Azure
/
review-checklists
зеркало из https://github.com/Azure/review-checklists.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Update links from docs to learn. Based on recent Microsoft Learn changes.

This commit is contained in:
Luke Murray 2023-02-11 07:51:50 +13:00
Родитель 13fa7365cc
Коммит 3b426bee6f
48 изменённых файлов: 3818 добавлений и 3818 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
README.md
Просмотреть файл

@ -97,7 +97,7 @@ If you wish to do contributions to the checklists, one option is the following:
## Using Azure Resource Graph to verify Azure environments (advanced)
Some of the checks have associated [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/overview) queries, which return a list of related resources and a compliance status for each. Resource Graph queries enable objective verification of the associated checks and make filling out the spreadsheet easier by collecting some environment details for you.
Some of the checks have associated [Azure Resource Graph](https://learn.microsoft.com/azure/governance/resource-graph/overview) queries, which return a list of related resources and a compliance status for each. Resource Graph queries enable objective verification of the associated checks and make filling out the spreadsheet easier by collecting some environment details for you.
Along with the spreadsheet, this repo includes the script [checklist_graph.sh](./scripts/checklist_graph.sh). This script will run the graph queries stored in the JSON checklists and produce an output that can easily be copied and pasted into the spreadsheet, or alternatively generate a JSON file that can then be imported to the spreadsheet.

2
SECURITY.md
Просмотреть файл

@ -4,7 +4,7 @@
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.
## Reporting Security Issues

144
checklists/aks_checklist.en.json
Просмотреть файл

@ -7,7 +7,7 @@
"guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b",
"cost": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks"
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks"
},
{
"category": "Application Deployment",
@ -26,7 +26,7 @@
"scale": 1,
"simple": -1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/azure-functions/functions-kubernetes-keda"
"link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda"
},
{
"category": "Application Deployment",
@ -45,7 +45,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks"
"link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks"
},
{
"category": "BC and DR",
@ -54,7 +54,7 @@
"guid": "36cb45e5-7960-4332-9bdf-8cc23318da61",
"ha": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery"
},
{
"category": "BC and DR",
@ -63,7 +63,7 @@
"guid": "170265f4-bb46-4a39-9af7-f317284797b1",
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region"
},
{
"category": "BC and DR",
@ -73,7 +73,7 @@
"ha": 1,
"severity": "Medium",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(zones) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/availability-zones"
"link": "https://learn.microsoft.com/azure/aks/availability-zones"
},
{
"category": "BC and DR",
@ -84,7 +84,7 @@
"ha": 2,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/uptime-sla"
"link": "https://learn.microsoft.com/azure/aks/uptime-sla"
},
{
"category": "BC and DR",
@ -94,7 +94,7 @@
"simple": -1,
"ha": 1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler"
},
{
"category": "BC and DR",
@ -104,7 +104,7 @@
"cost": -1,
"ha": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/container-registry/container-registry-geo-replication"
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication"
},
{
"category": "BC and DR",
@ -122,7 +122,7 @@
"guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
"cost": 1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost"
},
{
"category": "Cost Governance",
@ -169,7 +169,7 @@
"simple": -1,
"severity": "Medium",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes"
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes"
},
{
"category": "Governance and Security",
@ -181,7 +181,7 @@
"simple": -1,
"severity": "Medium",
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
"link": "https://docs.microsoft.com/azure/aks/use-system-pools"
"link": "https://learn.microsoft.com/azure/aks/use-system-pools"
},
{
"category": "Governance and Security",
@ -191,7 +191,7 @@
"simple": -1,
"ha": 1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/aks/use-system-pools"
"link": "https://learn.microsoft.com/azure/aks/use-system-pools"
},
{
"category": "Governance and Security",
@ -201,7 +201,7 @@
"security": 1,
"simple": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/container-registry/"
"link": "https://learn.microsoft.com/azure/container-registry/"
},
{
"category": "Governance and Security",
@ -211,7 +211,7 @@
"security": 1,
"cost": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/security-center/container-security"
"link": "https://learn.microsoft.com/azure/security-center/container-security"
},
{
