adding new fw recommendations (#343)

Co-authored-by: Eric Henry <[email protected]>
Azure · Mar 26, 2024 · a66f083 · a66f083
1 parent ef32fb3
commit a66f083
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/docs/content/services/networking/firewall/_index.md b/docs/content/services/networking/firewall/_index.md
@@ -18,6 +18,7 @@ The presented resiliency recommendations in this guidance include Firewall and a
 | [AFW-2 - Monitor Azure Firewall metrics](#afw-2---monitor-azure-firewall-metrics) | Monitoring | Medium | Verified | Yes |
 | [AFW-3 - Configure DDoS Protection on the Azure Firewall VNet](#afw-3---configure-ddos-protection-on-the-azure-firewall-vnet) | Access & Security | High | Verified | Yes |
 | [AFW-4 - Leverage Azure Policy inheritance model](#afw-4---leverage-azure-policy-inheritance-model) | Governance | Medium | Verified | No |
+
 {{< /table >}}
 
 {{< alert style="info" >}}
@@ -129,3 +130,50 @@ Azure Firewall policy allows you to define a rule hierarchy and enforce complian
 {{< /collapse >}}
 
 <br><br>
+
+### AFW-5 - Configure 2-4 PIPs for SNAT Port utilization
+
+**Category: Availability**
+
+**Impact: Medium**
+
+**Guidance**
+
+Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall provides SNAT capability for all outbound traffic traffic to public IP addresses. Azure Firewall provides 2,496 SNAT ports per each additional PIP.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall#recommendations)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-5/afw-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+<br><br>
+
+### AFW-6 - Monitor AZFW Latency Probes metric
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Guidance**
+
+Create the metric to monitor latency probes 20ms over a long period of time ( > 30mins ). When the latency probe is over a long period of time, it means the firewall instance CPUs are stressed and could possible be causing issues.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall#recommendations)
+- [Azure Firewall metrics overview](https://learn.microsoft.com/azure/firewall/metrics)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-6/afw-6.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
diff --git a/docs/content/services/networking/firewall/code/afw-5/afw-5.kql b/docs/content/services/networking/firewall/code/afw-5/afw-5.kql
@@ -0,0 +1 @@
+// under development
diff --git a/docs/content/services/networking/firewall/code/afw-6/afw-6.kql b/docs/content/services/networking/firewall/code/afw-6/afw-6.kql
@@ -0,0 +1 @@
+// under development