Azure
/
review-checklists
зеркало из https://github.com/Azure/review-checklists.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
review-checklists/checklists/avs_checklist.en.json

1156 строки
51 KiB
JSON
Исходник Обычный вид История

[create-pull-request] automated change
2024-01-09 14:23:06 +03:00
{
"items": [
{
"category": "Identity",
"subcategory": "Identity",
"text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
"waf": "Security",
"service": "AVS",
"guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
"id": "A01.01",
"severity": "High"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
"waf": "Security",
"service": "AVS",
"guid": "75089c20-990d-4927-b105-885576f76fc2",
"id": "A01.02",
"severity": "Medium"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'",
"waf": "Security",
"service": "AVS",
"guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
"id": "A01.03",
"severity": "High"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)",
"waf": "Security",
"service": "AVS",
"guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
"id": "A01.04",
"severity": "Medium"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)",
"waf": "Security",
"service": "AVS",
"guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
"id": "A01.05",
"severity": "Medium"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)",
"waf": "Security",
"service": "AVS",
"guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
"id": "A01.06",
"severity": "High"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "Has an RBAC model been created for use within VMware vSphere",
"waf": "Security",
"service": "AVS",
"guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
"id": "A01.07",
"severity": "Medium"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "RBAC permissions should be granted on ADDS groups and not on specific users",
"waf": "Security",
"service": "AVS",
"guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
"id": "A01.08",
"severity": "Medium"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only",
"waf": "Security",
"service": "AVS",
"guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
"id": "A01.09",
"severity": "High"
},
{
"category": "Identity",
"subcategory": "Identity",
"text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations",
"waf": "Security",
"service": "AVS",
"guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
"id": "A01.10",
"severity": "High"
},
{
"category": "Networking",
"subcategory": "Architecture",
"text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand",
"waf": "Performance",
"service": "AVS",
"guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
"id": "B01.01",
"severity": "High",
"link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking"
},
{
"category": "Networking",
"subcategory": "Monitoring",
"text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'",
"waf": "Operations",
"service": "AVS",
"guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
"id": "B02.01",
"severity": "High"
},
{
"category": "Networking",
"subcategory": "Monitoring",
"text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection",
"waf": "Operations",
"service": "AVS",
"guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
"id": "B02.02",
"severity": "Medium"
},
{
"category": "Networking",
"subcategory": "Monitoring",
"text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity",
"waf": "Operations",
"service": "AVS",
"guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
"id": "B02.03",
"severity": "Medium"
},
{
"category": "Networking",
"subcategory": "Routing",
"text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).",
"waf": "Operations",
"service": "AVS",
"guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
"id": "B03.01",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Security (identity)",
"text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)",
"waf": "Security",
"service": "AVS",
"guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
"id": "C01.01",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Security (identity)",
"text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles",
"waf": "Security",
"service": "AVS",
"guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
"id": "C01.02",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Security (identity)",
"text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
"waf": "Security",
"service": "AVS",
"guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
"id": "C01.03",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (identity)",
"text": "Limit use of CloudAdmin account to emergency access only",
"waf": "Security",
"service": "AVS",
"guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
"id": "C01.04",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Security (identity)",
"text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
"waf": "Security",
"service": "AVS",
"guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
"id": "C01.05",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (identity)",
"text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
"waf": "Security",
"service": "AVS",
"guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
"id": "C01.06",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (identity)",
"text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
"waf": "Security",
"service": "AVS",
"guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
"id": "C01.07",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Security (network)",
"text": "Is East-West traffic filtering implemented within NSX-T",
"waf": "Security",
"service": "AVS",
"guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
"id": "C02.01",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (network)",
"text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
"waf": "Security",
"service": "AVS",
"guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
"id": "C02.02",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Security (network)",
"text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
"waf": "Security",
"service": "AVS",
"guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
"id": "C02.03",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Security (network)",