"category": "Governance and Security",
@ -221,7 +221,7 @@
"security": 1,
"cost": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/security-center/container-security"
"link": "https://learn.microsoft.com/azure/security-center/container-security"
},
{
"category": "Governance and Security",
@ -240,7 +240,7 @@
"guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
"security": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-cluster-isolation"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation"
},
{
"category": "Governance and Security",
@ -259,7 +259,7 @@
"guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
"security": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/update-credentials"
"link": "https://learn.microsoft.com/azure/aks/update-credentials"
},
{
"category": "Governance and Security",
@ -299,7 +299,7 @@
"simple": 1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/use-managed-identity"
"link": "https://learn.microsoft.com/azure/aks/use-managed-identity"
},
{
"category": "Identity and Access Management",
@ -309,7 +309,7 @@
"simple": 1,
"severity": "Medium",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/managed-aad"
"link": "https://learn.microsoft.com/azure/aks/managed-aad"
},
{
"category": "Identity and Access Management",
@ -319,7 +319,7 @@
"security": 1,
"simple": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/control-kubeconfig-access"
"link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access"
},
{
"category": "Identity and Access Management",
@ -329,7 +329,7 @@
"security": 1,
"simple": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/manage-azure-rbac"
"link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac"
},
{
"category": "Identity and Access Management",
@ -340,7 +340,7 @@
"simple": -1,
"ha": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-identity"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity"
},
{
"category": "Identity and Access Management",
@ -432,7 +432,7 @@
"simple": -1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/http-application-routing"
"link": "https://learn.microsoft.com/azure/aks/http-application-routing"
},
{
"category": "Network Topology and Connectivity",
@ -453,7 +453,7 @@
"scale": 1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard"
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard"
},
{
"category": "Network Topology and Connectivity",
@ -473,7 +473,7 @@
"security": 1,
"simple": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/private-link/private-link-overview"
"link": "https://learn.microsoft.com/azure/private-link/private-link-overview"
},
{
"category": "Network Topology and Connectivity",
@ -483,7 +483,7 @@
"cost": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering"
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering"
},
{
"category": "Network Topology and Connectivity",
@ -493,7 +493,7 @@
"simple": 1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network"
},
{
"category": "Network Topology and Connectivity",
@ -502,7 +502,7 @@
"guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
"scale": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni"
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni"
},
{
"category": "Network Topology and Connectivity",
@ -512,7 +512,7 @@
"scale": 1,
"simple": -1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni"
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni"
},
{
"category": "Network Topology and Connectivity",
@ -523,7 +523,7 @@
"security": 1,
"simple": -1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/aks/internal-lb"
"link": "https://learn.microsoft.com/azure/aks/internal-lb"
},
{
"category": "Network Topology and Connectivity",
@ -532,7 +532,7 @@
"guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
"scale": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni"
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni"
},
{
"category": "Network Topology and Connectivity",
@ -562,7 +562,7 @@
"scale": 1,
"simple": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/concepts-network"
"link": "https://learn.microsoft.com/azure/aks/concepts-network"
},
{
"category": "Network Topology and Connectivity",
@ -593,7 +593,7 @@
"simple": -2,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/limit-egress-traffic"
"link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic"
},
{
"category": "Network Topology and Connectivity",
@ -604,7 +604,7 @@
"simple": -1,
"severity": "Medium",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges"
"link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges"
},
{
"category": "Network Topology and Connectivity",
@ -615,7 +615,7 @@
"simple": -1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
"link": "https://docs.microsoft.com/azure/aks/private-clusters"
"link": "https://learn.microsoft.com/azure/aks/private-clusters"
},
{
"category": "Network Topology and Connectivity",
@ -636,7 +636,7 @@
"security": 1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/use-network-policies"
