Merge branch 'main' into patch-5

docs/content/services/networking/application-gateway/_index.md

@@ -20,7 +20,6 @@ The presented resiliency recommendations in this guidance include Application Ga
 | [AGW-4 - Use Application GW V2 instead of V1](#agw-4---use-application-gw-v2-instead-of-v1)                                                  | System Efficiency |  High  | Preview |         Yes         |
 | [AGW-5 - Monitor and Log the configurations and traffic](#agw-5---monitor-and-log-the-configurations-and-traffic)                            |    Monitoring     | Medium | Preview |         No          |
 | [AGW-6 - Use Health Probes to detect backend availability](#agw-6---use-health-probes-to-detect-backend-availability)                        |    Monitoring     | Medium | Preview |         Yes         |
-| [AGW-7 - Deploy backends in a zone-redundant configuration](#agw-7---deploy-backends-in-a-zone-redundant-configuration)                      |   Availability    |  High  | Preview |         No          |
 | [AGW-8 - Plan for backend maintenance by using connection draining](#agw-8---plan-for-backend-maintenance-by-using-connection-draining)      |    Governance     | Medium | Preview |         No          |
 | [AGW-9 - Ensure Application Gateway Subnet is using a /24 subnet mask](#agw-9---ensure-application-gateway-subnet-is-using-a-24-subnet-mask) |    Networking     |  High  | Preview |         Yes          |
 
@@ -186,31 +185,6 @@ Using custom health probes can help with understand the availability of your bac
 
 <br><br>
 
-### AGW-7 - Deploy backends in a zone-redundant configuration
-
-**Category: Availability**
-
-**Impact: High**
-
-**Guidance**
-
-Deploying your backend services in a zone-aware configurations ensures that if a specific zone goes down that customers will still have access to the services as the other services located in other zones will still be available.
-
-**Resources**
-
-- [Well-Architected Framework Application Gateway Reliability](https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway#reliability)
-- [Application Gateway V2 Overview](https://learn.microsoft.com/azure/application-gateway/overview-v2)
-
-**Resource Graph Query**
-
-{{< collapse title="Show/Hide Query/Script" >}}
-
-{{< code lang="sql" file="code/agw-7/agw-7.kql" >}} {{< /code >}}
-
-{{< /collapse >}}
-
-<br><br>
-
 ### AGW-8 - Plan for backend maintenance by using connection draining
 
 **Category: Governance**

docs/content/services/networking/firewall/_index.md

@@ -18,6 +18,9 @@ The presented resiliency recommendations in this guidance include Firewall and a
 | [AFW-2 - Monitor Azure Firewall metrics](#afw-2---monitor-azure-firewall-metrics) | Monitoring | Medium | Verified | Yes |
 | [AFW-3 - Configure DDoS Protection on the Azure Firewall VNet](#afw-3---configure-ddos-protection-on-the-azure-firewall-vnet) | Access & Security | High | Verified | Yes |
 | [AFW-4 - Leverage Azure Policy inheritance model](#afw-4---leverage-azure-policy-inheritance-model) | Governance | Medium | Verified | No |
+| [AFW-5 - Configure 2-4 PIPs for SNAT Port utilization](#afw-5---configure-2-4-pips-for-snat-port-utilization) | Availability | Medium | Preview | No |
+| [AFW-6 - Monitor AZFW Latency Probes metric](#afw-6---monitor-azfw-latency-probes-metric) | Monitoring | Medium | Preview | No |
+
 {{< /table >}}
 
 {{< alert style="info" >}}
@@ -129,3 +132,50 @@ Azure Firewall policy allows you to define a rule hierarchy and enforce complian
 {{< /collapse >}}
 
