From a66f0834349269e9b754f1f277e0d7b6ec19bd0f Mon Sep 17 00:00:00 2001
From: Charles J Shea <58995422+cshea-msft@users.noreply.github.com>
Date: Tue, 26 Mar 2024 15:08:44 -0400
Subject: [PATCH] adding new fw recommendations (#343)
Co-authored-by: Eric Henry <44706965+ejhenry@users.noreply.github.com>
---
.../services/networking/firewall/_index.md | 48 +++++++++++++++++++
.../networking/firewall/code/afw-5/afw-5.kql | 1 +
.../networking/firewall/code/afw-6/afw-6.kql | 1 +
3 files changed, 50 insertions(+)
create mode 100644 docs/content/services/networking/firewall/code/afw-5/afw-5.kql
create mode 100644 docs/content/services/networking/firewall/code/afw-6/afw-6.kql
diff --git a/docs/content/services/networking/firewall/_index.md b/docs/content/services/networking/firewall/_index.md
index 2a949d864..81f94c3ee 100644
--- a/docs/content/services/networking/firewall/_index.md
+++ b/docs/content/services/networking/firewall/_index.md
@@ -18,6 +18,7 @@ The presented resiliency recommendations in this guidance include Firewall and a
| [AFW-2 - Monitor Azure Firewall metrics](#afw-2---monitor-azure-firewall-metrics) | Monitoring | Medium | Verified | Yes |
| [AFW-3 - Configure DDoS Protection on the Azure Firewall VNet](#afw-3---configure-ddos-protection-on-the-azure-firewall-vnet) | Access & Security | High | Verified | Yes |
| [AFW-4 - Leverage Azure Policy inheritance model](#afw-4---leverage-azure-policy-inheritance-model) | Governance | Medium | Verified | No |
+
{{< /table >}}
{{< alert style="info" >}}
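Review bot: the summary table gains only a blank line after the AFW-4 row and no rows for AFW-5 and AFW-6, so the two new recommendations are missing from the index at the top of the page, and a blank line inside the `{{< table >}}` shortcode can also break the markdown table into two. Replace the added blank line with rows in the same form as the AFW-4 line, e.g. `| [AFW-5 - Configure 2-4 PIPs for SNAT Port utilization](#afw-5---configure-2-4-pips-for-snat-port-utilization) | Availability | Medium | ... | ... |`, with the remaining columns filled to match the state of the new sections.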
@@ -129,3 +130,50 @@ Azure Firewall policy allows you to define a rule hierarchy and enforce complian
{{< /collapse >}}
+
+### AFW-5 - Configure 2-4 PIPs for SNAT Port utilization
+
+**Category: Availability**
+
+**Impact: Medium**
+
+**Guidance**
+
+Configure a minimum of two to four public IP addresses per Azure Firewall to avoid SNAT exhaustion. Azure Firewall provides SNAT capability for all outbound traffic traffic to public IP addresses. Azure Firewall provides 2,496 SNAT ports per each additional PIP.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-firewall#recommendations)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-5/afw-5.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
+
+
+
+### AFW-6 - Monitor AZFW Latency Probes metric
+
+**Category: Monitoring**
+
+**Impact: Medium**
+
+**Guidance**
+
+Create the metric to monitor latency probes 20ms over a long period of time ( > 30mins ). When the latency probe is over a long period of time, it means the firewall instance CPUs are stressed and could possible be causing issues.
+
+**Resources**
+
+- [Azure Well-Architected Framework review - Azure Firewall](https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall#recommendations)
+- [Azure Firewall metrics overview](https://learn.microsoft.com/azure/firewall/metrics)
+
+**Resource Graphy Query/Scripts**
+
+{{< collapse title="Show/Hide Query/Script" >}}
+
+{{< code lang="sql" file="code/afw-6/afw-6.kql" >}} {{< /code >}}
+
+{{< /collapse >}}
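Review bot: the AFW-5 guidance contradicts itself and has a doubled word: "a minimum of two to four public IP addresses" is not a single minimum, and "outbound traffic traffic" should be "outbound traffic". State one threshold and make the SNAT figure consistent with it; as written, "2,496 SNAT ports per each additional PIP" reads as if the first public IP contributes none, which is not what the sentence before it implies. In AFW-6, "monitor latency probes 20ms over a long period of time" is missing the relation to the threshold (exceeding 20 ms), "When the latency probe is over a long period of time" drops the condition entirely, "could possible be" should be "could possibly be", and "Create the metric" should be "Create an alert on the metric", since the metric already exists per the linked metrics page. Both new sections also carry the typo "Resource Graphy Query/Scripts" (Graph), and both embed .kql files that this patch adds as placeholders, so the rendered Show/Hide panels will display "// under development"; either ship the queries or leave the collapse blocks out until they exist.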
diff --git a/docs/content/services/networking/firewall/code/afw-5/afw-5.kql b/docs/content/services/networking/firewall/code/afw-5/afw-5.kql
new file mode 100644
index 000000000..7b5bb5473
--- /dev/null
+++ b/docs/content/services/networking/firewall/code/afw-5/afw-5.kql
@@ -0,0 +1 @@
+// under development
diff --git a/docs/content/services/networking/firewall/code/afw-6/afw-6.kql b/docs/content/services/networking/firewall/code/afw-6/afw-6.kql
new file mode 100644
index 000000000..7b5bb5473
--- /dev/null
+++ b/docs/content/services/networking/firewall/code/afw-6/afw-6.kql
@@ -0,0 +1 @@
+// under development
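Review bot: both afw-5.kql and afw-6.kql contain only `// under development` (the same blob, 7b5bb5473), yet `_index.md` already includes them through `{{< code ... >}}`, so the published page shows an empty stub under each recommendation. Either add the actual Resource Graph queries in this PR (for AFW-5 a query that lists each firewall with its count of attached public IPs would directly support the guidance) or drop the code shortcodes and these files until the queries are ready, so the page does not advertise a script that is not there.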