"link": "https://learn.microsoft.com/azure/aks/use-network-policies"
},
{
"category": "Network Topology and Connectivity",
@ -646,7 +646,7 @@
"security": 1,
"simple": -1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network"
},
{
"category": "Network Topology and Connectivity",
@ -657,7 +657,7 @@
"cost": -1,
"simple": -1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network"
},
{
"category": "Network Topology and Connectivity",
@ -668,7 +668,7 @@
"cost": -2,
"severity": "Medium",
"graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
"link": "https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview"
"link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview"
},
{
"category": "Network Topology and Connectivity",
@ -689,7 +689,7 @@
"security": 1,
"simple": -2,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/servicemesh-about"
"link": "https://learn.microsoft.com/azure/aks/servicemesh-about"
},
{
"category": "Operations",
@ -699,7 +699,7 @@
"simple": -1,
"ha": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts"
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts"
},
{
"category": "Operations",
@ -709,7 +709,7 @@
"simple": -1,
"ha": 1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/advisor/advisor-get-started"
"link": "https://learn.microsoft.com/azure/advisor/advisor-get-started"
},
{
"category": "Operations",
@ -718,7 +718,7 @@
"guid": "5388e9de-d167-4dd1-a2b0-ac241b999a64",
"simple": 1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler"
},
{
"category": "Operations",
@ -737,7 +737,7 @@
"security": 1,
"simple": -1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/supported-kubernetes-versions"
"link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions"
},
{
"category": "Operations",
@ -746,7 +746,7 @@
"guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
"simple": -1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/node-updates-kured"
"link": "https://learn.microsoft.com/azure/aks/node-updates-kured"
},
{
"category": "Operations",
@ -756,7 +756,7 @@
"security": 1,
"simple": -1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/node-image-upgrade"
"link": "https://learn.microsoft.com/azure/aks/node-image-upgrade"
},
{
"category": "Operations",
@ -764,7 +764,7 @@
"text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
"guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments"
},
{
"category": "Operations",
@ -790,7 +790,7 @@
"guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
"security": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/faq"
"link": "https://learn.microsoft.com/azure/aks/faq"
},
{
"category": "Operations",
@ -800,7 +800,7 @@
"simple": 1,
"severity": "Low",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration"
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration"
},
{
"category": "Operations",
@ -820,7 +820,7 @@
"simple": -1,
"ha": 1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters"
"link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters"
},
{
"category": "Operations",
@ -828,7 +828,7 @@
"text": "Keep windows containers patch level in sync with host patch level",
"guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
"severity": "Low",
"link": "https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2"
"link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2"
},
{
"category": "Operations",
@ -839,7 +839,7 @@
"cost": -1,
"ha": 1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/aks/monitor-aks"
"link": "https://learn.microsoft.com/azure/aks/monitor-aks"
},
{
"category": "Operations",
@ -849,7 +849,7 @@
"cost": 1,
"simple": -1,
"severity": "Low",
"link": "https://docs.microsoft.com/azure/aks/spot-node-pool"
"link": "https://learn.microsoft.com/azure/aks/spot-node-pool"
},
{
"category": "Operations",
@ -860,7 +860,7 @@
"simple": -1,
"severity": "Low",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale"
"link": "https://learn.microsoft.com/azure/aks/concepts-scale"
},
{
"category": "Operations",
@ -870,7 +870,7 @@
"simple": -1,
"ha": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview"
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview"
},
{
"category": "Operations",
@ -881,7 +881,7 @@
"ha": 1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview"
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview"
},
{
"category": "Operations",
@ -891,7 +891,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/azure-monitor/containers/container-insights-analyze"
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze"
},
{
"category": "Operations",
@ -901,7 +901,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni"
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni"
},
{
"category": "Operations",
@ -912,7 +912,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-machines/premium-storage-performance"
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance"
},
{
"category": "Operations",
@ -922,7 +922,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard"
