From a66f0834349269e9b754f1f277e0d7b6ec19bd0f Mon Sep 17 00:00:00 2001
From: Charles J Shea <58995422+cshea-msft@users.noreply.github.com>
Date: Tue, 26 Mar 2024 15:08:44 -0400
Subject: [PATCH 1/6] adding new fw recommendations (#343)
Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com>
---
.../services/networking/firewall/_index.md | 48 +++++++++++++++++++
.../networking/firewall/code/afw-5/afw-5.kql | 1 +
.../networking/firewall/code/afw-6/afw-6.kql | 1 +
3 files changed, 50 insertions(+)
create mode 100644 docs/content/services/networking/firewall/code/afw-5/afw-5.kql
create mode 100644 docs/content/services/networking/firewall/code/afw-6/afw-6.kql
diff --git a/docs/content/services/networking/firewall/_index.md b/docs/content/services/networking/firewall/_index.md
index 2a949d864..81f94c3ee 100644
--- a/docs/content/services/networking/firewall/_index.md
+++ b/docs/content/services/networking/firewall/_index.md
@@ -18,6 +18,7 @@ The presented resiliency recommendations in this guidance include Firewall and a
| [AFW-2 - Monitor Azure Firewall metrics](#afw-2---monitor-azure-firewall-metrics) | Monitoring | Medium | Verified | Yes |
| [AFW-3 - Configure DDoS Protection on the Azure Firewall VNet](#afw-3---configure-ddos-protection-on-the-azure-firewall-vnet) | Access & Security | High | Verified | Yes |
| [AFW-4 - Leverage Azure Policy inheritance model](#afw-4---leverage-azure-policy-inheritance-model) | Governance | Medium | Verified | No |
+
{{< /table >}}
{{< alert style="info" >}}
@@ -129,3 +130,50 @@ Azure Firewall policy allows you to define a rule hierarchy and enforce complian
{{< /collapse >}}
+
+### AFW-5 - Configure 2-4 PIPs for SNAT Port utilization
+
+**Category: Availability**
+
+**Impact: Medium**
+
+**Guidance**
+
+Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall provides SNAT capability for all outbound traffic traffic to public IP addresses. Azure Firewall provides 2,496 SNAT ports per each additional PIP.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall#recommendations)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-5/afw-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AFW-6 - Monitor AZFW Latency Probes metric
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Guidance**
+
+Create the metric to monitor latency probes 20ms over a long period of time ( > 30mins ). When the latency probe is over a long period of time, it means the firewall instance CPUs are stressed and could possible be causing issues.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall#recommendations)
+- [Azure Firewall metrics overview](https://learn.microsoft.com/azure/firewall/metrics)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-6/afw-6.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
diff --git a/docs/content/services/networking/firewall/code/afw-5/afw-5.kql b/docs/content/services/networking/firewall/code/afw-5/afw-5.kql
new file mode 100644
index 000000000..7b5bb5473
--- /dev/null
+++ b/docs/content/services/networking/firewall/code/afw-5/afw-5.kql
@@ -0,0 +1 @@
+// under development
diff --git a/docs/content/services/networking/firewall/code/afw-6/afw-6.kql b/docs/content/services/networking/firewall/code/afw-6/afw-6.kql
new file mode 100644
index 000000000..7b5bb5473
--- /dev/null
+++ b/docs/content/services/networking/firewall/code/afw-6/afw-6.kql
@@ -0,0 +1 @@
+// under development
From b9ebca8fd0fa8ba939253323f47e5676816b1178 Mon Sep 17 00:00:00 2001
From: Tim Aranki
Date: Tue, 26 Mar 2024 16:58:56 -0500
Subject: [PATCH 2/6] Updated AGW Page to remove AGW-7 (#401)
---
.../networking/application-gateway/_index.md | 26 -------------------
1 file changed, 26 deletions(-)
diff --git a/docs/content/services/networking/application-gateway/_index.md b/docs/content/services/networking/application-gateway/_index.md
index 40866b901..b4d151a98 100644
--- a/docs/content/services/networking/application-gateway/_index.md
+++ b/docs/content/services/networking/application-gateway/_index.md
@@ -20,7 +20,6 @@ The presented resiliency recommendations in this guidance include Application Ga
| [AGW-4 - Use Application GW V2 instead of V1](#agw-4---use-application-gw-v2-instead-of-v1) | System Efficiency | High | Preview | Yes |
| [AGW-5 - Monitor and Log the configurations and traffic](#agw-5---monitor-and-log-the-configurations-and-traffic) | Monitoring | Medium | Preview | No |
| [AGW-6 - Use Health Probes to detect backend availability](#agw-6---use-health-probes-to-detect-backend-availability) | Monitoring | Medium | Preview | Yes |
-| [AGW-7 - Deploy backends in a zone-redundant configuration](#agw-7---deploy-backends-in-a-zone-redundant-configuration) | Availability | High | Preview | No |
| [AGW-8 - Plan for backend maintenance by using connection draining](#agw-8---plan-for-backend-maintenance-by-using-connection-draining) | Governance | Medium | Preview | No |
| [AGW-9 - Ensure Application Gateway Subnet is using a /24 subnet mask](#agw-9---ensure-application-gateway-subnet-is-using-a-24-subnet-mask) | Networking | High | Preview | Yes |
@@ -186,31 +185,6 @@ Using custom health probes can help with understand the availability of your bac
-### AGW-7 - Deploy backends in a zone-redundant configuration
-
-**Category: Availability**
-
-**Impact: High**
-
-**Guidance**
-
-Deploying your backend services in a zone-aware configurations ensures that if a specific zone goes down that customers will still have access to the services as the other services located in other zones will still be available.
-
-**Resources**
-
-- [Well-Architected Framework Application Gateway Reliability](https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway#reliability)
-- [Application Gateway V2 Overview](https://learn.microsoft.com/azure/application-gateway/overview-v2)
-
-**Resource Graph Query**
-
-{{< collapse title="Show/Hide Query/Script" >}}
-
-{{< code lang="sql" file="code/agw-7/agw-7.kql" >}} {{< /code >}}
-
-{{< /collapse >}}
-
-
-
### AGW-8 - Plan for backend maintenance by using connection draining
**Category: Governance**
From 326b2bd9f070116eab9b8b81f36393ff923940b0 Mon Sep 17 00:00:00 2001
From: Eric Henry <44706965+ejhenry@users.noreply.github.com>
Date: Tue, 26 Mar 2024 15:29:08 -0700
Subject: [PATCH 3/6] Add recommendation wamn-5 (#395)
Co-authored-by: Eric Henry
Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
---
.../well-architected/5-monitor/_index.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/docs/content/well-architected/5-monitor/_index.md b/docs/content/well-architected/5-monitor/_index.md
index 499684528..032240c04 100644
--- a/docs/content/well-architected/5-monitor/_index.md
+++ b/docs/content/well-architected/5-monitor/_index.md
@@ -21,6 +21,7 @@ Ongoing monitoring is essential for maintaining system reliability. Key performa
| [WAMN-2 - Define a health model based on performance, availability, and recovery targets](#wamn-2---define-a-health-model-based-on-performance-availability-and-recovery-targets) | Monitoring | Low | Verified | No |
| [WAMN-3 - Create Dashboards and Alerts for Azure Platform resources](#wamn-3---create-dashboards-and-alerts-for-azure-platform-resources) | Monitoring | Low | Verified | No |
| [WAMN-4 - Ensure that the right people in your organization will be notified about any future service issues](#wamn-4---ensure-that-the-right-people-in-your-organization-will-be-notified-about-any-future-service-issues) | Monitoring | Medium | Verified | No |
+| [WAMN-5 - Utilize built-in Resilience policies](#wamn-5---utilize-built-in-resilience-policies) | Governance | Medium | Verified | No |
{{< /table >}}
{{< alert style="info" >}}
@@ -120,3 +121,20 @@ Azure offers a suite of experiences to keep you informed about the health of you
- [Create a Service Health alert using the Azure portal](https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal#create-a-service-health-alert-using-the-azure-portal)
+
+### WAMN-5 - Utilize built-in Resilience policies
+
+**Category: Governance**
+
+**Impact: Medium**
+
+**Recommendation/Guidance**
+
+Utilize Azure's built-in Resilience policies to audit and enforce resilient configurations of Azure services. Azure Policy helps to enforce organizational standards and to assess compliance at-scale.
+
+**Resources**
+
+- [Built-in Resilience policy definitions](https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Resilience)
+- [Get policy compliance data](https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data)
+
+
From 2c8a7a07877ebd24317a314730c4bb911d801d4e Mon Sep 17 00:00:00 2001
From: Sean Luce
Date: Tue, 26 Mar 2024 18:43:13 -0400
Subject: [PATCH 4/6] updated Azure NetApp Files recommendations (#308)
Co-authored-by: Sean Luce (NETAPP INC)
Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com>
---
.../storage/azure-netapp-files/_index.md | 183 ++++++++++++++----
.../azure-netapp-files/code/anf-10/anf-10.kql | 1 +
.../azure-netapp-files/code/anf-11/anf-11.kql | 1 +
.../azure-netapp-files/code/anf-12/anf-12.kql | 1 +
.../azure-netapp-files/code/anf-2/anf-2.kql | 2 +-
.../azure-netapp-files/code/anf-3/anf-3.kql | 2 +-
.../azure-netapp-files/code/anf-4/anf-4.kql | 6 +-
.../azure-netapp-files/code/anf-5/anf-5.kql | 11 +-
.../azure-netapp-files/code/anf-6/anf-6.kql | 4 +-
.../azure-netapp-files/code/anf-7/anf-7.kql | 11 +-
.../azure-netapp-files/code/anf-8/anf-8.kql | 2 +-
.../azure-netapp-files/code/anf-9/anf-9.kql | 1 +
12 files changed, 177 insertions(+), 48 deletions(-)
create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql
create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql
create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql
create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql
diff --git a/docs/content/services/storage/azure-netapp-files/_index.md b/docs/content/services/storage/azure-netapp-files/_index.md
index 6e9fc9a4c..443f40120 100644
--- a/docs/content/services/storage/azure-netapp-files/_index.md
+++ b/docs/content/services/storage/azure-netapp-files/_index.md
@@ -1,9 +1,9 @@
+++
title = "Azure NetApp Files"
description = "Best practices and resiliency recommendations for Azure NetApp Files and associated resources and settings."
-date = "8/30/23"
-author = "maheshbenke"
-msAuthor = "maheshbenke"
+date = "3/26/24"
+author = "seanluce"
+msAuthor = "b-sluce"
draft = false
+++
@@ -14,14 +14,18 @@ The presented resiliency recommendations in this guidance include Azure NetApp F
{{< table style="table-striped" >}}
| Recommendation | Category | Impact | State | ARG Query Available |
| :------------------------------------------------ | :---------------------------------------------------------------------: | :------: | :------: | :-----------------: |
-| [ANF-1 - Use the correct service level and volume quota size for the expected performance level](#anf-1---use-the-correct-service-level-and-volume-quota-size-for-the-expected-performance-level) | System Efficiency | High | Preview | No |
+| [ANF-1 - Use the correct service level and volume quota size for the expected performance level](#anf-1---use-the-correct-service-level-and-volume-quota-size-for-the-expected-performance-level) | System Efficiency | Medium | Preview | No |
| [ANF-2 - Use standard network features for production in Azure NetApp Files](#anf-2---use-standard-network-features-for-production-in-azure-netapp-files) | Networking | High | Preview | Yes |
| [ANF-3 - Use availability zones for high availability in Azure NetApp Files](#anf-3---use-availability-zones-for-high-availability-in-azure-netapp-files) | Availability | High | Preview | Yes |
-| [ANF-4 - Use snapshot and backup for in-region data protection in Azure NetApp Files](#anf-4---use-snapshot-and-backup-for-in-region-data-protection-in-azure-netapp-files) | Availability | High | Preview | No |
-| [ANF-5 - Enable Cross-region replication of Azure NetApp Files volumes](#anf-5---enable-cross-region-replication-of-azure-netapp-files-volumes) | Disaster Recovery | High | Preview | Yes |
-| [ANF-6 - Enable Cross-zone replication of Azure NetApp Files volumes](#anf-6---enable-cross-zone-replication-of-azure-netapp-files-volumes) | Availability | High | Preview | Yes |
-| [ANF-7 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance](#anf-7---monitor-azure-netapp-files-metrics-to-better-understand-usage-pattern-and-performance) | Monitoring | Medium | Preview | No |
-| [ANF-8 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files](#anf-8---use-azure-policy-to-enforce-organizational-standards-and-to-assess-compliance-at-scale-in-azure-netapp-files) | Governance | Medium | Preview | No |
+| [ANF-4 - Use snapshots for data protection in Azure NetApp Files](#anf-4---use-snapshots-for-data-protection-in-azure-netapp-files) | Availability | High | Preview | Yes |
+| [ANF-5 - Enable backup for data protection in Azure NetApp Files](#anf-5---enable-backup-for-data-protection-in-azure-netapp-files) | Disaster Recovery | High | Preview | Yes |
+| [ANF-6 - Enable Cross-region replication of Azure NetApp Files volumes](#anf-6---enable-cross-region-replication-of-azure-netapp-files-volumes) | Disaster Recovery | High | Preview | Yes |
+| [ANF-7 - Enable Cross-zone replication of Azure NetApp Files volumes](#anf-7---enable-cross-zone-replication-of-azure-netapp-files-volumes) | Availability | High | Preview | Yes |
+| [ANF-8 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance](#anf-8---monitor-azure-netapp-files-metrics-to-better-understand-usage-pattern-and-performance) | Monitoring | Medium | Preview | No |
+| [ANF-9 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files](#anf-9---use-azure-policy-to-enforce-organizational-standards-and-to-assess-compliance-at-scale-in-azure-netapp-files) | Governance | Medium | Preview | No |
+| [ANF-10 - Restrict default access to Azure NetApp Files volumes](#anf-10---restrict-default-access-to-azure-netapp-files-volumes) | Access & Security | Medium | Preview | No |
+| [ANF-11 - Make use of SMB continuous availability for supported applications](#anf-11---make-use-of-smb-continuous-availability-for-supported-applications) | Application Resilience | Medium | Preview | No |
+| [ANF-12 - Ensure application resilience for service maintenance events](#anf-12---ensure-application-resilience-for-service-maintenance-events) | Application Resilience | Medium | Preview | No |
{{< /table >}}
{{< alert style="info" >}}
@@ -36,7 +40,7 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition
**Category: System Efficiency**
-**Impact: High**
+**Impact: Medium**
**Guidance**
@@ -48,7 +52,7 @@ Service levels are an attribute of a capacity pool. Service levels are defined a
**Resources**
-- [Service levels for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-service-levels)
+- [Service levels for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels)
**Resource Graph Query**
@@ -69,11 +73,10 @@ Service levels are an attribute of a capacity pool. Service levels are defined a
**Guidance**
Standard network feature enables higher IP limits and standard VNet features such as network security groups and user-defined routes on delegated subnets, and additional connectivity patterns.
-Please check the supported regions for standard network feature [here](https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-network-topologies#supported-regions-for-standard-network-feature)
**Resources**
-- [Guidelines for Azure NetApp Files network planning | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-network-topologies)
+- [Guidelines for Azure NetApp Files network planning | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies)
**Resource Graph Query**
@@ -97,7 +100,7 @@ Azure availability zones are physically separate locations within each suppo
**Resources**
-- [Use availability zones for high availability in Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/use-availability-zones)
+- [Use availability zones for high availability in Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/use-availability-zones)
**Resource Graph Query**
@@ -109,7 +112,7 @@ Azure availability zones are physically separate locations within each suppo
-### ANF-4 - Use snapshot and backup for in-region data protection in Azure NetApp Files
+### ANF-4 - Use snapshots for data protection in Azure NetApp Files
**Category: Availability**
@@ -117,13 +120,11 @@ Azure availability zones are physically separate locations within each suppo
**Guidance**
-Azure NetApp Files snapshot technology delivers stability, scalability, and swift recoverability without impacting performance.
-Azure NetApp Files supports a fully managed backup solution for long-term recovery, archive, and compliance. Backups can be restored to new volumes in the same region as the backup. Backups created by Azure NetApp Files are stored in Azure storage, independent of volume snapshots that are available for near-term recovery or cloning.
+Azure NetApp Files snapshot technology delivers stability, scalability, and swift recoverability without impacting performance. Use snapshot policies to automatically create snapshots of your Azure NetApp Files data.
**Resources**
-- [Snapshots](https://learn.microsoft.com/en-us/azure/azure-netapp-files/data-protection-disaster-recovery-options#snapshots)
-- [Backup](https://learn.microsoft.com/en-us/azure/azure-netapp-files/data-protection-disaster-recovery-options#backups)
+- [How Azure NetApp Files snapshots work | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/snapshots-introduction)
**Resource Graph Query**
@@ -135,7 +136,31 @@ Azure NetApp Files supports a fully managed backup solution for long-term recove
-### ANF-5 - Enable Cross-region replication of Azure NetApp Files volumes
+### ANF-5 - Enable backup for data protection in Azure NetApp Files
+
+**Category: Availability**
+
+**Impact: High**
+
+**Guidance**
+
+Azure NetApp Files supports a fully managed backup solution for long-term recovery, archive, and compliance. Backups can be restored to new volumes in the same region as the backup. Backups created by Azure NetApp Files are stored in Azure storage, independent of volume snapshots that are available for near-term recovery or cloning. Use backup policies to create backups of your Azure NetApp Files data automatically.
+
+**Resources**
+
+- [Understand Azure NetApp Files backup | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/backup-introduction)
+
+**Resource Graph Query**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/anf-5/anf-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### ANF-6 - Enable Cross-region replication of Azure NetApp Files volumes
**Category: Disaster Recovery**
@@ -145,21 +170,23 @@ Azure NetApp Files supports a fully managed backup solution for long-term recove
The Azure NetApp Files replication functionality provides data protection through cross-region volume replication. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one region to another Azure NetApp Files volume (destination) in another region. This capability enables you to fail over your critical application if a region-wide outage or disaster happens.
+Note: A volume can be replicated via cross-zone replication (CZR) or cross-region replication (CRR) but not both concurrently.
+
**Resources**
-- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-introduction)
+- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-introduction)
**Resource Graph Query**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/anf-5/anf-5.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/anf-6/anf-6.kql" >}} {{< /code >}}
{{< /collapse >}}
-### ANF-6 - Enable Cross-zone replication of Azure NetApp Files volumes
+### ANF-7 - Enable Cross-zone replication of Azure NetApp Files volumes
**Category: Availability**
@@ -169,21 +196,23 @@ The Azure NetApp Files replication functionality provides data protection throug
The cross-zone replication (CZR) capability provides data protection between volumes in different availability zones. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one availability zone to another Azure NetApp Files volume (destination) in another availability. This capability enables you to fail over your critical application if a zone-wide outage or disaster happens.
+Note: A volume can be replicated via cross-zone replication (CZR) or cross-region replication (CRR) but not both concurrently.
+
**Resources**
-- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-zone-replication-introduction)
+- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/cross-zone-replication-introduction)
**Resource Graph Query**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/anf-6/anf-6.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/anf-7/anf-7.kql" >}} {{< /code >}}
{{< /collapse >}}
-### ANF-7 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance
+### ANF-8 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance
**Category: Monitoring**
@@ -195,19 +224,19 @@ Azure NetApp Files provides metrics on allocated storage, actual storage usage,
**Resources**
-- [Ways to monitor Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/monitor-azure-netapp-files)
+- [Ways to monitor Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/monitor-azure-netapp-files)
**Resource Graph Query**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/anf-7/anf-7.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/anf-8/anf-8.kql" >}} {{< /code >}}
{{< /collapse >}}
-### ANF-8 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files
+### ANF-9 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files
**Category: Governance**
@@ -215,17 +244,105 @@ Azure NetApp Files provides metrics on allocated storage, actual storage usage,
**Guidance**
-Azure NetApp Files supports Azure Policy. You can integrate Azure NetApp Files with Azure Policy through [creating custom policy definitions](https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition). You can find examples in [Enforce Snapshot Policies with Azure Policy](https://anfcommunity.com/2021/08/30/enforce-snapshot-policies-with-azure-policy/) and [Azure Policy now available for Azure NetApp Files](https://anfcommunity.com/2021/04/19/azure-policy-now-available-for-azure-netapp-files/).
+Azure NetApp Files supports Azure policy. You can integrate Azure NetApp Files with Azure policy by using built-in policy definitions or by creating custom policy definitions.
**Resources**
-- [Azure Policy definitions for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-policy-definitions)
+- [Azure Policy definitions for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/azure-policy-definitions)
+- [Creating custom policy definitions | Microsoft Learn](https://learn.microsoft.com/azure/governance/policy/tutorials/create-custom-policy-definition)
-**Resource Graph Query**
+**Resource Graph Query/Scripts**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/anf-8/anf-8.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/anf-9/anf-9.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### ANF-10 - Restrict default access to Azure NetApp Files volumes
+
+**Category: Access & Security**
+
+**Impact: Medium**
+
+**Guidance**
+
+Access to the delegated subnet should be granted to specific Azure Virtual Networks only whenever possible.
+Share permissions on SMB-enabled volumes should be restricted from the default 'Everyone – Full control'.
+Access to NFS-enabled volumes should be restricted by using export policies and/or NFSv4.1 ACLs.
+Mount path change permissions should be further restricted.
+
+
+**Resources**
+
+- [Configure network features for an Azure NetApp Files volume](https://learn.microsoft.com/azure/azure-netapp-files/configure-network-features)
+- [Manage SMB share ACLs in Azure NetApp Files](https://learn.microsoft.com/azure/azure-netapp-files/manage-smb-share-access-control-lists)
+- [Configure export policy for NFS or dual-protocol volumes](https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-configure-export-policy)
+- [Configure access control lists on NFSv4.1 volumes for Azure NetApp Files](https://learn.microsoft.com/azure/azure-netapp-files/configure-access-control-lists)
+- [Configure Unix permissions and change ownership mode for NFS and dual-protocol volumes](https://learn.microsoft.com/azure/azure-netapp-files/configure-unix-permissions-change-ownership-mode)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/anf-10/anf-10.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### ANF-11 - Make use of SMB continuous availability for supported applications
+
+**Category: Application Resilience**
+
+**Impact: Medium**
+
+**Guidance**
+
+Certain SMB-based applications require SMB Transparent Failover. SMB Transparent Failover enables maintenance operations on the Azure NetApp Files service without interrupting connectivity to server applications storing and accessing data on SMB volumes. To support SMB Transparent Failover for specific applications, Azure NetApp Files supports the SMB Continuous Availability shares option.
+
+Consider using the Continuous Availability option for the following SMB-based applications:
+- Citrix App Layering
+- FSLogix user profile containers
+- FSLogix ODFC containers
+- Microsoft SQL Server
+- MSIX app attach
+
+**Resources**
+
+- [Do I need to take special precautions for SMB-based applications? | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#do-i-need-to-take-special-precautions-for-smb-based-applications)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/anf-11/anf-11.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### ANF-12 - Ensure application resilience for service maintenance events
+
+**Category: Application Resilience**
+
+**Impact: Medium**
+
+**Guidance**
+
+Azure NetApp Files might undergo occasional planned maintenance (for example, platform updates, service or software upgrades). As such, ensure that you're aware of the application’s resiliency settings to cope with the storage service maintenance events.
+
+**Resources**
+
+- [What do you recommend for handling potential application disruptions due to storage service maintenance events? | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#what-do-you-recommend-for-handling-potential-application-disruptions-due-to-storage-service-maintenance-events)
+
+**Resource Graph Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/anf-12/anf-12.kql" >}} {{< /code >}}
{{< /collapse >}}
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql b/docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql b/docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql b/docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql b/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql
index 47e9bd63d..906b9091b 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql
@@ -1,4 +1,4 @@
-// This Resource Graph query will return all NetApp Volumes without Network Feature Standard.
+// This Resource Graph query will return all Azure NetApp Files volumes without standard network features.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| where properties.networkFeatures != "Standard"
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql b/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql
index 059fb715e..95f3d2aa9 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql
@@ -1,4 +1,4 @@
-// This Resource Graph query will return all NetApp Volumes without AVzone defined.
+// This Resource Graph query will return all Azure NetApp Files volumes without an availability zone defined.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| where zones == "[]"
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql b/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql
index 614a7f9ca..ec6b55ec6 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql
@@ -1 +1,5 @@
-// under-development
+// This Resource Graph query will return all Azure NetApp Files volumes without a snapshot policy defined.
+resources
+| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes"
+| where properties.dataProtection.snapshot.snapshotPolicyId == ""
+| project recommendationId = "ANF-4", name, id, tags
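Review bot: The `snapshotPolicyId == ""` test on the new `where` line only matches volumes that carry the property with an empty value; a volume whose `dataProtection.snapshot` node is absent yields a null on the dynamic path, and null compared with `""` is not true in Kusto, so those volumes would silently drop out of the report. `| where isempty(tostring(properties.dataProtection.snapshot.snapshotPolicyId))` covers both the absent and the empty shape. The `type ==` comparison also differs from the `=~` that anf-2 and anf-3 use for the same resource type; aligning them avoids a case-sensitivity surprise if the type string is ever not lower-cased. Whether ARG emits the node as absent or as an empty string is worth confirming against a volume with no policy before relying on either form.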
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql b/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql
index e570c5507..536374bd0 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql
@@ -1,10 +1,5 @@
-// This Resource Graph query will return all NetApp Volumes without Cross-Region Replication.
+// This Resource Graph query will return all Azure NetApp Files volumes without a backup policy defined.
resources
-| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
-| extend NetAC0 = tostring(split(name,'/')[0])
-| join kind=leftouter (resources
- | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
- | extend NetAC1 = tostring(split(name,'/')[0])
- | project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid
-| where properties.volumeType != 'DataProtection' and NetAC0 == NetAC1
+| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes"
+| where properties.dataProtection.backup.backupPolicyId == ""
| project recommendationId = "ANF-5", name, id, tags
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql b/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql
index 1b470bde6..d0fe698c0 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql
@@ -1,4 +1,4 @@
-// This Resource Graph query will return all NetApp Volumes without Cross-Zone Replication.
+// This Resource Graph query will return all Azure NetApp Files volumes without cross-region replication.
resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| extend NetAC0 = tostring(split(name,'/')[0])
@@ -6,5 +6,5 @@ resources
| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
| extend NetAC1 = tostring(split(name,'/')[0])
| project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid
-| where properties.volumeType != 'DataProtection' and NetAC0 != NetAC1
+| where properties.volumeType != 'DataProtection' and NetAC0 == NetAC1
| project recommendationId = "ANF-6", name, id, tags
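Review bot: After flipping the comparison to `NetAC0 == NetAC1`, volumes that have no replication partner at all no longer pass the filter: the `kind=leftouter` join leaves `NetAC1` empty for an unmatched source volume, and an empty string never equals `NetAC0`, so the query now lists only volumes whose replication partner lives in the same NetApp account rather than every volume lacking cross-region replication. If the latter is intended, `| where properties.volumeType != 'DataProtection' and (isempty(NetAC1) or NetAC0 == NetAC1)` keeps the unreplicated volumes in the result. The anf-7 hunk uses the same join with `!=`, where unmatched volumes already pass; a comment in both files stating that NetApp-account-name equality is being used as a proxy for same-region (cross-zone) versus cross-region replication would make the two queries easier to keep in sync, since that assumption is the only thing that distinguishes them. The query this hunk belongs to starts above the hunk.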
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql b/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql
index 8f0edb91a..eb50b5c5d 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql
@@ -1 +1,10 @@
-// cannot-be-validated-with-arg. The validation for this recommendation cannot be achieved with an Azure Resource Graph query.
+// This Resource Graph query will return all Azure NetApp Files volumes without cross-zone replication.
+resources
+| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
+| extend NetAC0 = tostring(split(name,'/')[0])
+| join kind=leftouter (resources
+ | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes"
+ | extend NetAC1 = tostring(split(name,'/')[0])
+ | project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid
+| where properties.volumeType != 'DataProtection' and NetAC0 != NetAC1
+| project recommendationId = "ANF-7", name, id, tags
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql b/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql
index 614a7f9ca..fa5cad258 100644
--- a/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql
@@ -1 +1 @@
-// under-development
+// cannot-be-validated-with-arg
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql b/docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql
new file mode 100644
index 000000000..fa5cad258
--- /dev/null
+++ b/docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql
@@ -0,0 +1 @@
+// cannot-be-validated-with-arg
From 13e0577bd1796d0ec737ffd5eae3f12876b18a6b Mon Sep 17 00:00:00 2001
From: Federico Guerrini
Date: Wed, 27 Mar 2024 00:04:30 +0100
Subject: [PATCH 5/6] Updated VPNG1, removed VPNG-3, added VPNG-7 (#377)
Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com>
---
.../services/networking/vpn-gateway/_index.md | 74 ++++++++++---------
.../vpn-gateway/code/vpng-3/vpng-3.kql | 1 -
.../vpn-gateway/code/vpng-7/vpng-7.kql | 14 ++++
3 files changed, 52 insertions(+), 37 deletions(-)
delete mode 100644 docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql
create mode 100644 docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql
diff --git a/docs/content/services/networking/vpn-gateway/_index.md b/docs/content/services/networking/vpn-gateway/_index.md
index ad9128162..7ad016ccc 100644
--- a/docs/content/services/networking/vpn-gateway/_index.md
+++ b/docs/content/services/networking/vpn-gateway/_index.md
@@ -14,14 +14,15 @@ The presented resiliency recommendations in this guidance include VPN Gateway an
The below table shows the list of resiliency recommendations for VPN Gateway and associated resources.
{{< table style="table-striped" >}}
-| Recommendation | Category | Impact | State | ARG Query Available |
+| Recommendation | Category | Impact | State | ARG Query Available |
|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:|
-| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Verified | Yes |
-| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode) | Availability | High | Verified | Yes |
-| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection](#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Verified | No |
-| [VPNG-4 - Plan for geo-redundant VPN Connections](#vpng-4---plan-for-geo-redundant-vpn-connections) | Disaster Recovery | High | Verified | No |
-| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health) | Monitoring | Medium | Verified | No |
-| [VPNG-6 - Enable service health alerts](#vpng-6---enable-service-health-alerts) | Monitoring | Medium | Verified | No |
+| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Preview | Yes |
+| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode) | Availability | High | Preview | Yes |
+| [VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency](#vpng-4---deploy-active-active-vpn-concentrators-on-your-premises-for-maximum-resiliency) | Availability | High | Preview | No | | Availability | Medium | Preview | No |
+| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health) | Monitoring | Medium | Preview | No |
+| [VPNG-6 - Enable service health](#vpng-6---enable-service-health) | Monitoring | Medium | Preview | No |
+| [VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)](#vpng-7---deploy-zone-redundant-vpn-gateways-with-zone-redundant-public-ips) | Availability | Medium | Preview | Yes | | Availability | High | Preview | Yes |
+
{{< /table >}}
{{< alert style="info" >}}
@@ -40,13 +41,13 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition
**Guidance**
-Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two or more availability zones. For information about all Azure SLAs, see [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1).
-To automatically deploy your virtual network gateways across availability zones, use zone-redundant virtual network gateways. The zone-redundant gateways benefits from zone-resiliency to access mission-critical, scalable services on Azure.
+Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two availability zones. To automatically deploy your virtual network gateways across availability zones, you can use zone-redundant virtual network gateways. With zone-redundant gateways, you can benefit from zone-resiliency to access your mission-critical, scalable services on Azure.
**Resources**
- [Zone redundant Virtual network gateway in availability zone](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways)
- [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways#gwskus)
+- [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1).
**Resource Graph Query**
@@ -66,12 +67,13 @@ To automatically deploy your virtual network gateways across availability zones,
**Guidance**
-The active-active mode is available for all SKUs except Basic. You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. When a planned maintenance or unplanned event happens to one gateway instance, the switch over will happen automatically from the affected instance to the active instance.
+The active-active mode is available for all SKUs except Basic.
+Active-active gateways have two Gateway IP configurations and two public IP addresses.
**Resources**
-- [About Active-Active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways)
-- [Configure Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway)
+- [Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway)
+- [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku)
**Resource Graph Query**
@@ -83,57 +85,56 @@ The active-active mode is available for all SKUs except Basic. You can create an
-### VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection
+### VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency
-**Category: Disaster Recovery**
+**Category: Availability**
**Impact: High**
**Guidance**
-Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute
+By deploying active-active VPN concentrators on your premises, along with active-active Azure VPN Gateways, you can maximize resilience and availability by using a fully-meshed topology based on four IPSec tunnels.
**Resources**
-- [Configure a Site-to-Site VPN as a failover path for ExpressRoute](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#configuration-designs)
-- [Limit and limitations](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations)
+- [Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks)
+
**Resource Graph Query**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/vpng-3/vpng-3.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}}
{{< /collapse >}}
-### VPNG-4 - Plan for geo-redundant VPN connections
+### VPNG-5 - Monitor connections and gateway health
-**Category: Disaster Recovery**
+**Category: Monitoring**
-**Impact: High**
+**Impact: Medium**
**Guidance**
-If your gateway is not zone redundant, to plan for disaster recovery, set up Site-to-Site VPN in more than one location. You can create IP Sec connectivity in the same metro or different metro and choose to work with different service providers for diverse paths
+Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available.
**Resources**
-- [Highly available cross-premises](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable)
-- [About VPN gateway redundancy](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#about-vpn-gateway-redundancy)
+- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference)
**Resource Graph Query**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}}
{{< /collapse >}}
-### VPNG-5 - Monitor connections and gateway health
+### VPNG-6 - Enable service health
**Category: Monitoring**
@@ -141,43 +142,44 @@ If your gateway is not zone redundant, to plan for disaster recovery, set up Sit
**Guidance**
-Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available.
+VPN Gateway uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your VPN connectivity.
**Resources**
-- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference)
+- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started)
+- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics)
**Resource Graph Query**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}}
{{< /collapse >}}
-### VPNG-6 - Enable Service Health alerts
+### VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)
-**Category: Monitoring**
+**Category: Availability**
-**Impact: Medium**
+**Impact: High**
**Guidance**
-VPN Gateway uses service health alerts to notify about planned and unplanned maintenance.
+When using zone-redundant SKUs for VPN Gateways (VpnGw*AZ), make sure that you associate your gateway with zone-redundant Standard SKU public IP addresses. If a VPN gateway is associated with zonal Standard SKU public IP addresses, all the gateway instances are deployed in the same zone as the IP address(es). This recommendation applies to both active-passive gateways (which use a single public IP address) and active-active VPN gateways (which use two public IP addresses).
**Resources**
-- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started)
-- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics)
+- [About zone-redundant virtual network gateway in Azure availability zones](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways)
**Resource Graph Query**
{{< collapse title="Show/Hide Query/Script" >}}
-{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}}
+{{< code lang="sql" file="code/vpng-7/vpng-7.kql" >}} {{< /code >}}
{{< /collapse >}}
+
diff --git a/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql b/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql
deleted file mode 100644
index 614a7f9ca..000000000
--- a/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql
+++ /dev/null
@@ -1 +0,0 @@
-// under-development
diff --git a/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql b/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql
new file mode 100644
index 000000000..29a644362
--- /dev/null
+++ b/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql
@@ -0,0 +1,14 @@
+// Azure Resource Graph Query
+// Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs
+resources
+| where type =~ "Microsoft.Network/virtualNetworkGateways"
+| where properties.gatewayType == "Vpn"
+| where properties.sku.tier contains 'AZ'
+| mv-expand ipconfig = properties.ipConfigurations
+| extend pipId = tostring(ipconfig.properties.publicIPAddress.id)
+| join kind=inner (
+ resources
+ | where type == "microsoft.network/publicipaddresses"
+ | where isnull(zones) or array_length(zones) < 3 )
+ on $left.pipId == $right.id
+| project recommendationId = "vpng-7", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat ("PublicIpAddressId: ",id1), param3 = strcat ("PublicIpAddressTags: ",tags1)
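Review bot: The join `on $left.pipId == $right.id` is a case-sensitive string equality, and the public IP reference stored in a gateway's ipConfigurations may not carry the same casing as the `id` Resource Graph returns for the publicipaddresses row, so a zonal PIP can silently drop out of the result; normalising both keys with `| extend pipId = tolower(tostring(ipconfig.properties.publicIPAddress.id))`, `| extend pipKey = tolower(id)` inside the subquery and `on $left.pipId == $right.pipKey` avoids that. `recommendationId = "vpng-7"` is lowercase while the other queries in this series emit uppercase ids such as `"ANF-5"`, so consumers keying on the id will presumably want one convention. `properties.sku.tier contains 'AZ'` is a case-insensitive substring match; `endswith "AZ"` states the intent of selecting the VpnGw*AZ tiers more precisely.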
From 20d4b5d2e45ef4e6ab72f0cd58b9432fa8dfd5e3 Mon Sep 17 00:00:00 2001
From: Eric Henry <44706965+ejhenry@users.noreply.github.com>
Date: Tue, 26 Mar 2024 16:25:23 -0700
Subject: [PATCH 6/6] update firewall summary table (#403)
Co-authored-by: Eric Henry
Co-authored-by: Robert Lightner <49571483+DaFitRobsta@users.noreply.github.com>
---
docs/content/services/networking/firewall/_index.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/content/services/networking/firewall/_index.md b/docs/content/services/networking/firewall/_index.md
index 81f94c3ee..a16019601 100644
--- a/docs/content/services/networking/firewall/_index.md
+++ b/docs/content/services/networking/firewall/_index.md
@@ -18,6 +18,8 @@ The presented resiliency recommendations in this guidance include Firewall and a
| [AFW-2 - Monitor Azure Firewall metrics](#afw-2---monitor-azure-firewall-metrics) | Monitoring | Medium | Verified | Yes |
| [AFW-3 - Configure DDoS Protection on the Azure Firewall VNet](#afw-3---configure-ddos-protection-on-the-azure-firewall-vnet) | Access & Security | High | Verified | Yes |
| [AFW-4 - Leverage Azure Policy inheritance model](#afw-4---leverage-azure-policy-inheritance-model) | Governance | Medium | Verified | No |
+| [AFW-5 - Configure 2-4 PIPs for SNAT Port utilization](#afw-5---configure-2-4-pips-for-snat-port-utilization) | Availability | Medium | Preview | No |
+| [AFW-6 - Monitor AZFW Latency Probes metric](#afw-6---monitor-azfw-latency-probes-metric) | Monitoring | Medium | Preview | No |
{{< /table >}}