff1-4d54-8672-0c1245908dca"
- },
- {
- "waf": "operations",
- "service": "Azure Application Gateway",
- "text": "Configure and monitor SNAT port limitations",
- "description": "",
- "type": "checklist",
- "guid": "78bbcbf2-30c3-4c77-8e8f-8faf4c4b817d"
- },
- {
- "waf": "operations",
- "service": "Azure Application Gateway",
- "text": "Consider SNAT port limitations in your design",
- "description": "",
- "type": "checklist",
- "guid": "ca428415-6120-410f-9a91-c1baeb6c0084"
+ "guid": "455209bc-8603-41ed-bcf9-0c535b024bda"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Monitor capacity metrics",
- "description": "Use these metrics as indicators of utilization of the provisioned Application Gateway capacity. We strongly recommend setting up alerts on capacity. For details, see Application Gateway high traffic support.",
+ "text": "Configure alerts to notify your team when capacity metrics, like CPU usage and compute unit usage, cross recommended thresholds. 
To configure a comprehensive set of alerts based on capacity metrics, see Application Gateway high-traffic support.",
+ "description": "Set alerts when metrics cross thresholds so that you know when your usage increases. This approach ensures that you have enough time to implement necessary changes to your workload and prevents degradation or outages.",
 "type": "recommendation",
- "guid": "2aeef441-2f0c-4f28-b3fe-85bb210e70d4"
+ "guid": "a6437209-8d1a-4a6b-94c8-84bb342256a4"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Troubleshoot using metrics",
- "description": "There are other metrics that can indicate issues either at Application Gateway or the backend. We recommend evaluating the following alerts:- Unhealthy Host Count- Response Status (dimension 4xx and 5xx)- Backend Response Status (dimension 4xx and 5xx)- Backend Last Byte Response Time- Application Gateway Total TimeFor more information, see Metrics for Application Gateway.",
+ "text": "Configure alerts to notify your team about metrics that indicate problems either at Application Gateway or the back end. We recommend that you evaluate the following alerts:- Unhealthy host count- Response status, such as 4xx and 5xx errors - Back-end response status, such as 4xx and 5xx errors - Back-end last byte response time- Application Gateway total timeFor more information, see Metrics for Application Gateway.",
+ "description": "Use alerts to help ensure that your team can respond to problems in a timely manner and facilitate troubleshooting.",
 "type": "recommendation",
- "guid": "af883a3e-1ece-4f8a-9732-95a461fe244c"
+ "guid": "0c7b12f7-1980-420c-bc6c-e6a14a76ef13"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Enable diagnostics on Application Gateway and Web Application Firewall (WAF)",
- "description": "Diagnostic logs allow you to view firewall logs, performance logs, and access logs. 
Use these logs to manage and troubleshoot issues with Application Gateway instances. For more information, see Back-end health and diagnostic logs for Application Gateway.",
+ "text": "Enable diagnostic logs on Application Gateway and WAF to collect firewall logs, performance logs, and access logs.",
+ "description": "Use logs to help detect, investigate, and troubleshoot problems with Application Gateway instances and your workload.",
 "type": "recommendation",
- "guid": "2a3d27da-fdb8-49b0-95ed-7f9b32b4f7ca"
+ "guid": "242dccc5-f6ec-483b-9f44-6b90695c9a55"
 },
 {
 "waf": "Operations",
 "service": "Azure Application Gateway",
- "text": "Use Azure Monitor Network Insights",
- "description": "Azure Monitor Network Insights provides a comprehensive view of health and metrics for network resources, including Application Gateway. For additional details and supported capabilities for Application Gateway, see Azure Monitor Network insights.",
+ "text": "Use Advisor to monitor Key Vault configuration problems. Set an alert to notify your team when you get the recommendation that states Resolve Azure Key Vault issue for your Application Gateway.",
+ "description": "Use Advisor alerts to stay up to date and fix problems immediately. Prevent any control plane or data plane-related problems. Application Gateway checks for the renewed certificate version in the linked Key Vault instance every 4 hours. If the certificate version is inaccessible because of an incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation.",
 "type": "recommendation",
- "guid": "69a9c288-6a98-447b-92f8-68c84adc85cd"
- },
- {
- "waf": "Operations",
- "service": "Azure Application Gateway",
- "text": "Match timeout settings with the backend application",
- "description": "Ensure you have configured the IdleTimeout settings to match the listener and traffic characteristics of the backend application. 
The default value is set to four minutes and can be configured to a maximum of 30. For more information, see Load Balancer TCP Reset and Idle Timeout.For workload considerations, see Monitoring application health for reliability.",
- "type": "recommendation",
- "guid": "82f522dd-25e0-4e7c-a547-bc23577f7f1c"
- },
- {
- "waf": "Operations",
- "service": "Azure Application Gateway",
- "text": "Monitor Key Vault configuration issues using Azure Advisor",
- "description": "Application Gateway checks for the renewed certificate version in the linked Key Vault at every 4-hour interval. If it is inaccessible due to any incorrect Key Vault configuration, it logs that error and pushes a corresponding Advisor recommendation. You must configure the Advisor alerts to stay updated and fix such issues immediately to avoid any Control or Data plane related problems. For more information, see Investigating and resolving key vault errors. To set an alert for this specific case, use the Recommendation Type as Resolve Azure Key Vault issue for your Application Gateway.",
- "type": "recommendation",
- "guid": "6f9954fb-dff1-4d54-8672-0c1245908dca"
- },
- {
- "waf": "Operations",
- "service": "Azure Application Gateway",
- "text": "Consider SNAT port limitations in your design",
- "description": "SNAT port limitations are important for backend connections on the Application Gateway. There are separate factors that affect how Application Gateway reaches the SNAT port limit. For example, if the backend is a public IP address, it will require its own SNAT port. In order to avoid SNAT port limitations, you can increase the number of instances per Application Gateway, scale out the backends to have more IP addresses, or move your backends into the same virtual network and use private IP addresses for the backends.Requests per second (RPS) on the Application Gateway will be affected if the SNAT port limit is reached. 
For example, if an Application Gateway reaches the SNAT port limit, then it won't be able to open a new connection to the backend, and the request will fail.",
- "type": "recommendation",
- "guid": "ca428415-6120-410f-9a91-c1baeb6c0084"
- },
- {
- "waf": "performance",
- "service": "Azure Application Gateway",
- "text": "Estimate the Application Gateway instance count",
- "description": "",
- "type": "checklist",
- "guid": "261fdf60-ce3b-4abd-8a85-b39ebb208df9"
+ "guid": "a0bfec93-73f3-421d-bce8-f055e8c52d03"
 },
 {
 "waf": "performance",
 "service": "Azure Application Gateway",
- "text": "Define the maximum instance count",
+ "text": "Estimate capacity requirements for Application Gateway to support your workload requirements. Take advantage of the autoscaling functionality in Application Gateway v2. Set appropriate values for the minimum and maximum number of instances. Appropriately size the dedicated subnet that Application Gateway requires. For more information, see Recommendations for capacity planning.",
 "description": "",
 "type": "checklist",
- "guid": "895dcecb-9895-4a39-bafd-4df574353366"
+ "guid": "6c174b42-25c9-48b5-a7f0-66194a921499"
 },
 {
 "waf": "performance",
 "service": "Azure Application Gateway",
- "text": "Define the minimum instance count",
+ "text": "Take advantage of features for autoscaling and performance benefits. The v2 SKU offers autoscaling, which scales up Application Gateway as traffic increases. Compared to the v1 SKU, the v2 SKU has capabilities that enhance the performance of the workload. For example, the v2 SKU has better TLS offload performance, quicker deployment and update times, and zone-redundancy support. 
For more information, see Scaling Application Gateway v2 and WAF v2.",
 "description": "",
 "type": "checklist",
- "guid": "4d24ceaf-6ff5-4b88-96e2-851546c368c1"
- },
- {
- "waf": "performance",
- "service": "Azure Application Gateway",
- "text": "Define Application Gateway subnet size",
- "description": "",
- "type": "checklist",
- "guid": "57675336-826b-4523-b248-bfe3c324c38a"
- },
- {
- "waf": "performance",
- "service": "Azure Application Gateway",
- "text": "Take advantage of Application Gateway V2 features for autoscaling and performance benefits",
- "description": "",
- "type": "checklist",
- "guid": "958240c8-23f1-447d-9cb7-ce9edb5aa606"
- },
- {
- "waf": "Performance",
- "service": "Azure Application Gateway",
- "text": "Define the minimum instance count",
- "description": "For Application Gateway v2 SKU, autoscaling takes some time (approximately six to seven minutes) before the additional set of instances is ready to serve traffic. During that time, if there are short spikes in traffic, expect transient latency or loss of traffic.We recommend that you set your minimum instance count to an optimal level. After you estimate the average instance count and determine your Application Gateway autoscaling trends, define the minimum instance count based on your application patterns. For information, see Application Gateway high traffic support.Check the Current Compute Units for the past one month. This metric represents the gateway's CPU utilization. To define the minimum instance count, divide the peak usage by 10. For example, if your average Current Compute Units in the past month is 50, set the minimum instance count to five.",
- "type": "recommendation",
- "guid": "4d24ceaf-6ff5-4b88-96e2-851546c368c1"
+ "guid": "6d050160-98d5-49dd-9181-c01917b3f19a"
 },
 {
 "waf": "Performance",
 "service": "Azure Application Gateway",
- "text": "Define the maximum instance count",
- "description": "We recommend 125 as the maximum autoscale instance count. 
Make sure the subnet that has the Application Gateway has sufficient available IP addresses to support the scale-up set of instances.Setting the maximum instance count to 125 has no cost implications because you're billed only for the consumed capacity.",
+ "text": "Set the minimum instance count to an optimal level based on you estimated instance count, actual Application Gateway autoscaling trends, and your application patterns. Check the current compute units for the past month. This metric represents the gateway's CPU usage. To define the minimum instance count, divide the peak usage by 10. For example, if your average current compute units in the past month is 50, set the minimum instance count to five.",
+ "description": "For Application Gateway v2, autoscaling takes approximately six to seven minutes before the extra set of instances are ready to serve traffic. During that time, if Application Gateway has short spikes in traffic, expect transient latency or loss of traffic.",
 "type": "recommendation",
- "guid": "895dcecb-9895-4a39-bafd-4df574353366"
+ "guid": "b556535f-178c-4d6f-a2eb-be758dfd24da"
 },
 {
 "waf": "Performance",
 "service": "Azure Application Gateway",
- "text": "Define Application Gateway subnet size",
- "description": "Application Gateway needs a dedicated subnet within a virtual network. The subnet can have multiple instances of the deployed Application Gateway resource. You can also deploy other Application Gateway resources in that subnet, v1 or v2 SKU.Here are some considerations for defining the subnet size:- Application Gateway uses one private IP address per instance and another private IP address if a private front-end IP is configured.- Azure reserves five IP addresses in each subnet for internal use.- Application Gateway (Standard or WAF SKU) can support up to 32 instances. Taking 32 instance IP addresses + 1 private front-end IP + 5 Azure reserved, a minimum subnet size of /26 is recommended. 
Because the Standard_v2 or WAF_v2 SKU can support up to 125 instances, using the same calculation, a subnet size of /24 is recommended.- If you want to deploy additional Application Gateway resources in the same subnet, consider the additional IP addresses that will be required for their maximum instance count for both, Standard and Standard v2.",
+ "text": "Set the maximum autoscale instance count to the maximum possible, which is 125 instances. Make sure that the Application Gateway dedicated subnet has sufficient available IP addresses to support the increased set of instances.",
+ "description": "Application Gateway can scale out as needed to handle increased traffic to your applications. This setting doesn't increase cost because you only pay for the consumed capacity.",
 "type": "recommendation",
- "guid": "57675336-826b-4523-b248-bfe3c324c38a"
+ "guid": "4d433fe8-4f14-4878-b319-c27bb4846a48"
 },
 {
 "waf": "Performance",
 "service": "Azure Application Gateway",
- "text": "Take advantage of features for autoscaling and performance benefits",
- "description": "The v2 SKU offers autoscaling to ensure that your Application Gateway can scale up as traffic increases. When compared to v1 SKU, v2 has capabilities that enhance the performance of the workload. For example, better TLS offload performance, quicker deployment and update times, zone redundancy, and more. For more information about autoscaling features, see Scaling Application Gateway v2 and WAF v2.If you are running v1 SKU Application gateway, consider migrating to the Application gateway v2 SKU. For more information, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.",
+ "text": "Appropriately size the Application Gateway dedicated subnet. We highly recommend a /24 subnet for an Application Gateway v2 deployment. If you want to deploy other Application Gateway resources in the same subnet, consider the extra IP addresses that you require for the maximum instance count. 
For more considerations about sizing the subnet, see Application Gateway infrastructure configuration.",
+ "description": "Use a /24 subnet to provide support for all IP addresses that your Application Gateway v2 deployment needs. Application Gateway uses one private IP address for each instance and another private IP address if you configure a private front-end IP. The Standard_v2 or WAF_v2 SKU can support up to 125 instances. Azure reserves five IP addresses in each subnet for internal use.",
 "type": "recommendation",
- "guid": "508791c8-897f-4490-8590-fc33a9df8f73"
+ "guid": "e3323d47-6019-49e3-bc22-a24bcfa4efba"
 },
 {
 "waf": "reliability",
@@ -5328,31 +5176,31 @@
 "name": "reliability"
 },
 {
- "name": "cost"
+ "name": "Cost"
 },
 {
- "name": "operations"
+ "name": "Operations"
 },
 {
- "name": "Cost"
+ "name": "security"
 },
 {
- "name": "Security"
+ "name": "Performance"
 },
 {
- "name": "security"
+ "name": "Reliability"
 },
 {
- "name": "Reliability"
+ "name": "operations"
 },
 {
- "name": "performance"
+ "name": "Security"
 },
 {
- "name": "Performance"
+ "name": "performance"
 },
 {
- "name": "Operations"
+ "name": "cost"
 }
 ],
 "yesno": [
@@ -5389,6 +5237,6 @@
 "name": "WAF Service Guides",
 "waf": "all",
 "state": "preview",
- "timestamp": "October 13, 2024"
+ "timestamp": "October 20, 2024"
 }
 }
\ No newline at end of file
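Review bot: The category list in the `@@ -5328,31 +5176,31 @@` hunk is only reshuffled — the same nine names, each present once lowercase and once capitalized, come back in a different order — which suggests the list is emitted from an unordered collection, so every regeneration will produce a spurious diff here. Sorting the names when the file is written (for example `{ "name": "cost" }, { "name": "Cost" }, { "name": "operations" }, …`) would make the output stable and keep these hunks out of future commits. The case-duplicated names also look like a latent modelling problem: the items earlier in the file carry `"waf": "operations"` on checklist rows and `"waf": "Operations"` on recommendation rows, so a consumer that compares category names case-sensitively sees two categories per pillar. Either normalizing `waf` to a single spelling at generation time or documenting that both spellings are intentional would remove the ambiguity.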