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard"
},
{
"category": "Operations",
@ -931,7 +931,7 @@
"guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/aks-resource-health"
"link": "https://learn.microsoft.com/azure/aks/aks-resource-health"
},
{
"category": "Operations",
@ -941,7 +941,7 @@
"simple": -1,
"ha": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler"
},
{
"category": "Operations",
@ -951,7 +951,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler"
},
{
"category": "Operations",
@ -960,7 +960,7 @@
"guid": "081a5417-4158-433e-a3ad-3c2de733165c",
"cost": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
},
{
"category": "Operations",
@ -971,7 +971,7 @@
"ha": 1,
"severity": "Medium",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale"
"link": "https://learn.microsoft.com/azure/aks/concepts-scale"
},
{
"category": "Operations",
@ -992,7 +992,7 @@
"scale": 1,
"simple": -1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale"
"link": "https://learn.microsoft.com/azure/aks/concepts-scale"
},
{
"category": "Operations",
@ -1049,7 +1049,7 @@
"scale": 1,
"severity": "High",
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration"
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration"
},
{
"category": "Operations",
@ -1059,7 +1059,7 @@
"cost": -1,
"scale": 1,
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types"
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types"
},
{
"category": "Operations",
@ -1079,7 +1079,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region"
},
{
"category": "Operations",
@ -1089,7 +1089,7 @@
"cost": -1,
"scale": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-storage"
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage"
},
{
"category": "Operations",
@ -1099,7 +1099,7 @@
"simple": -1,
"ha": 1,
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support"
"link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support"
}
],
"categories": [

144
checklists/aks_checklist.es.json
Просмотреть файл

@ -27,7 +27,7 @@
"category": "Implementación de aplicaciones",
"cost": 1,
"guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"severity": "Medio",
"subcategory": "Desarrollo",
"text": "Usar implementaciones canarias o azules/verdes"
@ -44,7 +44,7 @@
{
"category": "Implementación de aplicaciones",
"guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
"link": "https://docs.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"scale": 1,
"severity": "Bajo",
"simple": -1,
@ -64,7 +64,7 @@
"category": "Implementación de aplicaciones",
"guid": "3acbe04b-be20-49d3-afda-47778424d116",
"ha": 1,
"link": "https://docs.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"severity": "Medio",
"simple": -1,
"subcategory": "Infraestructura como código",
@ -74,7 +74,7 @@
"category": "BC y DR",
"guid": "36cb45e5-7960-4332-9bdf-8cc23318da61",
"ha": 1,
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"severity": "Alto",
"subcategory": "Recuperación ante desastres",
"text": "Programe y realice pruebas de DR regularmente"
@ -83,7 +83,7 @@
"category": "BC y DR",
"guid": "170265f4-bb46-4a39-9af7-f317284797b1",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "Medio",
"subcategory": "Alta disponibilidad",
"text": "Usar Azure Traffic Manager o Azure Front Door como equilibrador de carga global para la conmutación por error de región"
@ -93,7 +93,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(zones) | distinct id,compliant",
"guid": "578a219a-46be-4b54-9350-24922634292b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones",
"link": "https://learn.microsoft.com/azure/aks/availability-zones",
"severity": "Medio",
"subcategory": "Alta disponibilidad",
"text": "Use zonas de disponibilidad si son compatibles en su región de Azure"
@ -104,7 +104,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
"guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
"ha": 2,
"link": "https://docs.microsoft.com/azure/aks/uptime-sla",
"link": "https://learn.microsoft.com/azure/aks/uptime-sla",
"severity": "Alto",
"subcategory": "Alta disponibilidad",
"text": "Usar la oferta de AKS respaldada por SLA"
@ -113,7 +113,7 @@
"category": "BC y DR",
"guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Bajo",
"simple": -1,
"subcategory": "Alta disponibilidad",
@ -124,7 +124,7 @@
"cost": -1,
"guid": "3c763963-7a55-42d5-a15e-401955387e5c",
"ha": 1,
"link": "https://docs.microsoft.com/azure/container-registry/container-registry-geo-replication",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
"severity": "Alto",
"subcategory": "Alta disponibilidad",
"text": "Si utiliza un registro privado, configure la replicación de regiones para almacenar imágenes en varias regiones"
@ -142,7 +142,7 @@
"category": "Gobernanza de costos",
"cost": 1,
"guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"severity": "Bajo",
"subcategory": "Costar",
"text": "Usar una aplicación externa como kubecost para asignar costos a diferentes usuarios"
@ -187,7 +187,7 @@