"text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
"waf": "Security",
"service": "AVS",
"guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
"id": "C02.04",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (network)",
"text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
"waf": "Security",
"service": "AVS",
"guid": "334fdf91-c234-4182-a652-75269440b4be",
"id": "C02.05",
Added ARG query for C02.05/D01.02/D01.03/D01.04 in avs_checklist.en.json
2024-09-20 11:30:07 +03:00
"severity": "Medium",
"graph": "resources| where type =~ 'Microsoft.Network/virtualNetworkGateways'| mv-expand ipConfigurations=properties.ipConfigurations| project subnetId=tostring(ipConfigurations.properties.subnet.id)| where isnotempty(subnetId)| join (resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | project id, compliant = (enableDdosProtection == 'true')"
[create-pull-request] automated change
2024-01-09 14:23:06 +03:00
},
{
"category": "Governance",
"subcategory": "Security (network)",
"text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
"waf": "Security",
"service": "AVS",
"guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
"id": "C02.06",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (guest/VM)",
"text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
"waf": "Security",
"service": "AVS",
"guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
"id": "C03.01",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (guest/VM)",
"text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
"waf": "Security",
"service": "AVS",
"guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
"id": "C03.02",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Security (guest/VM)",
"text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
"waf": "Security",
"service": "AVS",
"guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
"id": "C03.03",
"severity": "Low"
},
{
"category": "Governance",
"subcategory": "Security (guest/VM)",
"text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
"waf": "Security",
"service": "AVS",
"guid": "a3592718-e6e2-4051-9267-6ae46691e883",
"id": "C03.04",
"severity": "Low"
},
{
"category": "Governance",
"subcategory": "Security (guest/VM)",
"text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
"waf": "Security",
"service": "AVS",
"guid": "5ac94222-3e13-4810-9230-81a941741583",
"id": "C03.05",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
"waf": "Reliability",
"service": "AVS",
"guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
"id": "C04.01",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
"waf": "Reliability",
"service": "AVS",
"guid": "d88408f3-7273-44c8-96ba-280214590146",
"id": "C04.02",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
"waf": "Reliability",
"service": "AVS",
"guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
"id": "C04.03",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
"waf": "Operations",
"service": "AVS",
"guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
"id": "C04.04",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
"waf": "Operations",
"service": "AVS",
"guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
"id": "C04.05",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
"waf": "Cost",
"service": "AVS",
"guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
"id": "C04.06",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
"waf": "Cost",
"service": "AVS",
"guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
"id": "C04.07",
"severity": "Low"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Consider the use of Azure Private-Link when using other Azure Native Services",
"waf": "Security",
"service": "AVS",
"guid": "6691e883-5ac9-4422-83e1-3810523081a9",
"id": "C04.08",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (platform)",
"text": "Ensure all required resource reside within the same Azure availability zone(s)",
"waf": "Performance",
"service": "AVS",
"guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
"id": "C04.09",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Governance (guest/VM)",
"text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
"waf": "Security",
"service": "AVS",
"guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
"id": "C05.01",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (guest/VM)",
"text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
"waf": "Security",
"service": "AVS",
"guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
"id": "C05.02",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (guest/VM)",
"text": "Enable Diagnostic and metric logging on Azure VMware Solution",
"waf": "Operations",
"service": "AVS",
"guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
"id": "C05.03",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Governance (guest/VM)",
"text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
"waf": "Operations",
"service": "AVS",
"guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
"id": "C05.04",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Governance (guest/VM)",
"text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
"waf": "Operations",
"service": "AVS",
"guid": "589d457a-927c-4397-9d11-02cad6aae11e",
"id": "C05.05",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Compliance",
"text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
"waf": "Security",
"service": "AVS",
"guid": "ee29711b-d352-4caa-ab79-b198dab81932",
"id": "C06.01",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Compliance",
"text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
"waf": "Security",
"service": "AVS",
"guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
"id": "C06.02",
"severity": "Medium"
},
{
"category": "Governance",
"subcategory": "Compliance",
"text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
"waf": "Security",
"service": "AVS",
"guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
"id": "C06.03",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Compliance",
"text": "Are data processing implications (service provider / service consumer model) clear and documented",
"waf": "Security",
"service": "AVS",
"guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
"id": "C06.04",
"severity": "High"
},
{
"category": "Governance",
