From b9ebca8fd0fa8ba939253323f47e5676816b1178 Mon Sep 17 00:00:00 2001 From: Tim Aranki Date: Tue, 26 Mar 2024 16:58:56 -0500 Subject: [PATCH 01/10] Updated AGW Page to remove AGW-7 (#401) --- .../networking/application-gateway/_index.md | 26 ------------------- 1 file changed, 26 deletions(-) diff --git a/docs/content/services/networking/application-gateway/_index.md b/docs/content/services/networking/application-gateway/_index.md index 40866b90..b4d151a9 100644 --- a/docs/content/services/networking/application-gateway/_index.md +++ b/docs/content/services/networking/application-gateway/_index.md @@ -20,7 +20,6 @@ The presented resiliency recommendations in this guidance include Application Ga | [AGW-4 - Use Application GW V2 instead of V1](#agw-4---use-application-gw-v2-instead-of-v1) | System Efficiency | High | Preview | Yes | | [AGW-5 - Monitor and Log the configurations and traffic](#agw-5---monitor-and-log-the-configurations-and-traffic) | Monitoring | Medium | Preview | No | | [AGW-6 - Use Health Probes to detect backend availability](#agw-6---use-health-probes-to-detect-backend-availability) | Monitoring | Medium | Preview | Yes | -| [AGW-7 - Deploy backends in a zone-redundant configuration](#agw-7---deploy-backends-in-a-zone-redundant-configuration) | Availability | High | Preview | No | | [AGW-8 - Plan for backend maintenance by using connection draining](#agw-8---plan-for-backend-maintenance-by-using-connection-draining) | Governance | Medium | Preview | No | | [AGW-9 - Ensure Application Gateway Subnet is using a /24 subnet mask](#agw-9---ensure-application-gateway-subnet-is-using-a-24-subnet-mask) | Networking | High | Preview | Yes | @@ -186,31 +185,6 @@ Using custom health probes can help with understand the availability of your bac

-### AGW-7 - Deploy backends in a zone-redundant configuration - -**Category: Availability** - -**Impact: High** - -**Guidance** - -Deploying your backend services in a zone-aware configurations ensures that if a specific zone goes down that customers will still have access to the services as the other services located in other zones will still be available. - -**Resources** - -- [Well-Architected Framework Application Gateway Reliability](https://learn.microsoft.com/azure/well-architected/services/networking/azure-application-gateway#reliability) -- [Application Gateway V2 Overview](https://learn.microsoft.com/azure/application-gateway/overview-v2) - -**Resource Graph Query** - -{{< collapse title="Show/Hide Query/Script" >}} - -{{< code lang="sql" file="code/agw-7/agw-7.kql" >}} {{< /code >}} - -{{< /collapse >}} - -

- ### AGW-8 - Plan for backend maintenance by using connection draining **Category: Governance** From 326b2bd9f070116eab9b8b81f36393ff923940b0 Mon Sep 17 00:00:00 2001 From: Eric Henry <44706965+ejhenry@users.noreply.github.com> Date: Tue, 26 Mar 2024 15:29:08 -0700 Subject: [PATCH 02/10] Add recommendation wamn-5 (#395) Co-authored-by: Eric Henry Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../well-architected/5-monitor/_index.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/content/well-architected/5-monitor/_index.md b/docs/content/well-architected/5-monitor/_index.md index 49968452..032240c0 100644 --- a/docs/content/well-architected/5-monitor/_index.md +++ b/docs/content/well-architected/5-monitor/_index.md @@ -21,6 +21,7 @@ Ongoing monitoring is essential for maintaining system reliability. Key performa | [WAMN-2 - Define a health model based on performance, availability, and recovery targets](#wamn-2---define-a-health-model-based-on-performance-availability-and-recovery-targets) | Monitoring | Low | Verified | No | | [WAMN-3 - Create Dashboards and Alerts for Azure Platform resources](#wamn-3---create-dashboards-and-alerts-for-azure-platform-resources) | Monitoring | Low | Verified | No | | [WAMN-4 - Ensure that the right people in your organization will be notified about any future service issues](#wamn-4---ensure-that-the-right-people-in-your-organization-will-be-notified-about-any-future-service-issues) | Monitoring | Medium | Verified | No | +| [WAMN-5 - Utilize built-in Resilience policies](#wamn-5---utilize-built-in-resilience-policies) | Governance | Medium | Verified | No | {{< /table >}} {{< alert style="info" >}} 
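Review bot: the AGW-7 section removed in the `@@ -186,31 +185,6 @@` hunk still references `code/agw-7/agw-7.kql`, but the diffstat shows only `_index.md` changed (`1 file changed, 26 deletions(-)`), so that query file is left orphaned; delete `docs/content/services/networking/application-gateway/code/agw-7/agw-7.kql` in the same commit. The commit message also gives no reason for dropping a High-impact availability recommendation (zone-redundant backends) and the table now jumps from AGW-6 to AGW-8; keeping the remaining IDs stable is the right call, but a sentence on why AGW-7 was removed would help anyone reading the history.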
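Review bot: the WAMN-5 row added in the `@@ -21,6 +21,7 @@` hunk is the only row on this monitoring page categorised as `Governance`, while WAMN-1 to WAMN-4 are all `Monitoring`; if the category is intentional (the recommendation is about Azure Policy rather than monitoring), say so in the commit message or consider whether it belongs on a governance page, otherwise align it with the other rows.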
@@ -120,3 +121,20 @@ Azure offers a suite of experiences to keep you informed about the health of you - [Create a Service Health alert using the Azure portal](https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal#create-a-service-health-alert-using-the-azure-portal)

+ +### WAMN-5 - Utilize built-in Resilience policies + +**Category: Governance** + +**Impact: Medium** + +**Recommendation/Guidance** + +Utilize Azure's built-in Resilience policies to audit and enforce resilient configurations of Azure services. Azure Policy helps to enforce organizational standards and to assess compliance at-scale. + +**Resources** + +- [Built-in Resilience policy definitions](https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Resilience) +- [Get policy compliance data](https://learn.microsoft.com/azure/governance/policy/how-to/get-compliance-data) + +
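Review bot: the WAMN-5 guidance in the `@@ -120,3 +121,20 @@` hunk says to "audit and enforce" but does not mention that most built-in policy definitions expose an `effect` parameter (typically Audit, Deny or Disabled), and that an Audit assignment only reports non-compliance while Deny blocks the deployment; one sentence recommending an Audit assignment first, reviewed through the compliance data linked under Resources, before switching to Deny would make the guidance actionable. Minor: the heading `**Recommendation/Guidance**` differs from the bare `**Guidance**` heading used in the AGW and ANF pages in this series; pick one for consistency.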

From 2c8a7a07877ebd24317a314730c4bb911d801d4e Mon Sep 17 00:00:00 2001 From: Sean Luce Date: Tue, 26 Mar 2024 18:43:13 -0400 Subject: [PATCH 03/10] updated Azure NetApp Files recommendations (#308) Co-authored-by: Sean Luce (NETAPP INC) Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com> --- .../storage/azure-netapp-files/_index.md | 183 ++++++++++++++---- .../azure-netapp-files/code/anf-10/anf-10.kql | 1 + .../azure-netapp-files/code/anf-11/anf-11.kql | 1 + .../azure-netapp-files/code/anf-12/anf-12.kql | 1 + .../azure-netapp-files/code/anf-2/anf-2.kql | 2 +- .../azure-netapp-files/code/anf-3/anf-3.kql | 2 +- .../azure-netapp-files/code/anf-4/anf-4.kql | 6 +- .../azure-netapp-files/code/anf-5/anf-5.kql | 11 +- .../azure-netapp-files/code/anf-6/anf-6.kql | 4 +- .../azure-netapp-files/code/anf-7/anf-7.kql | 11 +- .../azure-netapp-files/code/anf-8/anf-8.kql | 2 +- .../azure-netapp-files/code/anf-9/anf-9.kql | 1 + 12 files changed, 177 insertions(+), 48 deletions(-) create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql create mode 100644 docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql diff --git a/docs/content/services/storage/azure-netapp-files/_index.md b/docs/content/services/storage/azure-netapp-files/_index.md index 6e9fc9a4..443f4012 100644 --- a/docs/content/services/storage/azure-netapp-files/_index.md +++ b/docs/content/services/storage/azure-netapp-files/_index.md @@ -1,9 +1,9 @@ +++ title = "Azure NetApp Files" description = "Best practices and resiliency recommendations for Azure NetApp Files and associated resources and settings." -date = "8/30/23" -author = "maheshbenke" -msAuthor = "maheshbenke" +date = "3/26/24" +author = "seanluce" +msAuthor = "b-sluce" draft = false +++ 
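Review bot: the frontmatter hunk (`@@ -1,9 +1,9 @@`) replaces `author`/`msAuthor` (`maheshbenke`) with the new contributor rather than adding them; if the page is meant to credit the original author, keep both values. The new `date = "3/26/24"` follows the existing `8/30/23` format, which is fine.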
@@ -14,14 +14,18 @@ The presented resiliency recommendations in this guidance include Azure NetApp F {{< table style="table-striped" >}} | Recommendation | Category | Impact | State | ARG Query Available | | :------------------------------------------------ | :---------------------------------------------------------------------: | :------: | :------: | :-----------------: | -| [ANF-1 - Use the correct service level and volume quota size for the expected performance level](#anf-1---use-the-correct-service-level-and-volume-quota-size-for-the-expected-performance-level) | System Efficiency | High | Preview | No | +| [ANF-1 - Use the correct service level and volume quota size for the expected performance level](#anf-1---use-the-correct-service-level-and-volume-quota-size-for-the-expected-performance-level) | System Efficiency | Medium | Preview | No | | [ANF-2 - Use standard network features for production in Azure NetApp Files](#anf-2---use-standard-network-features-for-production-in-azure-netapp-files) | Networking | High | Preview | Yes | | [ANF-3 - Use availability zones for high availability in Azure NetApp Files](#anf-3---use-availability-zones-for-high-availability-in-azure-netapp-files) | Availability | High | Preview | Yes | -| [ANF-4 - Use snapshot and backup for in-region data protection in Azure NetApp Files](#anf-4---use-snapshot-and-backup-for-in-region-data-protection-in-azure-netapp-files) | Availability | High | Preview | No | -| [ANF-5 - Enable Cross-region replication of Azure NetApp Files volumes](#anf-5---enable-cross-region-replication-of-azure-netapp-files-volumes) | Disaster Recovery | High | Preview | Yes | -| [ANF-6 - Enable Cross-zone replication of Azure NetApp Files volumes](#anf-6---enable-cross-zone-replication-of-azure-netapp-files-volumes) | Availability | High | Preview | Yes | -| [ANF-7 - Monitor Azure NetApp Files metrics to better understand usage pattern and 
performance](#anf-7---monitor-azure-netapp-files-metrics-to-better-understand-usage-pattern-and-performance) | Monitoring | Medium | Preview | No | -| [ANF-8 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files](#anf-8---use-azure-policy-to-enforce-organizational-standards-and-to-assess-compliance-at-scale-in-azure-netapp-files) | Governance | Medium | Preview | No | +| [ANF-4 - Use snapshots for data protection in Azure NetApp Files](#anf-4---use-snapshots-for-data-protection-in-azure-netapp-files) | Availability | High | Preview | Yes | +| [ANF-5 - Enable backup for data protection in Azure NetApp Files](#anf-5---enable-backup-for-data-protection-in-azure-netapp-files) | Disaster Recovery | High | Preview | Yes | +| [ANF-6 - Enable Cross-region replication of Azure NetApp Files volumes](#anf-6---enable-cross-region-replication-of-azure-netapp-files-volumes) | Disaster Recovery | High | Preview | Yes | +| [ANF-7 - Enable Cross-zone replication of Azure NetApp Files volumes](#anf-7---enable-cross-zone-replication-of-azure-netapp-files-volumes) | Availability | High | Preview | Yes | +| [ANF-8 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance](#anf-8---monitor-azure-netapp-files-metrics-to-better-understand-usage-pattern-and-performance) | Monitoring | Medium | Preview | No | +| [ANF-9 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files](#anf-9---use-azure-policy-to-enforce-organizational-standards-and-to-assess-compliance-at-scale-in-azure-netapp-files) | Governance | Medium | Preview | No | +| [ANF-10 - Restrict default access to Azure NetApp Files volumes](#anf-10---restrict-default-access-to-azure-netapp-files-volumes) | Access & Security | Medium | Preview | No | +| [ANF-11 - Make use of SMB continuous availability for supported 
applications](#anf-11---make-use-of-smb-continuous-availability-for-supported-applications) | Application Resilience | Medium | Preview | No | +| [ANF-12 - Ensure application resilience for service maintenance events](#anf-12---ensure-application-resilience-for-service-maintenance-events) | Application Resilience | Medium | Preview | No | {{< /table >}} {{< alert style="info" >}} @@ -36,7 +40,7 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition **Category: System Efficiency** -**Impact: High** +**Impact: Medium** **Guidance** @@ -48,7 +52,7 @@ Service levels are an attribute of a capacity pool. Service levels are defined a **Resources** -- [Service levels for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-service-levels) +- [Service levels for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels) **Resource Graph Query** @@ -69,11 +73,10 @@ Service levels are an attribute of a capacity pool. Service levels are defined a **Guidance** Standard network feature enables higher IP limits and standard VNet features such as network security groups and user-defined routes on delegated subnets, and additional connectivity patterns. -Please check the supported regions for standard network feature [here](https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-network-topologies#supported-regions-for-standard-network-feature) **Resources** -- [Guidelines for Azure NetApp Files network planning | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-network-topologies) +- [Guidelines for Azure NetApp Files network planning | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies) **Resource Graph Query** 
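Review bot: the new ANF-5 row in the `@@ -14,14 +14,18 @@` hunk lists the category as `Disaster Recovery`, but the ANF-5 section added later in this file (`### ANF-5 - Enable backup for data protection in Azure NetApp Files`) says `**Category: Availability**`; make the two agree (the guidance says backups restore to new volumes in the same region, which reads as in-region protection, so the row is probably the one to change). The ANF-1 impact is lowered from High to Medium in both the row and the section, but neither the commit message nor the guidance explains why; a short rationale would help.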
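Review bot: the `@@ -69,11 +73,10 @@` hunk drops the sentence pointing readers to the supported-regions list for standard network features without replacing it; since ANF-2 is a High-impact recommendation that cannot be followed where the feature is unavailable, keep a pointer to the current region list on the network-planning page rather than relying on the reader to find it in the retained link.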
@@ -97,7 +100,7 @@ Azure availability zones are physically separate locations within each suppo **Resources** -- [Use availability zones for high availability in Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/use-availability-zones) +- [Use availability zones for high availability in Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/use-availability-zones) **Resource Graph Query** @@ -109,7 +112,7 @@ Azure availability zones are physically separate locations within each suppo

-### ANF-4 - Use snapshot and backup for in-region data protection in Azure NetApp Files +### ANF-4 - Use snapshots for data protection in Azure NetApp Files **Category: Availability** @@ -117,13 +120,11 @@ Azure availability zones are physically separate locations within each suppo **Guidance** -Azure NetApp Files snapshot technology delivers stability, scalability, and swift recoverability without impacting performance. -Azure NetApp Files supports a fully managed backup solution for long-term recovery, archive, and compliance. Backups can be restored to new volumes in the same region as the backup. Backups created by Azure NetApp Files are stored in Azure storage, independent of volume snapshots that are available for near-term recovery or cloning. +Azure NetApp Files snapshot technology delivers stability, scalability, and swift recoverability without impacting performance. Use snapshot policies to automatically create snapshots of your Azure NetApp Files data. **Resources** -- [Snapshots](https://learn.microsoft.com/en-us/azure/azure-netapp-files/data-protection-disaster-recovery-options#snapshots) -- [Backup](https://learn.microsoft.com/en-us/azure/azure-netapp-files/data-protection-disaster-recovery-options#backups) +- [How Azure NetApp Files snapshots work | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/snapshots-introduction) **Resource Graph Query** @@ -135,7 +136,31 @@ Azure NetApp Files supports a fully managed backup solution for long-term recove

-### ANF-5 - Enable Cross-region replication of Azure NetApp Files volumes +### ANF-5 - Enable backup for data protection in Azure NetApp Files + +**Category: Availability** + +**Impact: High** + +**Guidance** + +Azure NetApp Files supports a fully managed backup solution for long-term recovery, archive, and compliance. Backups can be restored to new volumes in the same region as the backup. Backups created by Azure NetApp Files are stored in Azure storage, independent of volume snapshots that are available for near-term recovery or cloning. Use backup policies to create backups of your Azure NetApp Files data automatically. + +**Resources** + +- [Understand Azure NetApp Files backup | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/backup-introduction) + +**Resource Graph Query** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/anf-5/anf-5.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### ANF-6 - Enable Cross-region replication of Azure NetApp Files volumes **Category: Disaster Recovery** @@ -145,21 +170,23 @@ Azure NetApp Files supports a fully managed backup solution for long-term recove The Azure NetApp Files replication functionality provides data protection through cross-region volume replication. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one region to another Azure NetApp Files volume (destination) in another region. This capability enables you to fail over your critical application if a region-wide outage or disaster happens. +Note: A volume can be replicated via cross-zone replication (CZR) or cross-region replication (CRR) but not both concurrently. + **Resources** -- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-region-replication-introduction) +- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-introduction) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/anf-5/anf-5.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/anf-6/anf-6.kql" >}} {{< /code >}} {{< /collapse >}}

-### ANF-6 - Enable Cross-zone replication of Azure NetApp Files volumes +### ANF-7 - Enable Cross-zone replication of Azure NetApp Files volumes **Category: Availability** @@ -169,21 +196,23 @@ The Azure NetApp Files replication functionality provides data protection throug The cross-zone replication (CZR) capability provides data protection between volumes in different availability zones. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one availability zone to another Azure NetApp Files volume (destination) in another availability. This capability enables you to fail over your critical application if a zone-wide outage or disaster happens. +Note: A volume can be replicated via cross-zone replication (CZR) or cross-region replication (CRR) but not both concurrently. + **Resources** -- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/cross-zone-replication-introduction) +- [Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/cross-zone-replication-introduction) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/anf-6/anf-6.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/anf-7/anf-7.kql" >}} {{< /code >}} {{< /collapse >}}

-### ANF-7 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance +### ANF-8 - Monitor Azure NetApp Files metrics to better understand usage pattern and performance **Category: Monitoring** @@ -195,19 +224,19 @@ Azure NetApp Files provides metrics on allocated storage, actual storage usage, **Resources** -- [Ways to monitor Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/monitor-azure-netapp-files) +- [Ways to monitor Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/monitor-azure-netapp-files) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/anf-7/anf-7.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/anf-8/anf-8.kql" >}} {{< /code >}} {{< /collapse >}}

-### ANF-8 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files +### ANF-9 - Use Azure policy to enforce organizational standards and to assess compliance at-scale in Azure NetApp Files **Category: Governance** @@ -215,17 +244,105 @@ Azure NetApp Files provides metrics on allocated storage, actual storage usage, **Guidance** -Azure NetApp Files supports Azure Policy. You can integrate Azure NetApp Files with Azure Policy through [creating custom policy definitions](https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition). You can find examples in [Enforce Snapshot Policies with Azure Policy](https://anfcommunity.com/2021/08/30/enforce-snapshot-policies-with-azure-policy/) and [Azure Policy now available for Azure NetApp Files](https://anfcommunity.com/2021/04/19/azure-policy-now-available-for-azure-netapp-files/). +Azure NetApp Files supports Azure policy. You can integrate Azure NetApp Files with Azure policy by using built-in policy definitions or by creating custom policy definitions. **Resources** -- [Azure Policy definitions for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-netapp-files/azure-policy-definitions) +- [Azure Policy definitions for Azure NetApp Files | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/azure-policy-definitions) +- [Creating custom policy definitions | Microsoft Learn](https://learn.microsoft.com/azure/governance/policy/tutorials/create-custom-policy-definition) -**Resource Graph Query** +**Resource Graph Query/Scripts** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/anf-8/anf-8.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/anf-9/anf-9.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### ANF-10 - Restrict default access to Azure NetApp Files volumes + +**Category: Access & Security** + +**Impact: Medium** + +**Guidance** + +Access to the delegated subnet should be granted to specific Azure Virtual Networks only whenever possible. +Share permissions on SMB-enabled volumes should be restricted from the default 'Everyone – Full control'. +Access to NFS-enabled volumes should be restricted by using export policies and/or NFSv4.1 ACLs. +Mount path change permissions should be further restricted. + + +**Resources** + +- [Configure network features for an Azure NetApp Files volume](https://learn.microsoft.com/azure/azure-netapp-files/configure-network-features) +- [Manage SMB share ACLs in Azure NetApp Files](https://learn.microsoft.com/azure/azure-netapp-files/manage-smb-share-access-control-lists) +- [Configure export policy for NFS or dual-protocol volumes](https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-configure-export-policy) +- [Configure access control lists on NFSv4.1 volumes for Azure NetApp Files](https://learn.microsoft.com/azure/azure-netapp-files/configure-access-control-lists) +- [Configure Unix permissions and change ownership mode for NFS and dual-protocol volumes](https://learn.microsoft.com/azure/azure-netapp-files/configure-unix-permissions-change-ownership-mode) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/anf-10/anf-10.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### ANF-11 - Make use of SMB continuous availability for supported applications + +**Category: Application Resilience** + +**Impact: Medium** + +**Guidance** + +Certain SMB-based applications require SMB Transparent Failover. SMB Transparent Failover enables maintenance operations on the Azure NetApp Files service without interrupting connectivity to server applications storing and accessing data on SMB volumes. To support SMB Transparent Failover for specific applications, Azure NetApp Files supports the SMB Continuous Availability shares option. + +Consider using the Continuous Availability option for the following SMB-based applications: +- Citrix App Layering +- FSLogix user profile containers +- FSLogix ODFC containers +- Microsoft SQL Server +- MSIX app attach + +**Resources** + +- [Do I need to take special precautions for SMB-based applications? | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#do-i-need-to-take-special-precautions-for-smb-based-applications) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/anf-11/anf-11.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### ANF-12 - Ensure application resilience for service maintenance events + +**Category: Application Resilience** + +**Impact: Medium** + +**Guidance** + +Azure NetApp Files might undergo occasional planned maintenance (for example, platform updates, service or software upgrades). As such, ensure that you're aware of the application’s resiliency settings to cope with the storage service maintenance events. + +**Resources** + +- [What do you recommend for handling potential application disruptions due to storage service maintenance events? | Microsoft Learn](https://learn.microsoft.com/azure/azure-netapp-files/faq-application-resilience#what-do-you-recommend-for-handling-potential-application-disruptions-due-to-storage-service-maintenance-events) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/anf-12/anf-12.kql" >}} {{< /code >}} {{< /collapse >}} diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql b/docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/storage/azure-netapp-files/code/anf-10/anf-10.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql b/docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/storage/azure-netapp-files/code/anf-11/anf-11.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql b/docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/storage/azure-netapp-files/code/anf-12/anf-12.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg 
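Review bot: in the `@@ -145,21 +170,23 @@` hunk the ANF-6 resource link is still titled `Cross-zone replication of Azure NetApp Files volumes | Microsoft Learn` although it points at `cross-region-replication-introduction` and the section is about cross-region replication; since the line is being touched anyway for the URL change, fix the title to "Cross-region replication of Azure NetApp Files volumes".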
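Review bot: the context line in the `@@ -169,21 +196,23 @@` hunk reads "to another Azure NetApp Files volume (destination) in another availability." with the word "zone" missing; as this section is being renumbered to ANF-7 in the same hunk, it is a cheap drive-by fix.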
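Review bot: in the `@@ -215,17 +244,105 @@` hunk the ANF-10 guidance is four separate one-line sentences followed by two blank lines, and the ANF-11 list starts directly after the `applications:` paragraph with no blank line; format the ANF-10 sentences as a bullet list (one item per control: delegated subnet access, SMB share ACLs, NFS export policies and NFSv4.1 ACLs, mount path permissions), drop the extra blank line, and add a blank line before the ANF-11 list so markdownlint does not flag it. The same hunk renames the ANF-9 heading to `**Resource Graph Query/Scripts**` while ANF-1 to ANF-8 keep `**Resource Graph Query**`; every collapse under the new heading only contains a `// cannot-be-validated-with-arg` stub, so either keep the original heading everywhere or state what scripts are meant.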
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql b/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql index 47e9bd63..906b9091 100644 --- a/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql +++ b/docs/content/services/storage/azure-netapp-files/code/anf-2/anf-2.kql @@ -1,4 +1,4 @@ -// This Resource Graph query will return all NetApp Volumes without Network Feature Standard. +// This Resource Graph query will return all Azure NetApp Files volumes without standard network features. resources | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" | where properties.networkFeatures != "Standard" diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql b/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql index 059fb715..95f3d2aa 100644 --- a/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql +++ b/docs/content/services/storage/azure-netapp-files/code/anf-3/anf-3.kql @@ -1,4 +1,4 @@ -// This Resource Graph query will return all NetApp Volumes without AVzone defined. +// This Resource Graph query will return all Azure NetApp Files volumes without an availability zone defined. resources | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" | where zones == "[]" diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql b/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql index 614a7f9c..ec6b55ec 100644 --- a/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql +++ b/docs/content/services/storage/azure-netapp-files/code/anf-4/anf-4.kql 
@@ -1 +1,5 @@ -// under-development +// This Resource Graph query will return all Azure NetApp Files volumes without a snapshot policy defined. +resources +| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes" +| where properties.dataProtection.snapshot.snapshotPolicyId == "" +| project recommendationId = "ANF-4", name, id, tags diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql b/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql index e570c550..536374bd 100644 --- a/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql +++ b/docs/content/services/storage/azure-netapp-files/code/anf-5/anf-5.kql @@ -1,10 +1,5 @@ -// This Resource Graph query will return all NetApp Volumes without Cross-Region Replication. +// This Resource Graph query will return all Azure NetApp Files volumes without a backup policy defined. resources -| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" -| extend NetAC0 = tostring(split(name,'/')[0]) -| join kind=leftouter (resources - | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" - | extend NetAC1 = tostring(split(name,'/')[0]) - | project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid -| where properties.volumeType != 'DataProtection' and NetAC0 == NetAC1 +| where type == "microsoft.netapp/netappaccounts/capacitypools/volumes" +| where properties.dataProtection.backup.backupPolicyId == "" | project recommendationId = "ANF-5", name, id, tags diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql b/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql index 1b470bde..d0fe698c 100644 --- a/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql +++ b/docs/content/services/storage/azure-netapp-files/code/anf-6/anf-6.kql 
@@ -1,4 +1,4 @@ -// This Resource Graph query will return all NetApp Volumes without Cross-Zone Replication. +// This Resource Graph query will return all Azure NetApp Files volumes without cross-region replication. resources | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" | extend NetAC0 = tostring(split(name,'/')[0]) @@ -6,5 +6,5 @@ resources | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" | extend NetAC1 = tostring(split(name,'/')[0]) | project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid -| where properties.volumeType != 'DataProtection' and NetAC0 != NetAC1 +| where properties.volumeType != 'DataProtection' and NetAC0 == NetAC1 | project recommendationId = "ANF-6", name, id, tags diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql b/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql index 8f0edb91..eb50b5c5 100644 --- a/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql +++ b/docs/content/services/storage/azure-netapp-files/code/anf-7/anf-7.kql @@ -1 +1,10 @@ -// cannot-be-validated-with-arg. The validation for this recommendation cannot be achieved with an Azure Resource Graph query. +// This Resource Graph query will return all Azure NetApp Files volumes without cross-zone replication. +resources +| where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" +| extend NetAC0 = tostring(split(name,'/')[0]) +| join kind=leftouter (resources + | where type =~ "microsoft.netapp/netappaccounts/capacitypools/volumes" + | extend NetAC1 = tostring(split(name,'/')[0]) + | project id,NetAC1,remid=tostring(properties.dataProtection.replication.remoteVolumeResourceId)) on $left.id == $right.remid +| where properties.volumeType != 'DataProtection' and NetAC0 != NetAC1 +| project recommendationId = "ANF-7", name, id, tags 
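Review bot: in the anf-4.kql hunk (`@@ -1 +1,5 @@`) the filter `properties.dataProtection.snapshot.snapshotPolicyId == ""` only matches volumes where the property is present and empty; a volume whose `snapshotPolicyId` is absent (null) is not returned, so unprotected volumes can be missed. Use `isempty(tostring(properties.dataProtection.snapshot.snapshotPolicyId))` (true for both null and ""), and use `type =~` like the other queries in this change rather than `type ==`, so the match is case-insensitive.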
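Review bot: the anf-5.kql hunk (`@@ -1,10 +1,5 @@`) has the same null-handling gap: `properties.dataProtection.backup.backupPolicyId == ""` misses volumes where the backup property is absent entirely, which is exactly the case a "no backup policy" check should catch; use `isempty(tostring(properties.dataProtection.backup.backupPolicyId))` and `type =~` here as well.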
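Review bot: the anf-6.kql query, now labelled cross-region in the `@@ -1,4 +1,4 @@` hunk, will not return volumes that have no replication at all: the join is `leftouter`, so for an unreplicated volume `NetAC1` is empty and the `NetAC0 == NetAC1` filter in the `@@ -6,5 +6,5 @@` hunk rejects it; as written it only flags volumes whose replication partner sits in a NetApp account with the same name. If the intent is "without cross-region replication" as the new comment says, change the filter to `(isempty(NetAC1) or NetAC0 == NetAC1)`. The query also infers cross-region versus cross-zone from the account name alone; projecting `location` on both sides of the join and comparing those would be a more direct test.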
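Review bot: anf-7.kql (`@@ -1 +1,10 @@`) is the old cross-zone query with only the comment and `recommendationId` changed, which is correct, but because the page now states that a volume can use CZR or CRR but not both, every CRR volume will appear in this list and every CZR volume in the ANF-6 list; add that to the comment so readers do not treat both lists as action items for the same volume.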
diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql b/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql index 614a7f9c..fa5cad25 100644 --- a/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql +++ b/docs/content/services/storage/azure-netapp-files/code/anf-8/anf-8.kql @@ -1 +1 @@ -// under-development +// cannot-be-validated-with-arg diff --git a/docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql b/docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/storage/azure-netapp-files/code/anf-9/anf-9.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg From 13e0577bd1796d0ec737ffd5eae3f12876b18a6b Mon Sep 17 00:00:00 2001 From: Federico Guerrini Date: Wed, 27 Mar 2024 00:04:30 +0100 Subject: [PATCH 04/10] Updated VPNG1, removed VPNG-3, added VPNG-7 (#377) Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com> --- .../services/networking/vpn-gateway/_index.md | 74 ++++++++++--------- .../vpn-gateway/code/vpng-3/vpng-3.kql | 1 - .../vpn-gateway/code/vpng-7/vpng-7.kql | 14 ++++ 3 files changed, 52 insertions(+), 37 deletions(-) delete mode 100644 docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql create mode 100644 docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql diff --git a/docs/content/services/networking/vpn-gateway/_index.md b/docs/content/services/networking/vpn-gateway/_index.md index ad912816..7ad016cc 100644 --- a/docs/content/services/networking/vpn-gateway/_index.md +++ b/docs/content/services/networking/vpn-gateway/_index.md 
@@ -14,14 +14,15 @@ The presented resiliency recommendations in this guidance include VPN Gateway an The below table shows the list of resiliency recommendations for VPN Gateway and associated resources. {{< table style="table-striped" >}} -| Recommendation | Category | Impact | State | ARG Query Available | +| Recommendation | Category | Impact | State | ARG Query Available | |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:| -| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Verified | Yes | -| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode) | Availability | High | Verified | Yes | -| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection](#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Verified | No | -| [VPNG-4 - Plan for geo-redundant VPN Connections](#vpng-4---plan-for-geo-redundant-vpn-connections) | Disaster Recovery | High | Verified | No | -| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health) | Monitoring | Medium | Verified | No | -| [VPNG-6 - Enable service health alerts](#vpng-6---enable-service-health-alerts) | Monitoring | Medium | Verified | No | +| [VPNG-1 - Choose a Zone-redundant gateway](#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Preview | Yes | +| [VPNG-2 - Plan for Active-Active mode](#vpng-2---plan-for-active-active-mode) | Availability | High | Preview | Yes | +| [VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency](#vpng-4---deploy-active-active-vpn-concentrators-on-your-premises-for-maximum-resiliency) | Availability | High | Preview | No | | Availability | Medium | Preview | No | 
+| [VPNG-5 - Monitor connections and gateway health](#vpng-5---monitor-connections-and-gateway-health) | Monitoring | Medium | Preview | No | +| [VPNG-6 - Enable service health](#vpng-6---enable-service-health) | Monitoring | Medium | Preview | No | +| [VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s)](#vpng-7---deploy-zone-redundant-vpn-gateways-with-zone-redundant-public-ips) | Availability | Medium | Preview | Yes | | Availability | High | Preview | Yes | + {{< /table >}} {{< alert style="info" >}} 
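Review bot: The added VPNG-4 and VPNG-7 rows in this table hunk each carry a second run of cells after the row's closing pipe (`| Availability | Medium | Preview | No |` and `| Availability | High | Preview | Yes |`), which renders as extra, unlabelled columns; trim each row to five cells. Where the two sets disagree, keep the value that matches the section: the VPNG-7 section below states `**Impact: High**`, while the first set of cells on its row says Medium. The VPNG-6 row also drops "alerts" from the title in step with the renamed heading; if the recommendation is still about configuring notifications, as the guidance text says, keep the wording consistent between the table, the heading and the guidance. Finally, every row moves from Verified back to Preview; if that is deliberate for the rewritten entries, say so in the commit message so the state change is not read as accidental.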
@@ -40,13 +41,13 @@ Definitions of states can be found [here]({{< ref "../../../_index.md#definition **Guidance** -Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two or more availability zones. For information about all Azure SLAs, see [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1). -To automatically deploy your virtual network gateways across availability zones, use zone-redundant virtual network gateways. The zone-redundant gateways benefits from zone-resiliency to access mission-critical, scalable services on Azure. +Azure VPN gateway provides different SLAs when it's deployed in a single availability zone and when it's deployed in two availability zones. To automatically deploy your virtual network gateways across availability zones, you can use zone-redundant virtual network gateways. With zone-redundant gateways, you can benefit from zone-resiliency to access your mission-critical, scalable services on Azure. **Resources** - [Zone redundant Virtual network gateway in availability zone](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) - [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways#gwskus) +- [SLA summary for Azure services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1). **Resource Graph Query** 
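Review bot: The rewritten VPNG-1 guidance narrows "two or more availability zones" to "two availability zones"; unless the SLA wording was checked, keep "two or more", since zone-redundant gateways are not limited to exactly two zones and the removed sentence was the more precise one. Also, the new `SLA summary for Azure services` resource entry ends with a period after the link, unlike the other list items in the same block; drop it for consistency.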
@@ -66,12 +67,13 @@ To automatically deploy your virtual network gateways across availability zones, **Guidance** -The active-active mode is available for all SKUs except Basic. You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device. When a planned maintenance or unplanned event happens to one gateway instance, the switch over will happen automatically from the affected instance to the active instance. +The active-active mode is available for all SKUs except Basic. +Active-active gateways have two Gateway IP configurations and two public IP addresses. **Resources** -- [About Active-Active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways) -- [Configure Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway) +- [Active-active VPN gateway](https://learn.microsoft.com/azure/vpn-gateway/active-active-portal#gateway) +- [Gateway SKU](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku) **Resource Graph Query** @@ -83,57 +85,56 @@ The active-active mode is available for all SKUs except Basic. You can create an
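Review bot: The replacement VPNG-2 guidance keeps the SKU restriction and the two-IP-configuration fact but drops the reason the recommendation exists: the removed sentence explained that with both instances holding S2S tunnels to the on-premises device, planned maintenance or an unplanned event on one instance fails over to the other automatically. A reader now sees what active-active is but not why to plan for it; keep a one-line statement of the failover behaviour alongside the new text.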

-### VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection +### VPNG-4 - Deploy active-active VPN concentrators on your premises for maximum resiliency -**Category: Disaster Recovery** +**Category: Availability** **Impact: High** **Guidance** -Having the ability to configure Site-to-Site VPN and ExpressRoute has several advantages. You can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that aren't connected through ExpressRoute +By deploying active-active VPN concentrators on your premises, along with active-active Azure VPN Gateways, you can maximize resilience and availability by using a fully-meshed topology based on four IPSec tunnels. **Resources** -- [Configure a Site-to-Site VPN as a failover path for ExpressRoute](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#configuration-designs) -- [Limit and limitations](https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations) +- [Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-azure-and-on-premises-networks) + **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-3/vpng-3.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}} {{< /collapse >}}

-### VPNG-4 - Plan for geo-redundant VPN connections +### VPNG-5 - Monitor connections and gateway health -**Category: Disaster Recovery** +**Category: Monitoring** -**Impact: High** +**Impact: Medium** **Guidance** -If your gateway is not zone redundant, to plan for disaster recovery, set up Site-to-Site VPN in more than one location. You can create IP Sec connectivity in the same metro or different metro and choose to work with different service providers for diverse paths +Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available. **Resources** -- [Highly available cross-premises](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable) -- [About VPN gateway redundancy](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable#about-vpn-gateway-redundancy) +- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-4/vpng-4.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}} {{< /collapse >}}
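Review bot: This region renames the old VPNG-4 heading ("Plan for geo-redundant VPN connections") to VPNG-5 and replaces its guidance with the former VPNG-5 monitoring text, so the geo-redundant connection recommendation (Site-to-Site VPN in more than one location, with diverse paths or providers for gateways that are not zone redundant) disappears from the page entirely. The commit message lists only VPNG-3 as removed; either state that the old VPNG-4 content was dropped as well and why, or keep it under its own number, since it is a different control from the active-active on-premises concentrator guidance now carried under VPNG-4.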

-### VPNG-5 - Monitor connections and gateway health +### VPNG-6 - Enable service health **Category: Monitoring** @@ -141,43 +142,44 @@ If your gateway is not zone redundant, to plan for disaster recovery, set up Sit **Guidance** -Set up monitoring and alerts for Virtual Network Gateway health based on various metrics available. +VPN Gateway uses service health to notify about planned and unplanned maintenance. Configuring service health will notify you about changes made to your VPN connectivity. **Resources** -- [VPN gateway data reference](https://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference) +- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started) +- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-5/vpng-5.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}} {{< /collapse >}}
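Review bot: The two `+` resource lines under VPNG-6 carry a malformed scheme, `hhttps://`, on both links (inherited from the old VPNG-6 block); correct them to `https://` while the lines are being moved. Separately, a recommendation titled "Enable service health" now links only to Metrics Explorer and the VPN Gateway metrics reference; a link to the Azure Service Health documentation would match the guidance, which is about service health notifications rather than metrics.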

-### VPNG-6 - Enable Service Health alerts +### VPNG-7 - Deploy zone-redundant VPN Gateways with zone-redundant Public IP(s) -**Category: Monitoring** +**Category: Availability** -**Impact: Medium** +**Impact: High** **Guidance** -VPN Gateway uses service health alerts to notify about planned and unplanned maintenance. +When using zone-redundant SKUs for VPN Gateways (VpnGw*AZ), make sure that you associate your gateway with zone-redundant Standard SKU public IP addresses. If a VPN gateway is associated with zonal Standard SKU public IP addresses, all the gateway instances are deployed in the same zone as the IP address(es). This recommendation applies to both active-passive gateways (which use a single public IP address) and active-active VPN gateways (which use two public IP addresses). **Resources** -- [Getting started with Azure Metrics Explorer](hhttps://learn.microsoft.com/azure/azure-monitor/essentials/metrics-getting-started) -- [Monitor VPN gateway](hhttps://learn.microsoft.com/azure/vpn-gateway/monitor-vpn-gateway-reference#metrics) +- [About zone-redundant virtual network gateway in Azure availability zones](https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways) **Resource Graph Query** {{< collapse title="Show/Hide Query/Script" >}} -{{< code lang="sql" file="code/vpng-6/vpng-6.kql" >}} {{< /code >}} +{{< code lang="sql" file="code/vpng-7/vpng-7.kql" >}} {{< /code >}} {{< /collapse >}}

+ diff --git a/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql b/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql deleted file mode 100644 index 614a7f9c..00000000 --- a/docs/content/services/networking/vpn-gateway/code/vpng-3/vpng-3.kql +++ /dev/null @@ -1 +0,0 @@ -// under-development diff --git a/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql b/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql new file mode 100644 index 00000000..29a64436 --- /dev/null +++ b/docs/content/services/networking/vpn-gateway/code/vpng-7/vpng-7.kql @@ -0,0 +1,14 @@ +// Azure Resource Graph Query +// Provides a list of zone-redundant Azure VPN gateways associated with non-zone-redundant Public IPs +resources +| where type =~ "Microsoft.Network/virtualNetworkGateways" +| where properties.gatewayType == "Vpn" +| where properties.sku.tier contains 'AZ' +| mv-expand ipconfig = properties.ipConfigurations +| extend pipId = tostring(ipconfig.properties.publicIPAddress.id) +| join kind=inner ( + resources + | where type == "microsoft.network/publicipaddresses" + | where isnull(zones) or array_length(zones) < 3 ) + on $left.pipId == $right.id +| project recommendationId = "vpng-7", name, id, tags, param1 = strcat("PublicIpAddressName: ", name1), param2 = strcat ("PublicIpAddressId: ",id1), param3 = strcat ("PublicIpAddressTags: ",tags1) From 20d4b5d2e45ef4e6ab72f0cd58b9432fa8dfd5e3 Mon Sep 17 00:00:00 2001 From: Eric Henry <44706965+ejhenry@users.noreply.github.com> Date: Tue, 26 Mar 2024 16:25:23 -0700 Subject: [PATCH 05/10] update firewall summary table (#403) Co-authored-by: Eric Henry Co-authored-by: Robert Lightner <49571483+DaFitRobsta@users.noreply.github.com> --- docs/content/services/networking/firewall/_index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/services/networking/firewall/_index.md b/docs/content/services/networking/firewall/_index.md index 81f94c3e..a1601960 100644 
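Review bot: In the new vpng-7.kql, the join `on $left.pipId == $right.id` is case-sensitive, and the public IP id recorded in the gateway's `ipConfigurations` need not match the casing of the `id` column on the public IP resource (resource-group and provider segments often differ in case); wrap both sides in `tolower()` so a zonal public IP is not silently missed. Two consistency points in the same file: the inner `where type == "microsoft.network/publicipaddresses"` uses `==` where the outer filter uses `=~`, and the output sets `recommendationId = "vpng-7"` in lower case while the other queries in this series use upper case (`"ANF-7"`), which matters if anything matches ids case-sensitively against the summary table. Also, `array_length(zones) < 3` treats any public IP pinned to fewer than three zones as zonal; that is the right test for zone-redundant Standard IPs, but a short comment stating the assumption would help the next reader.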
--- a/docs/content/services/networking/firewall/_index.md +++ b/docs/content/services/networking/firewall/_index.md @@ -18,6 +18,8 @@ The presented resiliency recommendations in this guidance include Firewall and a | [AFW-2 - Monitor Azure Firewall metrics](#afw-2---monitor-azure-firewall-metrics) | Monitoring | Medium | Verified | Yes | | [AFW-3 - Configure DDoS Protection on the Azure Firewall VNet](#afw-3---configure-ddos-protection-on-the-azure-firewall-vnet) | Access & Security | High | Verified | Yes | | [AFW-4 - Leverage Azure Policy inheritance model](#afw-4---leverage-azure-policy-inheritance-model) | Governance | Medium | Verified | No | +| [AFW-5 - Configure 2-4 PIPs for SNAT Port utilization](#afw-5---configure-2-4-pips-for-snat-port-utilization) | Availability | Medium | Preview | No | +| [AFW-6 - Monitor AZFW Latency Probes metric](#afw-6---monitor-azfw-latency-probes-metric) | Monitoring | Medium | Preview | No | {{< /table >}} From 156fc655458cdf64377ee19f0c08afd840fe03bb Mon Sep 17 00:00:00 2001 
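Review bot: The two added rows link to `#afw-5---configure-2-4-pips-for-snat-port-utilization` and `#afw-6---monitor-azfw-latency-probes-metric`, but this patch touches only the summary table (2 insertions); please confirm that AFW-5 and AFW-6 sections with exactly those headings already exist further down in `_index.md`, otherwise the anchors will not resolve. The AFW-6 title also abbreviates Azure Firewall as "AZFW" while the neighbouring rows spell it out; align the row text with the section heading.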
From: moisesjgomez <51566179+moisesjgomez@users.noreply.github.com> Date: Wed, 27 Mar 2024 11:38:15 -0500 Subject: [PATCH 06/10] AVD updates (#373) Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Co-authored-by: swathibhat1 <114373505+swathibhat1@users.noreply.github.com> Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com> Co-authored-by: Zach Trocinski --- .../azure-virtual-desktop/_index.md | 700 ++++++++++++++++-- .../code/avd-11/avd-11.kql | 1 + .../code/avd-12/avd-12.kql | 1 + .../code/avd-13/avd-13.kql | 1 + .../code/avd-14/avd-14.kql | 1 + .../code/avd-15/avd-15.kql | 1 + .../code/avd-16/avd-16.kql | 1 + .../code/avd-17/avd-17.kql | 1 + .../code/avd-18/avd-18.kql | 1 + .../code/avd-19/avd-19.kql | 1 + .../code/avd-2/avd-2.kql | 2 +- .../code/avd-20/avd-20.kql | 1 + .../code/avd-21/avd-21.kql | 1 + .../code/avd-22/avd-22.kql | 1 + .../code/avd-23/avd-23.kql | 1 + .../code/avd-24/avd-24.kql | 1 + .../code/avd-25/avd-25.kql | 1 + .../code/avd-26/avd-26.kql | 1 + .../code/avd-27/avd-27.kql | 1 + .../code/avd-28/avd-28.kql | 1 + .../code/avd-29/avd-29.kql | 1 + .../code/avd-30/avd-30.kql | 1 + .../code/avd-31/avd-31.kql | 1 + .../code/avd-32/avd-32.kql | 1 + .../code/avd-33/avd-33.kql | 1 + .../code/avd-34/avd-34.kql | 1 + .../code/avd-35/avd-35.kql | 1 + .../code/avd-36/avd-36.kql | 1 + .../code/avd-37/avd-37.kql | 1 + .../code/avd-38/avd-38.kql | 1 + .../code/avd-9/avd-9.kql | 2 +- 31 files changed, 680 insertions(+), 52 deletions(-) create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-11/avd-11.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-12/avd-12.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-13/avd-13.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-14/avd-14.kql create mode 100644 
docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-15/avd-15.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-16/avd-16.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-17/avd-17.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-18/avd-18.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-19/avd-19.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-20/avd-20.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-21/avd-21.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-22/avd-22.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-23/avd-23.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-24/avd-24.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-25/avd-25.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-26/avd-26.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-27/avd-27.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-28/avd-28.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-29/avd-29.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-30/avd-30.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-31/avd-31.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-32/avd-32.kql create mode 100644 
docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-33/avd-33.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-34/avd-34.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-35/avd-35.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-36/avd-36.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-37/avd-37.kql create mode 100644 docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-38/avd-38.kql diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md b/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md index 97806037..82c8ea3a 100644 --- a/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/_index.md 
@@ -12,30 +12,56 @@ The presented resiliency recommendations in this guidance include Azure Virtual ## Summary of Recommendations {{< table style="table-striped" >}} -| Recommendation | Category | Impact | State | ARG Query Available | +| Recommendation | Category | Impact | State | ARG Query Available | |:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|:--------:|:-------:|:-------------------:| -| [AVD-1 Use Private link when connecting to File Share or Key Vault](#avd-1---use-private-link-when-connecting-to-file-share-or-key-vault) | Access & Security | Medium | Verified | Yes | -| [AVD-2 Monitor Service Health and Resource Health of AVD](#avd-2---monitor-service-health-and-resource-health-of-avd) | Monitoring | Medium | Verified | No | -| [AVD-3 Deploy Session Hosts in an Availability Zone](#avd-3---deploy-session-hosts-in-an-availability-zone) | Availability | High | Verified | No | -| [AVD-4 Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones](#avd-4---deploy-domain-controllers-and-dns-servers-in-azure-virtual-network-across-availability-zones) | Availability | Medium | Preview | No | -| [AVD-5 Implement RDP Shortpath for Public or Managed Networks](#avd-5---implement-rdp-shortpath-for-public-or-managed-networks) | Networking | Medium | Verified | No | -| [AVD-6 Implement a Multi-Region BCDR Plan](#avd-6---implement-a-multi-region-bcdr-plan) | Disaster Recovery | Medium | Verified | No | -| [AVD-7 Store Golden Image Redundantly for Disaster Recovery](#avd-7---store-golden-image-redundantly-for-disaster-recovery) | Disaster Recovery | Low | Verified | No | -| [AVD-8 Capacity Planning for AVD Resources](#avd-8---capacity-planning-for-avd-resources) | Disaster Recovery | Low | Verified | No | -| [AVD-9 Ensure that FSLogix Storage Account is 
Redundant](#avd-9---ensure-that-fslogix-storage-account-is-redundant) | Availability | High | Verified | No | -| [AVD-10 Enable Azure Backup for FSLogix Storage Account](#avd-10---enable-azure-backup-for-fslogix-storage-account) | Disaster Recovery | Medium | Preview | No | -| [IT-2 - Replicate your Image Templates to a secondary region](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/image-templates/#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Preview | Yes | -| [CG-2 - Zone redundant storage should be used for image versions](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/compute-gallery/#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Preview | Yes | +| [AVD-1 Use Private link when connecting to File Share or Key Vault](#avd-1---use-private-link-when-connecting-to-file-share-or-key-vault) | Access & Security | Medium | Verified | Yes | +| [AVD-2 Monitor Service Health and Resource Health of AVD](#avd-2---monitor-service-health-and-resource-health-of-avd) | Monitoring | High | Verified | Yes | +| [AVD-4 Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones](#avd-4---deploy-domain-controllers-and-dns-servers-in-azure-virtual-network-across-availability-zones) | Availability | Medium | Verified | No | +| [AVD-5 Implement RDP Shortpath for Public or Managed Networks](#avd-5---implement-rdp-shortpath-for-public-or-managed-networks) | Networking | Medium | Verified | No | +| [AVD-6 Implement a Multi-Region BCDR Plan](#avd-6---implement-a-multi-region-bcdr-plan) | Disaster Recovery | Medium | Verified | No | +| [AVD-7 Store Golden Image Redundantly for Disaster Recovery](#avd-7---store-golden-image-redundantly-for-disaster-recovery) | Disaster Recovery | Low | Verified | No | +| [AVD-8 Capacity Planning for AVD Resources](#avd-8---capacity-planning-for-avd-resources) | Disaster Recovery | 
Low | Verified | No | +| [AVD-9 Ensure that FSLogix Storage Account is Redundant](#avd-9---ensure-that-fslogix-storage-account-is-redundant) | Availability | High | Verified | Yes | +| [AVD-10 Enable Azure Backup for FSLogix Storage Account](#avd-10---enable-azure-backup-for-fslogix-storage-account) | Storage | Medium | Verified | No | +| [AVD-11 Scaling plans should be created per region and not scaled across regions](#avd-11---scaling-plans-should-be-created-per-region-and-not-scaled-across-regions) | Disaster Recovery | Medium | Verified | No | +| [AVD-13 Validate that the AVD session hosts can communicate with the AVD control plane and UDP ports are open if UDP is in use](#avd-13---validate-avd-session-host-connectivity-to-the-avd-control-plane-and-udp-ports-open-if-in-use) | Networking | Medium | Verified | No | +| [AVD-14 Ensure Secondary Entra ID connect synchronization server](#avd-14---ensure-secondary-entra-id-connect-synchronization-server) | Access & Security | Low | Verified | No | +| [AVD-15 Deploy paired Domain Controllers in the same region as AVD session hosts](#avd-15---deploy-paired-domain-controllers-in-the-same-region-as-avd-session-hosts) | Disaster Recovery | High | Verified | No | +| [AVD-16 Ensure DNS regions are replicated to avoid single point of failure](#avd-16---ensure-dns-regions-are-replicated-to-avoid-single-point-of-failure) | Networking | Medium | Verified | No | +| [AVD-17 Capacity Planning for AVD Resources](#avd-17---capacity-planning-for-avd-resources) | Disaster Recovery | Low | Verified | No | +| [AVD-18 Create new version of updated image and replace session hosts rather than update host directly](#avd-18---create-updated-image-version-and-replace-session-hosts-rather-than-updating-host-directly) | Governance | Low | Verified | No | +| [AVD-19 Pooled Create a validation pool for testing of planned updates](#avd-19---pooled-create-a-validation-pool-for-testing-of-planned-updates) | Governance | Medium | Verified | No | +| 
[AVD-20 Pooled Configure scheduled agent updates](#avd-20---pooled-configure-scheduled-agent-updates) | System Efficiency | Medium | Verified | No | +| [AVD-21 Personal Create a validation pool for testing of planned updates](#avd-21---personal-create-a-validation-pool-for-testing-of-planned-updates) | Governance | Low | Verified | No | +| [AVD-22 Use Azure Site Recovery or Backups on VMs supporting personal desktops](#avd-22---use-azure-site-recovery-or-backups-on-vms-supporting-personal-desktops) | Disaster Recovery | Medium | Verified | No | +| [AVD-23 Ensure a unique OU when deploying VMs to Domain](#avd-23---ensure-a-unique-ou-when-deploying-vms-to-domain) | Governance | Medium | Verified | No | +| [AVD-24 Ensure the standard FSLogix configuration is deployed](#avd-24---ensure-the-standard-fslogix-configuration-is-deployed) | Storage | Medium | Verified | No | +| [AVD-25 Ensure user permissions are set correctly on SMB shares](#avd-25---ensure-user-permissions-are-set-correctly-on-smb-shares) | Storage | Medium | Verified | No | +| [AVD-26 Configure Diagnostic Settings for FSLogix logs and enable review for accounts](#avd-26---configure-diagnostic-settings-for-fslogix-logs-and-enable-review-for-accounts) | Storage | Medium | Verified | No | +| [AVD-27 Manually update new FSLogix image when available](#avd-27---manually-update-new-fslogix-image-when-available) | Availability | Low | Verified | No | +| [AVD-28 Turn on Continuous Availability for ANF if using App Attach](#avd-28---turn-on-continuous-availability-for-anf-if-using-app-attach) | App Attach Storage | Medium | Verified | No | +| [AVD-29 App attach should be placed in separate file share; Disaster recovery plan should include App attach storage](#avd-29---app-attach-should-be-placed-in-separate-file-share-and-disaster-recovery-plan-should-include-app-attach-storage) | Storage | Medium | Verified | No | +| [AVD-30 Ensure virtual networks have route tables/route server configured for all 
regions](#avd-30---ensure-virtual-networks-have-route-tablesroute-server-configured-for-all-regions) | Networking | Medium | Verified | No | +| [AVD-31 Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR](#avd-31---ensure-virtual-networks-isolation-with-separate-ip-space-and-nsgs-for-prod-and-dr) | Networking | Medium | Verified | No | +| [AVD-33 Ensure route tables accommodate failover](#avd-33---ensure-route-tables-accommodate-failover) | Disaster Recovery | Medium | Verified | No | +| [AVD-34 Ensure Resilient Deployment of Keyvault for AVD Host Pools](#avd-34---provision-secondary-key-vault-for-disaster-recovery) | Disaster Recovery | High | Verified | No | +| [AVD-35 Configure AVD insights Workbook](#avd-35---configure-avd-insights-workbook) | Monitoring | High | Verified | No | +| [AVD-36 Ensure separate log analytics workspaces for Prod and DR](#avd-36---ensure-separate-log-analytics-workspaces-for-prod-and-dr) | Disaster Recovery | Low | Verified | No | +| [AVD-38 Organize AVD resources using the AVD Scale unit model described by the AVD Landing Zone Methodology](#avd-38---organize-avd-resources-using-the-avd-scale-unit-model-described-by-the-avd-landing-zone-methodology) | Governance | Low | Verified | No | +| [IT-2 - Replicate your Image Templates to a secondary region](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/image-templates/#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Preview | Yes | +| [CG-2 - Zone redundant storage should be used for image versions](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/compute-gallery/#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Verified | Yes | | [VM-2 - Deploy VMs across Availability Zones](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-2---deploy-vms-across-availability-zones) | Availability 
| High | Verified | Yes | | [VM-7 - Enable Backups on your VMs](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-7---backup-vms-with-azure-backup-service) | Disaster Recovery | Medium | Verified | Yes | | [VM-8 - Production VMs should be using SSD disks](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-8---production-vms-should-be-using-ssd-disks) | System Efficiency | High | Verified | Yes | -| [ERC-1 - Connect your on-premises network to critical workloads in Azure through two or more ExpressRoute circuits in different peering locations](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-1---connect-your-on-premises-network-to-critical-workloads-in-azure-through-two-or-more-expressroute-circuits-in-different-peering-locations) | Availability | High | Preview | No | -| [ERC-2 - Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-2---ensure-the-two-physical-links-of-your-expressroute-circuit-are-connected-to-two-distinct-edge-devices-in-your-network) | Availability | High | Preview | No | -| [VPNG-1 - Choose a Zone-redundant gateway](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Preview | Yes | -| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting connection](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Preview | No | -| [NSG-4 - Configure NSG Flow 
Logs](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/network-security-group/#nsg-4---configure-nsg-flow-logs) | Monitoring | Medium | Preview | Yes | | [VM-21 - Configure diagnostic settings for all Azure Virtual Machines](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-21---configure-diagnostic-settings-for-all-azure-virtual-machines) | Monitoring | Low | Preview | Yes | -| [VM-25 - Do not create more than 2000 Citrix VDA servers per subscription](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/compute/virtual-machines/#vm-25---do-not-create-more-than-2000-citrix-vda-servers-per-subscription) | Application Resiliency | High | Preview | Yes | +| [ERC-1 - Connect your on-premises network to critical workloads in Azure through two or more ExpressRoute circuits in different peering locations](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-1---connect-your-on-premises-network-to-critical-workloads-in-azure-through-two-or-more-expressroute-circuits-in-different-peering-locations) | Availability | High | Verified | No | +| [ERC-2 - Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/expressroute-circuits/#erc-2---ensure-the-two-physical-links-of-your-expressroute-circuit-are-connected-to-two-distinct-edge-devices-in-your-network) | Availability | High | Verified | No | +| [VPNG-1 - Choose a Zone-redundant gateway](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-1---choose-a-zone-redundant-gateway) | Availability | High | Verified | Yes | +| [VPNG-3 - Plan for Site-to-Site VPN and Azure ExpressRoute coexisting 
connection](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/vpn-gateway/#vpng-3---plan-for-site-to-site-vpn-and-azure-expressroute-coexisting-connection) | Disaster Recovery | High | Verified | No | +| [NSG-4 - Configure NSG Flow Logs](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/networking/network-security-group/#nsg-4---configure-nsg-flow-logs) | Monitoring | Medium | Preview | Yes | +| [ST-1 - Ensure that Storage Account configuration is at least Zone redundant](https://azure.github.io/Azure-Proactive-Resiliency-Library/services/storage/storage-account/#st-1---ensure-that-storage-account-configuration-is-at-least-zone-redundant) | Storage | High | Verified | Yes | +| [WADS-3 - Ensure that all fault-points and fault-modes are understood and operationalized](https://azure.github.io/Azure-Proactive-Resiliency-Library/well-architected/2-design/#wads-3---ensure-that-all-fault-points-and-fault-modes-are-understood-and-operationalized) | Availability | High | Verified | No | +| [WADS-7 - Design a BCDR strategy that will help to meet the business requirements](https://azure.github.io/Azure-Proactive-Resiliency-Library/well-architected/2-design/#wads-7---design-a-bcdr-strategy-that-will-help-to-meet-the-business-requirements) | Disaster Recovery | High | Verified | No | {{< /table >}} @@ -76,7 +102,7 @@ Private Link is available for other Azure services that work in conjunction with **Category: Monitoring** -**Impact: Medium** +**Impact: High** **Guidance** @@ -98,33 +124,6 @@ Use Resource Health to monitor your VMs and storage solutions.

-### AVD-3 - Deploy Session Hosts in an Availability Zone - -**Category: Availability** - -**Impact: High** - -**Guidance** - -Deploy session hosts in an availability zone or an availability set helps protect the environment from outages. - -Enhances reliability by minimizing latency and impacts reliability helping keep the data synchronized and protecting from outages. If one zone experiences an outage, then regional services, capacity, and high availability are supported by the remaining zones. - -**Resources** - -- [Learn More](https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/application-delivery#session-host-settings) -- [Availability Zones](https://learn.microsoft.com/en-us/azure/well-architected/azure-virtual-desktop/application-delivery#session-host-settings) - -**Resource Graph Query** - -{{< collapse title="Show/Hide Query/Script" >}} - -{{< code lang="sql" file="code/avd-3/avd-3.kql" >}} {{< /code >}} - -{{< /collapse >}} - -

- ### AVD-4 - Deploy Domain Controllers and DNS Servers in Azure Virtual Network Across Availability Zones **Category: Availability** @@ -233,7 +232,7 @@ If a full BCDR strategy is not in place, consider using zone-redundant storage t **Guidance** -Monitor and plan for subscription limits. Closely monitor your Azure Virtual Desktop deployments, and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits. +Monitor and plan for subscription limits and API throttling limits. Closely monitor your Azure Virtual Desktop deployments, and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits. Consider scaling across multiple subscriptions if further scaling is required, or work with Azure support to adjust limits based on your business requirements. To handle a large number of users, consider scaling horizontally by creating multiple host pools. @@ -256,7 +255,7 @@ To handle a large number of users, consider scaling horizontally by creating mul **Category: Availability** -**Impact: High** +**Impact: Medium** **Guidance** @@ -286,7 +285,7 @@ Generally, it is recommended to store your data as secure and redundant as possi ### AVD-10 - Enable Azure Backup for FSLogix Storage Account -**Category: Backup/Storage** +**Category: Storage** **Impact: Medium** @@ -308,3 +307,604 @@ It is recommended to enable backup on the FSLogix Storage Account. Ensuring the {{< /collapse >}}

+ +### AVD-11 - Scaling plans should be created per region and not scaled across regions + +**Category: Disaster Recovery** + +**Impact: Medium** + +**Guidance:** +Each region has its own scaling plans assigned to host pools within that region. However, these plans can become inaccessible if there's a regional failure. To mitigate this risk, it's advisable to create a secondary scaling plan in another region. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-scaling-plan?tabs=portal) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-11/avd-11.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-13 - Validate AVD Session Host Connectivity to the AVD Control Plane and UDP Ports open if in use + +**Category: Networking** + +**Impact: Medium** + +**Guidance:** +Ensure that AVD session hosts can effectively communicate with the AVD control plane and that UDP ports are open if UDP is utilized. Validate the connectivity of VMs to the AVD Control Plane and confirm the accessibility of UDP TURN ports. Whitelist global URLs and ensure that UDP/TURN ports are open and accessible to facilitate smooth user connections. Proper connectivity validation guarantees optimal performance and user experience within the AVD environment. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-rdp-shortpath) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-13/avd-13.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-14 - Ensure Secondary Entra ID connect synchronization server + +**Category: Access & Security** + +**Impact: Low** + +**Guidance:** +Hybrid - Entra ID Connect best to run in Azure but can be hosted on-prem. Secondary or more VMs should be setup in staging mode in event of failover. +Set up secondary server in staging mode for Entra Connect for syncing to Entra in case of primary server outage. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-multiple-domains) + +**Resource Graph Query/Scripts** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-14/avd-14.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-15 - Deploy paired Domain Controllers in the same region as AVD session hosts + +**Category: Disaster Recovery** + +**Impact: High** + +**Guidance:** +Ensure each region with session hosts has multiple domain controllers in the same region to support high availability with regards to identity. +For a hybrid scenario, each Azure region with AVD session hosts should have Active Directory Domain Controllers in Azure and use Availability Zones or Availability Sets for resilience within the region. This also mitigates dependency on ER/VPN/Inter-Azure dependencies. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-15/avd-15.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-16 - Ensure DNS regions are replicated to avoid single point of failure + +**Category: Networking** + +**Impact: Medium** + +**Guidance:** +Active Directory Domain Services (AD DS) integrated DNS/other should target Secondary/Tertiary customer DNS across multi-region zones. If using custom DNS, ensure there are redundant DNS servers to avoid a single point of failure. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-16/avd-16.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-17 - Capacity Planning for AVD Resources + +**Category: Disaster Recovery** + +**Impact: Low** + +**Guidance:** +Monitor and plan for subscription limits and API throttling limits. Closely monitor your Azure Virtual Desktop deployments and keep track of resource usage within your subscription. By proactively monitoring capacity, you can identify potential challenges early on, and you can take suitable actions to avoid reaching limits. Consider scaling across multiple subscriptions if further scaling is required, or work with Azure support to adjust limits based on your business requirements. To handle a large number of users, consider scaling horizontally by creating multiple host pools. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop#azure-virtual-desktop-limitations) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-17/avd-17.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-18 - Create updated image version and replace session hosts rather than updating host directly + +**Category: Governance** + +**Impact: Low** + +**Guidance:** +Establish a systematic process for handling image updates within your Azure Virtual Desktop environment. Instead of directly updating individual session hosts, create a new version of the updated image. This process involves creating and configuring a golden image with the necessary updates and configurations. Once the new image is prepared, replace existing session hosts with instances using the updated image. This approach ensures consistency across all session hosts and minimizes the risk of configuration drift. Additionally, it enables quick rollback to a previous image version in case of any issues with the update. Implementing this process helps streamline maintenance activities and ensures that all session hosts are up-to-date with the latest configurations and updates. +has context menu + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/training/modules/create-manage-session-host-image/) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-18/avd-18.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-19 - [Pooled] Create a validation pool for testing of planned updates + +**Category: Governance** + +**Impact: Medium** + +**Guidance:** +At least one Validation Pool to have early warning if a planned update to AVD causes an issue. support to adjust limits based on your business requirements. To handle a large number of users, consider scaling horizontally by creating multiple host pools. +Also check that the host pool has been used regularly to test planned updates. +Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. Validation host pools let you monitor service updates before the service applies them to your standard or non-validation environment. Without a validation host pool, you may not discover changes that introduce errors, which could result in downtime for users in your standard environment. +To ensure your apps work with the latest updates, the validation host pool should be as similar to host pools in your non-validation environment as possible. Users should connect as frequently to the validation host pool as they do to the standard host pool. If you have automated testing on your host pool, you should include automated testing on the validation host pool. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-validation-environment?tabs=azure-portal) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-19/avd-19.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-20 - [Pooled] Configure scheduled agent updates + +**Category: System Efficiency** + +**Impact: Medium** + +**Guidance:** +Ensure schedules have been created to provide maintenance windows for AVD agent updates. +The Scheduled Agent Updates feature lets you create up to two maintenance windows for the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent to get updated so that updates don't happen during peak business hours. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/scheduled-agent-updates) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-20/avd-20.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-21 - [Personal] Create a validation pool for testing of planned updates + +**Category: Governance** + +**Impact: Low** + +**Guidance:** +At least one Validation Pool to have early warning if a planned update to AVD causes an issue. Also check that the host pool has been used regularly to test planned updates. +Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. Validation host pools let you monitor service updates before the service applies them to your standard or non-validation environment. Without a validation host pool, you may not discover changes that introduce errors, which could result in downtime for users in your standard environment. +To ensure your apps work with the latest updates, the validation host pool should be as similar to host pools in your non-validation environment as possible. Users should connect as frequently to the validation host pool as they do to the standard host pool. If you have automated testing on your host pool, you should include automated testing on the validation host pool. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-validation-environment?tabs=azure-portal) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-21/avd-21.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-22 - Use Azure Site Recovery or Backups on VMs supporting personal desktops + +**Category: Disaster Recovery** + +**Impact: Medium** + +**Guidance:** +Leverage Azure Site Recovery (ASR) or implement Azure Backup for personal host pools for seamless failover and failback capabilities, enabling the replication of VMs supporting personal desktops to a secondary Azure region. In the event of a disaster or unexpected outage, this ensures the recovery of these VMs from a known-state. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/scheduled-agent-updates) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-22/avd-22.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-23 - Ensure a unique OU when deploying VMs to Domain + +**Category: Governance** + +**Impact: Medium** + +**Guidance:** +Hybrid VMs should be in a unique OU. +When using AD-joined session hosts will benefit from using a unique OU to target specific AVD configurations per hostpool. Examples include Fslogix, time out limits, session controls, and much more. It’s also important to segment Prod and DR organization units to ensure resources are configured per environment. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm#configure-the-vms-and-install-active-directory-domain-services) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-23/avd-23.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-24 - Ensure the standard FSLogix configuration is deployed + +**Category: Storage** + +**Impact: High** + +**Guidance:** +Ensure all session hosts have the standard FSLogix configuration deployed. Regularly validate settings for consistency and alignment with best practices. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/fslogix/reference-configuration-settings?tabs=profiles) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-24/avd-24.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-25 - Ensure user permissions are set correctly on SMB shares + +**Category: Storage** + +**Impact: High** + +**Guidance:** +Verify user permissions are correctly set on SMB shares so that users have appropriate access to only their own profile and not other user profiles, while administrators have full access at the root volume. Also ensure secondary storage path permissions are set in case of a DR event. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/fslogix/how-to-configure-storage-permissions) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-25/avd-25.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-26 - Configure Diagnostic Settings for FSLogix logs and enable review for accounts + +**Category: Storage** + +**Impact: Medium** + +**Guidance:** +Regularly review FSLogix logs for errors and issues related to login and mounting the profile. Events can be reviewed by looking locally inside the Session Host and also in Log Analytics when the Azure Monitor Agent is used. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/fslogix/troubleshooting-events-logs-diagnostics) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-26/avd-26.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-27 - Manually update new FSLogix image when available + +**Category: Governance** + +**Impact: Low** + +**Guidance:** +Ensure a process is in place to regularly check for FSLogix agent upgrades and maintain FSLogix up to date. We recommend customers upgrade to the latest version of FSLogix as quickly as their deployment process can allow. FSLogix will provide hotfix releases which address current and potential bugs that impact customer deployments. Additionally, it is the first requirement when opening any support case. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/fslogix/how-to-install-fslogix) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-27/avd-27.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-28 - Turn on Continuous Availability for ANF if using App Attach + +**Category: Availability** + +**Impact: Medium** + +**Guidance** + +Turn on Continuous Availability if using Azure Netapp Files. + +Verify the number of users connecting to each file share to make sure the SMB path can handle the number of file connections. Currently, Azure Files supports up to 10k handles per root directory. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-28/avd-28.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-29 - App attach should be placed in separate file share and Disaster recovery plan should include App attach storage + +**Category: Storage** + +**Impact: Medium** + +**Guidance** + +App Attach packages should be on a separate share from profiles. And App Attach files should be backed up. + +Best practice is to separate App Attach VHD files in a separate file share away from user profiles, both for performance and scalability purposes. Requirements can vary greatly depending on how many packaged applications are stored in an image, and you need to test your applications to understand your requirements. + +Your file share should be in the same Azure region as your session hosts. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/app-attach-overview?pivots=msix-app-attach) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-29/avd-29.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-30 - Ensure virtual networks have route tables/route server configured for all regions + +**Category: Networking** + +**Impact: Medium** + +**Guidance** + +For high availability connections back to on-premises datacenters should consider backup paths across the regions that have been utilized. Ensure redundancy in routing by having a secondary route table in the secondary region. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-30/avd-30.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-31 - Ensure virtual networks isolation with separate IP space and NSGs for Prod and DR + +**Category: Networking** + +**Impact: Medium** + +**Guidance** + +NSG and ASG per AVD persona and IP space per Prod/DR regions. + +It's important your organization plans for IP addressing in Azure. Planning ensures the IP address space doesn't overlap across on-premises locations and Azure regions. Overlapping IP address spaces across on-premises and Azure regions create major contention challenges. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-31/avd-31.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-33 - Ensure route tables accommodate failover + +**Category: Disaster Recovery** + +**Impact: Medium** + +**Guidance** + +Ensure Route Tables that force tunnel traffic to FW/NVA have failover considerations evaluated and won't fail or trigger next-gen FW protections. + +AVD workload teams should collaborate with centralized teams that manage the shared infrastructure, like networking, to ensure that both Production and DR workloads have the appropriate route tables in place for failover of routing to perform as expected. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-33/avd-33.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-34 - Provision Secondary Key Vault for Disaster Recovery + +**Category: Disaster Recovery** + +**Impact: High** + +**Guidance:** +To ensure continuous availability and disaster recovery readiness, it is recommended to provision a secondary Key Vault in a secondary region. In the event of a primary region failure, this secondary Key Vault will ensure that critical secrets are accessible for use in deployments in the secondary region. + +**Resources:** + +- [Learn More](https://learn.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-34/avd-34.kql" >}} {{< /code >}} + +{{< /collapse >}} + +### AVD-35 - Configure AVD Insights Workbook + +**Category: Monitoring** + +**Impact: High** + +**Guidance** + +AVD Insights is an Azure Workbook template provided by the AVD product team. It is highly recommended in order to monitor and troubleshoot AVD workloads across metrics, logs, events, and more. Both Production and DR workloads should be enabled with AVD Insights. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/insights?tabs=monitor) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-35/avd-35.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-36 - Ensure separate log analytics workspaces for Prod and DR + +**Category: Disaster Recovery** + +**Impact: Low** + +**Guidance** + +Having separate Log Analytics ensures that your DR environment is fully operational for visibility of the metrics, performance, and other auditing tools your workload teams will rely on in the event of an incident. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-36/avd-36.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

+ +### AVD-38 - Organize AVD resources using the AVD Scale unit model described by the AVD Landing Zone Methodology + +**Category: Governance** + +**Impact: Low** + +**Guidance** + +Follow AVD Landing Zone best practices using multiple resource groups based on resource type and associated shared resources for AVD workloads. + +**Resources** + +- [Learn More](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/enterprise-scale-landing-zone) + +**Resource Graph Query/Scripts:** + +{{< collapse title="Show/Hide Query/Script" >}} + +{{< code lang="sql" file="code/avd-38/avd-38.kql" >}} {{< /code >}} + +{{< /collapse >}} + +

diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-11/avd-11.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-11/avd-11.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-11/avd-11.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-12/avd-12.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-12/avd-12.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-12/avd-12.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-13/avd-13.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-13/avd-13.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-13/avd-13.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-14/avd-14.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-14/avd-14.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-14/avd-14.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-15/avd-15.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-15/avd-15.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-15/avd-15.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg 
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-16/avd-16.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-16/avd-16.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-16/avd-16.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-17/avd-17.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-17/avd-17.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-17/avd-17.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-18/avd-18.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-18/avd-18.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-18/avd-18.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-19/avd-19.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-19/avd-19.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-19/avd-19.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql index 614a7f9c..fa5cad25 100644 --- a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-2/avd-2.kql 
@@ -1 +1 @@ -// under-development +// cannot-be-validated-with-arg diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-20/avd-20.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-20/avd-20.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-20/avd-20.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-21/avd-21.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-21/avd-21.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-21/avd-21.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-22/avd-22.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-22/avd-22.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-22/avd-22.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-23/avd-23.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-23/avd-23.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-23/avd-23.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-24/avd-24.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-24/avd-24.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-24/avd-24.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg 
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-25/avd-25.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-25/avd-25.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-25/avd-25.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-26/avd-26.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-26/avd-26.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-26/avd-26.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-27/avd-27.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-27/avd-27.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-27/avd-27.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-28/avd-28.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-28/avd-28.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-28/avd-28.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-29/avd-29.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-29/avd-29.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-29/avd-29.kql @@ -0,0 +1 @@ +// under-development 
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-30/avd-30.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-30/avd-30.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-30/avd-30.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-31/avd-31.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-31/avd-31.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-31/avd-31.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-32/avd-32.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-32/avd-32.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-32/avd-32.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-33/avd-33.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-33/avd-33.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-33/avd-33.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-34/avd-34.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-34/avd-34.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-34/avd-34.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg 
diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-35/avd-35.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-35/avd-35.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-35/avd-35.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-36/avd-36.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-36/avd-36.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-36/avd-36.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-37/avd-37.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-37/avd-37.kql new file mode 100644 index 00000000..fa5cad25 --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-37/avd-37.kql @@ -0,0 +1 @@ +// cannot-be-validated-with-arg diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-38/avd-38.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-38/avd-38.kql new file mode 100644 index 00000000..614a7f9c --- /dev/null +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-38/avd-38.kql @@ -0,0 +1 @@ +// under-development diff --git a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql index 614a7f9c..fa5cad25 100644 --- a/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql +++ b/docs/content/services/specialized-workloads/azure-virtual-desktop/code/avd-9/avd-9.kql 
@@ -1 +1 @@ -// under-development +// cannot-be-validated-with-arg From 9715bb62d43deec43d5619f288661c9c92e8399d Mon Sep 17 00:00:00 2001 From: Michiel van Schaik Date: Wed, 27 Mar 2024 17:57:47 +0100 Subject: [PATCH 07/10] Updated Image Templates to verified (#392) --- .../services/compute/compute-gallery/_index.md | 16 ++++++++-------- .../services/compute/image-templates/_index.md | 8 ++++---- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/content/services/compute/compute-gallery/_index.md b/docs/content/services/compute/compute-gallery/_index.md index c524f981..78c06c9d 100644 --- a/docs/content/services/compute/compute-gallery/_index.md +++ b/docs/content/services/compute/compute-gallery/_index.md 
@@ -12,11 +12,11 @@ The presented resiliency recommendations in this guidance include Compute Galler ## Summary of Recommendations {{< table style="table-striped" >}} -| Recommendation | Category | Impact | State | ARG Query Available | -|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------:|:------:|:-------:|:-------------------:| -| [CG-1 - A minimum of three replicas should be kept for production image versions](#cg-1---a-minimum-of-three-replicas-should-be-kept-for-production-image-versions) | Availability | Medium | Preview | Yes | -| [CG-2 - Zone redundant storage should be used for image versions](#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Preview | Yes | -| [CG-3 - Consider using hyper-V generation version 2 images where possible](#cg-3---consider-using-hyper-v-generation-version-2-images-where-possible) | Availability | Low | Preview | Yes | +| Recommendation | Category | Impact | State | ARG Query Available | +|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------:|:------:|:--------:|:-------------------:| +| [CG-1 - A minimum of three replicas should be kept for production image versions](#cg-1---a-minimum-of-three-replicas-should-be-kept-for-production-image-versions) | Availability | Medium | Verified | Yes | +| [CG-2 - Zone redundant storage should be used for image versions](#cg-2---zone-redundant-storage-should-be-used-for-image-versions) | Availability | Medium | Verified | Yes | +| [CG-3 - Consider creating TrustedLaunchSupported images where possible](#cg-3---consider-creating-trustedlaunchsupported-images-where-possible) | Availability | Low | Verified | Yes | {{< /table >}} {{< alert style="info" >}} 
@@ -77,15 +77,15 @@ You can also choose the account type for each of the target regions. The default

-### CG-3 - Consider using hyper-V generation version 2 images where possible +### CG-3 - Consider creating TrustedLaunchSupported images where possible -**Category: Availability** +**Category: Access & Security** **Impact: Low** **Guidance** -We recommend that you create a generation 2 virtual machine to take advantage of features like Secure Boot, vTPM, trusted launch VMs, large boot volume. Your choice to create a generation 1 or generation 2 virtual machine depends on which guest operating system you want to install and the boot method you want to use to deploy the virtual machine. You can't change a virtual machine's generation after you've created it. So it is recommended to review the [considerations](https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v#which-guest-operating-systems-are-supported) first. +We recommend that you create a Trusted Launch Supported Images to take advantage of features like Secure Boot, vTPM, trusted launch VMs, large boot volume. Trusted Launch Supported Images are Gen 2 Images by default. You can’t change a virtual machine’s generation after you’ve created it. So it is recommended to review the [considerations](https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v#which-guest-operating-systems-are-supported) first. **Resources** diff --git a/docs/content/services/compute/image-templates/_index.md b/docs/content/services/compute/image-templates/_index.md index ec9a0ac8..6e0b2700 100644 --- a/docs/content/services/compute/image-templates/_index.md +++ b/docs/content/services/compute/image-templates/_index.md 
@@ -12,10 +12,10 @@ The presented resiliency recommendations in this guidance include Image Template ## Summary of Recommendations {{< table style="table-striped" >}} -| Recommendation | Category | Impact | State | ARG Query Available | -|:----------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:-------:|:-------------------:| -| [IT-1 - Use Generation 2 virtual machine source image](#it-1---use-generation-2-virtual-machine-source-image) | Availability | Low | Preview | No | -| [IT-2 - Replicate your Image Templates to a secondary region](#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Preview | Yes | +| Recommendation | Category | Impact | State | ARG Query Available | +|:----------------------------------------------------------------------------------------------------------------------------|:-----------------:|:------:|:--------:|:-------------------:| +| [IT-1 - Use Generation 2 virtual machine source image](#it-1---use-generation-2-virtual-machine-source-image) | Availability | Low | Verified | No | +| [IT-2 - Replicate your Image Templates to a secondary region](#it-2---replicate-your-image-templates-to-a-secondary-region) | Disaster Recovery | Low | Verified | Yes | {{< /table >}} {{< alert style="info" >}} From 7a029ae3f4c5b414cecf84f8b3fd6f67e03372fe Mon Sep 17 00:00:00 2001 From: prasad3017 <67286499+prasad3017@users.noreply.github.com> Date: Wed, 27 Mar 2024 11:09:40 -0600 Subject: [PATCH 08/10] VMSS 9 status and resources added Update _index.md (#397) Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com> --- .../services/compute/virtual-machine-scale-sets/_index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/services/compute/virtual-machine-scale-sets/_index.md b/docs/content/services/compute/virtual-machine-scale-sets/_index.md index 6952f336..f53f9993 100644 
--- a/docs/content/services/compute/virtual-machine-scale-sets/_index.md +++ b/docs/content/services/compute/virtual-machine-scale-sets/_index.md @@ -22,7 +22,7 @@ The presented resiliency recommendations in this guidance include Virtual Machin | [VMSS-6 - Disable Force strictly even balance across zones to avoid scale in and out fail attempts](#vmss-6---disable-force-strictly-even-balance-across-zones-to-avoid-scale-in-and-out-fail-attempts) | Availability | High | Verified | Yes | | [VMSS-7 - Configure Allocation Policy Spreading algorithm to Max Spreading](#vmss-7---configure-allocation-policy-spreading-algorithm-to-max-spreading) | System Efficiency | Medium | Preview | Yes | | [VMSS-8 - Deploy VMSS across availability zones with VMSS Flex](#vmss-8---deploy-vmss-across-availability-zones-with-vmss-flex) | Availability | High | Verified | Yes | -| [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated) | Automation | Low | Preview | Yes | +| [VMSS-9 - Set Patch orchestration options to Azure-orchestrated](#vmss-9---set-patch-orchestration-options-to-azure-orchestrated) | Automation | Low | Verified | Yes | | [VMSS-10 - Upgrade VMSS Image versions scheduled to be deprecated or already retired](#vmss-10---upgrade-vmss-image-versions-scheduled-to-be-deprecated-or-already-retired) | Governance | High | Preview | Yes | | [VMSS-11 - Production VMSS instances should be using SSD disks](#vmss-11---production-vmss-instances-should-be-using-ssd-disks) | System Efficiency | High | Verified | Yes | @@ -254,6 +254,7 @@ Enabling automatic VM guest patching for your Azure VMs helps ease update manage **Resources** - [Automatic VM Guest Patching for Azure VMs](https://learn.microsoft.com/azure/virtual-machines/automatic-vm-guest-patching) +- [Auto OS Image Upgrades](https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade) **Resource Graph Query** 
From 3dcab95a84439b1c54afc95430660f2782e0ed1a Mon Sep 17 00:00:00 2001 From: Penny Ko Date: Wed, 27 Mar 2024 10:10:24 -0700 Subject: [PATCH 09/10] Azure Backup APRL verified by PM Nikhil Sarode (#398) --- docs/content/services/migration/azure-backup/_index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/services/migration/azure-backup/_index.md b/docs/content/services/migration/azure-backup/_index.md index 08e6a0aa..c7f2a645 100644 --- a/docs/content/services/migration/azure-backup/_index.md +++ b/docs/content/services/migration/azure-backup/_index.md @@ -15,7 +15,7 @@ The presented resiliency recommendations in this guidance include Backup and ass | Recommendation | Category | Impact | State | ARG Query Available | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------:|--------|:--------:|:-------------------:| -| [BK-1 - Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults](#bk-1---migrate-from-classic-alerts-to-built-in-azure-monitor-alerts-for-azure-recovery-services-vaults) | Monitoring | Medium | Preview | Yes | +| [BK-1 - Migrate from classic alerts to built-in Azure Monitor alerts for Azure Recovery Services Vaults](#bk-1---migrate-from-classic-alerts-to-built-in-azure-monitor-alerts-for-azure-recovery-services-vaults) | Monitoring | Medium | Verified | Yes | | [BK-2 - Opt-in to Cross Region Restore for all Geo-Redundant Storage (GRS) Azure Recovery Services vaults](#bk-2---opt-in-to-cross-region-restore-for-all-geo-redundant-storage-grs-azure-recovery-services-vaults) | Disaster Recovery | Medium | Verified | Yes | {{< /table >}} 
@@ -46,8 +46,8 @@ Using Azure Monitor Alerts you can: **Resources** -- [Move to Azure monitor Alerts](https://learn.microsoft.com/en-us/azure/backup/move-to-azure-monitor-alerts) -- [Classic alerts retirement announcement](https://azure.microsoft.com/en-us/updates/transition-to-builtin-azure-monitor-alerts-for-recovery-services-vaults-in-azure-backup-by-31-march-2026/) +- [Move to Azure monitor Alerts](https://learn.microsoft.com/azure/backup/move-to-azure-monitor-alerts) +- [Classic alerts retirement announcement](https://azure.microsoft.com/updates/transition-to-builtin-azure-monitor-alerts-for-recovery-services-vaults-in-azure-backup-by-31-march-2026/) **Resource Graph Query** @@ -72,7 +72,7 @@ Cross Region Restore allows you to restore Azure VMs in a secondary region, whic - [Set Cross Region Restore](https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-cross-region-restore) - [Azure Backup Best Practices](https://learn.microsoft.com/azure/backup/guidance-best-practices) - [Minimum Role Requirements for Cross Region Restore](https://learn.microsoft.com/azure/backup/backup-rbac-rs-vault#minimum-role-requirements-for-azure-vm-backup) -- [Recovery Services Vault](https://azure.microsoft.com/documentation/articles/backup-azure-arm-vms-prepare/) +- [Recovery Services Vault](https://learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare) **Resource Graph Query** From 0668a8bad11ae38360757ee4ff190b577c97f784 Mon Sep 17 00:00:00 2001 From: Penny Ko Date: Wed, 27 Mar 2024 10:11:08 -0700 Subject: [PATCH 10/10] Update asr-1.kql as cannot be validated (#399) --- .../content/services/compute/site-recovery/code/asr-1/asr-1.kql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql b/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql index 614a7f9c..fa5cad25 100644 --- a/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql 
+++ b/docs/content/services/compute/site-recovery/code/asr-1/asr-1.kql @@ -1 +1 @@ -// under-development +// cannot-be-validated-with-arg
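Review bot: the AVD stub hunks flip avd-2.kql and avd-9.kql from `// under-development` to `// cannot-be-validated-with-arg` and create avd-24, avd-25, avd-34, avd-35, avd-36 and avd-37 with that marker, but no AVD `_index.md` change accompanies them here. The summary tables elsewhere in this series carry an "ARG Query Available" column, so confirm the AVD page says No for those six recommendations and Yes only where a real query exists; the identical blob ids (614a7f9c for under-development, fa5cad25 for cannot-be-validated-with-arg) at least confirm the two marker strings are consistent across all files. If the page includes each .kql under its "Resource Graph Query" heading, a reader who expands that block sees only the one-line comment, so consider suppressing the block for cannot-be-validated entries.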
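Review bot: the CG-3 category disagrees between the two hunks of compute-gallery/_index.md: the summary table row still reads `| Availability | Low | Verified | Yes |` while the section header becomes `**Category: Access & Security**`. Access & Security matches the new Secure Boot / vTPM rationale, so update the table cell to match. In the guidance text, `create a Trusted Launch Supported Images` needs either the article dropped or `Images` made singular, and the replacement line swaps the straight apostrophes of the removed line (`can't`, `you've`) for curly ones (`can’t`, `you’ve`). The stat lists only the two `_index.md` files, so cg-3.kql is unchanged even though the table still advertises an ARG query: verify the query selects on the TrustedLaunchSupported criterion rather than the old Hyper-V generation check, and consider whether the "considerations" link, which still targets the Hyper-V generation 1 vs 2 page, remains the right reference for the renamed recommendation.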
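Review bot: the new VMSS-9 resource `https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade` carries an `en-us` locale segment; the existing entry directly above it and the azure-backup hunks later in this series use the locale-free `learn.microsoft.com/azure/...` form, so drop the segment here for consistency. The title "Auto OS Image Upgrades" also names a different mechanism from the automatic guest patching that VMSS-9 (Set Patch orchestration options to Azure-orchestrated) is about; a short qualifier in the link title, or moving it to the recommendation that covers image upgrades, keeps the Resources list on topic.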
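Review bot: in the azure-backup summary-table hunk the separator row (the context line beginning `:------`) is missing its leading `|`, and the Impact column uses `--------` without the `:` alignment marker the other columns carry; this is pre-existing, but the hunk already touches this table, so it is a cheap drive-by fix. In the BK-2 resources hunk the Recovery Services Vault link moves from `azure.microsoft.com/documentation/articles/backup-azure-arm-vms-prepare/` to `learn.microsoft.com/azure/backup/backup-azure-arm-vms-prepare`; that is a different host and path rather than a locale strip like the BK-1 links, so confirm the new path resolves before merging.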
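Review bot: asr-1.kql becomes `// cannot-be-validated-with-arg` and the stat shows only that one file changed, so the site-recovery `_index.md` summary table is not updated in this patch; if ASR-1 currently lists an ARG query as available, flip that cell to No in the same change so the table and the stub agree, and note the commit subject ("Update asr-1.kql as cannot be validated") does not say why the check cannot be expressed in ARG, which would help a later contributor decide whether to revisit it.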