 <br><br>
+
+### AFW-5 - Configure 2-4 PIPs for SNAT Port utilization
+
+**Category: Availability**
+
+**Impact: Medium**
+
+**Guidance**
+
+Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall provides SNAT capability for all outbound traffic traffic to public IP addresses. Azure Firewall provides 2,496 SNAT ports per each additional PIP.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall#recommendations)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-5/afw-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### AFW-6 - Monitor AZFW Latency Probes metric
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Guidance**
+
+Create the metric to monitor latency probes 20ms over a long period of time ( > 30mins ). When the latency probe is over a long period of time, it means the firewall instance CPUs are stressed and could possible be causing issues.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall#recommendations)
+- [Azure Firewall metrics overview](https://learn.microsoft.com/azure/firewall/metrics)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-6/afw-6.kql" >}} {{< /code >}}
+
+{{< /collapse >}}

docs/content/services/networking/firewall/code/afw-5/afw-5.kql

@@ -0,0 +1 @@
+// under development

docs/content/services/networking/firewall/code/afw-6/afw-6.kql

@@ -0,0 +1 @@
+// under development

docs/content/services/networking/vpn-gateway/_index.md

@@ -14,14 +14,15 @@ The presented resiliency recommendations in this guidance include VPN Gateway an
 The below table shows the list of resiliency recommendations for VPN Gateway and associated resources.
 
 {{< table style="table-striped" >}}
-| Recommendation | Category | Impact | State | ARG Query Available |
+| Recommendation                                                                                                                                                      |     Category      | Impact |  State  | ARG Query Available |
 |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:|
-| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Verified | Yes |
-| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode) | Availability | High | Verified | Yes |
-| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection](#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Verified | No |
-| [VPNG-4 - Plan for geo-redundant VPN Connections](#vpng-4---plan-for-geo-redundant-vpn-connections) | Disaster Recovery | High | Verified | No |
-| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health) | Monitoring | Medium | Verified | No |
-| [VPNG-6 - Enable service health alerts](#vpng-6---enable-service-health-alerts) | Monitoring | Medium | Verified | No |
+| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway)                                                                               |   Availability    |  High  | Preview |         Yes         |
+| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode)                                                                                       |   Availability    |  High  | Preview |         Yes         |
+| [VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency](#vpng-4---deploy-active-active-vpn-concentrators-on-your-premises-for-maximum-resiliency) | Availability | High | Preview | No |                                                                | Availability |  Medium  | Preview |         No          |
+| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health)                                                                 |    Monitoring     | Medium | Preview |         No          |
+| [VPNG-6 - Enable service health](#vpng-6---enable-service-health)                                                                                                   |    Monitoring     | Medium | Preview |         No          |
+| [VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)](#vpng-7---deploy-zone-redundant-vpn-gateways-with-zone-redundant-public-ips)         | Availability | Medium | Preview | Yes |                                                                                          |    Availability     | High | Preview |         Yes          |
+
 {{< /table >}}
 
 {{< alert style="info" >}}
@@ -40,13 +41,13 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition
 
 **Guidance**
 
-Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two or more availability zones. For information about all Azure SLAs, see [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1).
-To automatically deploy your virtual network gateways across availability zones, use zone-redundant virtual network gateways. The zone-redundant gateways benefits from zone-resiliency to access mission-critical, scalable services on Azure.
+Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two availability zones. To automatically deploy your virtual network gateways across availability zones, you can use zone-redundant virtual network gateways. With zone-redundant gateways, you can benefit from zone-resiliency to access your mission-critical, scalable services on Azure.
 
 **Resources**
 
 - [Zone redundant Virtual network gateway in availability zone](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways)
 - [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways#gwskus)
+- [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1).
 
 **Resource Graph Query**
 
@@ -66,12 +67,13 @@ To automatically deploy your virtual network gateways across availability zones,
 
 **Guidance**
 
-The active-active mode is available for all SKUs except Basic. You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. When a planned maintenance or unplanned event happens to one gateway instance, the switch over will happen automatically from the affected instance to the active instance.
+The active-active mode is available for all SKUs except Basic.
+Active-active gateways have two Gateway IP configurations and two public IP addresses.
 