"subcategory": "Compliance",
"text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
"waf": "Security",
"service": "AVS",
"guid": "547c1747-dc56-4068-a714-435cd19dd244",
"id": "C06.05",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Monitoring",
"text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
"waf": "Operations",
"service": "AVS",
"guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
"id": "D01.01",
"severity": "High"
},
{
"category": "Management",
"subcategory": "Monitoring",
"text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
"waf": "Operations",
"service": "AVS",
"guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
"id": "D01.02",
Added ARG query for C02.05/D01.02/D01.03/D01.04 in avs_checklist.en.json
2024-09-20 11:30:07 +03:00
"severity": "High",
"graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id"
[create-pull-request] automated change
2024-01-09 14:23:06 +03:00
},
{
"category": "Management",
"subcategory": "Monitoring",
"text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
"waf": "Operations",
"service": "AVS",
"guid": "9659e396-80e7-4828-ac93-5657d02bff45",
"id": "D01.03",
Added ARG query for C02.05/D01.02/D01.03/D01.04 in avs_checklist.en.json
2024-09-20 11:30:07 +03:00
"severity": "High",
"graph": "resources| where type =~ 'Microsoft.AVS/privateClouds'| join kind=leftouter(resources| where type =~ 'Microsoft.Insights/metricalerts'| mv-expand scopes=properties.scopes| mv-expand criteria=properties.criteria.allOf| extend metricName=criteria.metricName| distinct tostring(scopes), tostring(metricName))on $left.id == $right.scopes| extend compliant=toint(metricName in ('UsageAverage', 'EffectiveCpuAverage', 'DiskUsedPercentage'))| summarize compliant=min(compliant) by id"
[create-pull-request] automated change
2024-01-09 14:23:06 +03:00
},
{
"category": "Management",
"subcategory": "Monitoring",
"text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
"waf": "Operations",
"service": "AVS",
"guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
"id": "D01.04",
Added ARG query for C02.05/D01.02/D01.03/D01.04 in avs_checklist.en.json
2024-09-20 11:30:07 +03:00
"severity": "High",
"graph": "resources| distinct subscriptionId| join kind=leftouter( resources | where type =~ 'microsoft.insights/activitylogalerts' | mv-expand condition1 = properties.condition.allOf | mv-expand condition2 = condition1.anyOf | extend alertEnabled = tostring(properties.enabled) | summarize set_condition1=make_set(condition1.equals), set_condition2=make_set(condition2.equals) by id, name,type,tenantId,resourceGroup,subscriptionId, alertEnabled | where set_has_element(set_condition1, 'ServiceHealth') | extend category = 'ServiceHealth' | extend all = iff(set_has_element(set_condition1, 'ServiceHealth') and array_length(set_condition2) == 0, true, false) | extend incident = iff(all, true, iff(set_has_element(set_condition1, 'Incident'), true, set_has_element(set_condition2, 'Incident'))) | extend maintenance = iff(all, true, iff(set_has_element(set_condition1, 'Maintenance'), true, set_has_element(set_condition2, 'Maintenance'))) | extend informational = iff(all, true, iff(set_has_element(set_condition1, 'Informational') or set_has_element(set_condition1, 'ActionRequired'), true, set_has_element(set_condition2, 'Informational') or set_has_element(set_condition2, 'ActionRequired'))) | extend security = iff(all, true, iff(set_has_element(set_condition1, 'Security'), true, set_has_element(set_condition2, 'Security'))) | project id, name, subscriptionId, category, tostring(alertEnabled), tostring(incident), tostring(maintenance), tostring(informational), tostring(security) | summarize count_alertEnabled=countif(alertEnabled == 'true'), count_incident=countif(incident == 'True'), count_maintenance=countif(maintenance == 'True'), count_informational=countif(informational == 'True'), count_security=countif(security == 'True') by subscriptionId) on subscriptionId| project subscriptionId, alertEnabled=iff(isnotnull(count_alertEnabled), count_alertEnabled, 0), incident=iff(isnotnull(count_incident), count_incident, 0), security=iff(isnotnull(count_security), count_security, 0), maintenance=iff(isnotnull(count_maintenance), count_maintenance, 0), informational=iff(isnotnull(count_informational), count_informational, 0)| order by incident, maintenance, informational, security desc| project id=subscriptionId, compliant=(alertEnabled > 0 and incident > 0 and security > 0 and maintenance > 0 and informational > 0)"
[create-pull-request] automated change
2024-01-09 14:23:06 +03:00
},
{
"category": "Management",
"subcategory": "Monitoring",
"text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
"waf": "Operations",
"service": "AVS",
"guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
"id": "D01.05",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Monitoring",
"text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
"waf": "Operations",
"service": "AVS",
"guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
"id": "D01.06",
"severity": "Low"
},
{
"category": "Management",
"subcategory": "Operations",
"text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
"waf": "Operations",
"service": "AVS",
"guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
"id": "D02.01",
"severity": "High"
},
{
"category": "Management",
"subcategory": "Operations",
"text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
"waf": "Operations",
"service": "AVS",
"guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
"id": "D02.02",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Operations",
"text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
"waf": "Operations",
"service": "AVS",
"guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
"id": "D02.03",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Operations",
"text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
"waf": "Operations",
"service": "AVS",
"guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
"id": "D02.04",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Operations",
"text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
"waf": "Operations",
"service": "AVS",
"guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
"id": "D02.05",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Operations",
"text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
"waf": "Operations",
"service": "AVS",
"guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
"id": "D02.06",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Operations",
"text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
"waf": "Operations",
"service": "AVS",
"guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
"id": "D02.07",
"severity": "Medium"
},
{
"category": "Management",
"subcategory": "Security",
"text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
"waf": "Security",
"service": "AVS",
"guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
"id": "D03.01",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Backup",
"text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
"waf": "Reliability",
"service": "AVS",
"guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
"id": "E01.01",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Disaster Recovery",
"text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
"waf": "Reliability",
"service": "AVS",
"guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
"id": "E02.01",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Disaster Recovery",
"text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
"waf": "Reliability",
"service": "AVS",
"guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
"id": "E02.02",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Disaster Recovery",
"text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
"waf": "Reliability",
"service": "AVS",
"guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
"id": "E02.03",
"severity": "High"
},
{
"category": "BCDR",
"subcategory": "Disaster Recovery",
"text": "Use the geopolitical region pair as the secondary disaster recovery environment",
"waf": "Reliability",
"service": "AVS",
"guid": "8255461e-2aee-4345-9aec-8339248b262d",
"id": "E02.04",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Disaster Recovery",
"text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
"waf": "Reliability",
"service": "AVS",
"guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
"id": "E02.05",
"severity": "High"
},
{
"category": "BCDR",
"subcategory": "Disaster Recovery",
"text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
"waf": "Reliability",
"service": "AVS",
"guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
"id": "E02.06",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Business Continuity",
"text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/\ufffd. ]",
"waf": "Reliability",
"service": "AVS",
"guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
"id": "E03.01",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Business Continuity",
"text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
"waf": "Reliability",
"service": "AVS",
"guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
"id": "E03.02",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Business Continuity",
"text": "Deploy your backup solution outside of vSan, on Azure native components",
"waf": "Reliability",
"service": "AVS",
"guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
"id": "E03.03",
"severity": "Medium"
},
{
"category": "BCDR",
"subcategory": "Business Continuity",
"text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
"waf": "Reliability",
"service": "AVS",
"guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
"id": "E03.04",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Deployment strategy",
"text": "For manual deployments, all configuration and deployments must be documented",
"waf": "Operations",
"service": "AVS",
"guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
"id": "F01.01",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Deployment strategy",
"text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
"waf": "Operations",
"service": "AVS",
"guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
"id": "F01.02",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Deployment",
"text": "For automated deployments, deploy a minimal private cloud and scale as needed",
"waf": "Operations",
"service": "AVS",
"guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
"id": "F02.01",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Deployment",
"text": "For automated deployments, request or reserve quota prior to starting the deployment",
"waf": "Operations",
"service": "AVS",
"guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
"id": "F02.02",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Deployment",
"text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
"waf": "Operations",
"service": "AVS",
"guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
"id": "F02.03",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Connectivity",
"text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
"waf": "Operations",
"service": "AVS",
"guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
"id": "F03.01",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Connectivity",
"text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
"waf": "Operations",
"service": "AVS",
"guid": "255461e2-aee3-4553-afc8-339248b262d6",
"id": "F03.02",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Connectivity",
"text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
"waf": "Operations",
"service": "AVS",
"guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
"id": "F03.03",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Connectivity",
"text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
"waf": "Operations",
"service": "AVS",
"guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
"id": "F03.04",
"severity": "Low"
},
{
"category": "Platform Automation",
"subcategory": "Automated Scale",
"text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
"waf": "Performance",
"service": "AVS",
"guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
"id": "F04.01",
"severity": "Medium"
},
{
"category": "Platform Automation",
"subcategory": "Automated Scale",
"text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
"waf": "Performance",
"service": "AVS",
"guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
"id": "F04.02",
"severity": "Medium"
},
{