 **Resources**
 
-- [About Active-Active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways)
-- [Configure Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway)
+- [Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway)
+- [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku)
 
 **Resource Graph Query**
 
@@ -83,101 +85,101 @@ The active-active mode is available for all SKUs except Basic. You can create an
 
 <br><br>
 
-### VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection
+### VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency
 
-**Category: Disaster Recovery**
+**Category: Availability**
 
 **Impact: High**
 
 **Guidance**
 
-Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute
+By deploying active-active VPN concentrators on your premises, along with active-active Azure VPN Gateways, you can maximize resilience and availability by using a fully-meshed topology based on four IPSec tunnels.
 
 **Resources**
 
-- [Configure a Site-to-Site VPN as a failover path for ExpressRoute](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#configuration-designs)
-- [Limit and limitations](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations)
+- [Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks)
+
 
 **Resource Graph Query**
 
 {{< collapse title="Show/Hide Query/Script" >}}
 
-{{< code lang="sql" file="code/vpng-3/vpng-3.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}}
 
 {{< /collapse >}}
 
 <br><br>
 
-### VPNG-4 - Plan for geo-redundant VPN connections
+### VPNG-5 - Monitor connections and gateway health
 
-**Category: Disaster Recovery**
+**Category: Monitoring**
 
-**Impact: High**
+**Impact: Medium**
 
 **Guidance**
 
-If your gateway is not zone redundant, to plan for disaster recovery, set up Site-to-Site VPN in more than one location. You can create IP Sec connectivity in the same metro or different metro and choose to work with different service providers for diverse paths
+Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available.
 
 **Resources**
 
-- [Highly available cross-premises](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable)
-- [About VPN gateway redundancy](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#about-vpn-gateway-redundancy)
+- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference)
 
 **Resource Graph Query**
 
 {{< collapse title="Show/Hide Query/Script" >}}
 
-{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}}
 
 {{< /collapse >}}
 
 <br><br>
 
-### VPNG-5 - Monitor connections and gateway health
+### VPNG-6 - Enable service health
 
 **Category: Monitoring**
 
 **Impact: Medium**
 
 **Guidance**
 
-Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available.
+VPN Gateway uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your VPN connectivity.
 
 **Resources**
 
-- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference)
+- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started)
+- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics)
 
 **Resource Graph Query**
 
 {{< collapse title="Show/Hide Query/Script" >}}
 
-{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}}
 
 {{< /collapse >}}
 
 <br><br>
 
-### VPNG-6 - Enable Service Health alerts
+### VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)
 
-**Category: Monitoring**
+**Category: Availability**
 
-**Impact: Medium**
+**Impact: High**
 
 **Guidance**
 
-VPN Gateway uses service health alerts to notify about planned and unplanned maintenance.
+When using zone-redundant SKUs for VPN Gateways (VpnGw*AZ), make sure that you associate your gateway with zone-redundant Standard SKU public IP addresses. If a VPN gateway is associated with zonal Standard SKU public IP addresses, all the gateway instances are deployed in the same zone as the IP address(es). This recommendation applies to both active-passive gateways (which use a single public IP address) and active-active VPN gateways (which use two public IP addresses).
 
 **Resources**
 
-- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started)
-- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics)
+- [About zone-redundant virtual network gateway in Azure availability zones](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways)
 
 **Resource Graph Query**
 
 {{< collapse title="Show/Hide Query/Script" >}}
 
-{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-7/vpng-7.kql" >}} {{< /code >}}
 
 {{< /collapse >}}
 
 <br><br>
+

docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql

@@ -0,0 +1,14 @@
+// Azure Resource Graph Query
+// Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs
+resources
+| where type =~ "Microsoft.Network/virtualNetworkGateways"
+| where properties.gatewayType == "Vpn"
+| where properties.sku.tier contains 'AZ'
+| mv-expand ipconfig = properties.ipConfigurations
+| extend pipId = tostring(ipconfig.properties.publicIPAddress.id)
+| join kind=inner (
+    resources
+    | where type == "microsoft.network/publicipaddresses"
+    | where isnull(zones) or array_length(zones) < 3   )
+    on $left.pipId == $right.id
+| project recommendationId = "vpng-7", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat ("PublicIpAddressId: ",id1), param3 = strcat ("PublicIpAddressTags: ",tags1)