"category": "Platform Automation",
"subcategory": "Automated Scale",
"text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
"waf": "Performance",
"service": "AVS",
"guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
"id": "F04.03",
"severity": "Medium"
},
{
"category": "Platform Automation",
"subcategory": "Automated Scale",
"text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
"waf": "Performance",
"service": "AVS",
"guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
"id": "F04.04",
"severity": "Medium"
},
{
"category": "Platform Automation",
"subcategory": "Automated Scale",
"text": "Define and enforce scale in/out maximum limits for your environment in the automations",
"waf": "Performance",
"service": "AVS",
"guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
"id": "F04.05",
"severity": "Medium"
},
{
"category": "Platform Automation",
"subcategory": "Automated Scale",
"text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
"waf": "Operations",
"service": "AVS",
"guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
"id": "F04.06",
"severity": "Medium"
},
{
"category": "Migration",
"subcategory": "Architecture",
"text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
"waf": "Reliability",
"service": "AVS",
"guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
"id": "G01.01",
"severity": "High",
"training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works"
},
{
"category": "Migration",
"subcategory": "Architecture",
"text": "When using MON, you cannot enable MON on more than 100 Network extensions",
"waf": "Reliability",
"service": "AVS",
"guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
"id": "G01.02",
"severity": "High",
"training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
"link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works"
},
{
"category": "Migration",
"subcategory": "Networking",
"text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
"waf": "Performance",
"service": "AVS",
"guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
"id": "G02.01",
"severity": "Medium"
},
{
"category": "Migration",
"subcategory": "Networking",
"text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance",
"waf": "Performance",
"service": "AVS",
"guid": "e614658d-d457-4e92-9139-b821102cad6e",
"id": "G02.02",
"severity": "Medium"
},
{
"category": "Migration",
"subcategory": "Process",
"text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)",
"waf": "Reliability",
"service": "AVS",
"guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
"id": "G03,01",
"severity": "Medium"
},
{
"category": "Data Storage",
"subcategory": "Architecture",
"text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
"waf": "Reliability",
"service": "AVS",
"guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",
"id": "H01.01",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings"
},
{
"category": "Data Storage",
"subcategory": "Architecture",
"text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions",
"waf": "Reliability",
"service": "AVS",
"guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a",
"id": "H01.02",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door"
},
{
"category": "Data Storage",
"subcategory": "Architecture",
"text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions",
"waf": "Reliability",
"service": "AVS",
"guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3",
"id": "H01.03",
"severity": "Medium",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin"
},
{
"category": "Stretched Cluster",
"subcategory": "Architecture",
"text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
"waf": "Reliability",
"service": "AVS",
"guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2",
"id": "I01.01",
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group"
},
{
"category": "Stretched Cluster",
"subcategory": "Architecture",
"text": "If using stretched cluster, ensure that the SLA provided will meet your requirements",
"waf": "Reliability",
"service": "AVS",
"guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888",
"id": "I01.02",
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints"
},
{
"category": "Stretched Cluster",
"subcategory": "Architecture",
"text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.",
"waf": "Reliability",
"service": "AVS",
"guid": "9579d66b-896d-471f-a6ca-7be9955d04c3",
"id": "I01.03",
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes"
},
{
"category": "Stretched Cluster",
"subcategory": "Architecture",
"text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.",
"waf": "Reliability",
"service": "AVS",
"guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed",
"id": "I01.04",
"severity": "High",
"link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity"
},
{
"category": "Stretched Cluster",
"subcategory": "Architecture",
"text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.",
"waf": "Reliability",
"service": "AVS",
"guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59",
"id": "I01.05",
"severity": "High",
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates"
}
],
"categories": [
{
"name": "Identity"
},
{
"name": "Networking"
},
{
"name": "Governance"
},
{
"name": "Management"
},
{
"name": "BCDR"
},
{
"name": "Platform Automation"
}
],
"waf": [
{
"name": "Reliability"
},
{
"name": "Security"
},
{
"name": "Cost"
},
{
"name": "Operations"
},
{
"name": "Performance"
}
],
"yesno": [
{
"name": "Yes"
},
{
"name": "No"
}
],
"status": [
{
"name": "Not verified",
"description": "This check has not been looked at yet"
},
{
"name": "Open",
"description": "There is an action item associated to this check"
},
{
"name": "Fulfilled",
"description": "This check has been verified, and there are no further action items associated to it"
},
{
"name": "Not required",
"description": "Recommendation understood, but not needed by current requirements"
},
{
"name": "N/A",
"description": "Not applicable for current design"
}
],
"severities": [
{
"name": "High"
},
{
"name": "Medium"
},
{
"name": "Low"
}
],
"metadata": {
"name": "Azure VMware Solution Design Review",
"state": "preview",
"waf": "all",
"timestamp": "January 09, 2024"
}
Added ARG query for C02.05/D01.02/D01.03/D01.04 in avs_checklist.en.json
2024-09-20 11:30:07 +03:00
}