"category": "Gobernanza y seguridad",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
"guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
"link": "https://docs.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"security": 1,
"severity": "Medio",
"simple": -1,
@ -199,7 +199,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
"guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"security": 1,
"severity": "Medio",
"simple": -1,
@ -210,7 +210,7 @@
"category": "Gobernanza y seguridad",
"guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"severity": "Bajo",
"simple": -1,
"subcategory": "Conformidad",
@ -219,7 +219,7 @@
{
"category": "Gobernanza y seguridad",
"guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
"link": "https://docs.microsoft.com/azure/container-registry/",
"link": "https://learn.microsoft.com/azure/container-registry/",
"security": 1,
"severity": "Medio",
"simple": -1,
@ -230,7 +230,7 @@
"category": "Gobernanza y seguridad",
"cost": -1,
"guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "Medio",
"subcategory": "Conformidad",
@ -240,7 +240,7 @@
"category": "Gobernanza y seguridad",
"cost": -1,
"guid": "cc639637-a652-42ac-89e8-06965388e9de",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "Medio",
"subcategory": "Conformidad",
@ -259,7 +259,7 @@
{
"category": "Gobernanza y seguridad",
"guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"security": 1,
"severity": "Alto",
"subcategory": "Conformidad",
@ -278,7 +278,7 @@
{
"category": "Gobernanza y seguridad",
"guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
"link": "https://docs.microsoft.com/azure/aks/update-credentials",
"link": "https://learn.microsoft.com/azure/aks/update-credentials",
"security": 1,
"severity": "Alto",
"subcategory": "Secretos",
@ -318,7 +318,7 @@
"category": "Gestión de identidades y accesos",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
"guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
"link": "https://docs.microsoft.com/azure/aks/use-managed-identity",
"link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
"severity": "Alto",
"simple": 1,
"subcategory": "Identidad",
@ -328,7 +328,7 @@
"category": "Gestión de identidades y accesos",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
"guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
"link": "https://docs.microsoft.com/azure/aks/managed-aad",
"link": "https://learn.microsoft.com/azure/aks/managed-aad",
"severity": "Medio",
"simple": 1,
"subcategory": "Identidad",
@ -337,7 +337,7 @@
{
"category": "Gestión de identidades y accesos",
"guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
"link": "https://docs.microsoft.com/azure/aks/control-kubeconfig-access",
"link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
"security": 1,
"severity": "Medio",
"simple": -1,
@ -347,7 +347,7 @@
{
"category": "Gestión de identidades y accesos",
"guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
"link": "https://docs.microsoft.com/azure/aks/manage-azure-rbac",
"link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
"security": 1,
"severity": "Medio",
"simple": -1,
@ -358,7 +358,7 @@
"category": "Gestión de identidades y accesos",
"guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-identity",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -450,7 +450,7 @@
"category": "Topología y conectividad de red",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
"guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
"link": "https://docs.microsoft.com/azure/aks/http-application-routing",
"link": "https://learn.microsoft.com/azure/aks/http-application-routing",
"scale": 1,
"severity": "Alto",
"simple": -1,
@ -472,7 +472,7 @@
"category": "Topología y conectividad de red",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
"guid": "ba7da7be-9952-4914-a384-5d997cb39132",
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"scale": 1,
"severity": "Alto",
"subcategory": "Prácticas recomendadas",
@ -491,7 +491,7 @@
{
"category": "Topología y conectividad de red",
"guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
"link": "https://docs.microsoft.com/azure/private-link/private-link-overview",
"link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
"security": 1,
"severity": "Medio",
"simple": -1,
@ -503,7 +503,7 @@
"cost": -1,
"guid": "e8a03f97-8794-468d-96a7-86d60f96c97b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"severity": "Medio",
"subcategory": "JA",
"text": "Si se requiere conectividad híbrida, use 2xER o ER+VPN para una mejor disponibilidad"
@ -512,7 +512,7 @@
"category": "Topología y conectividad de red",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
"guid": "a0f61565-9de5-458f-a372-49c831112dbd",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"severity": "Alto",
"simple": 1,
"subcategory": "IPAM (en inglés)",
@ -521,7 +521,7 @@
{
"category": "Topología y conectividad de red",
"guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "Alto",
"subcategory": "IPAM (en inglés)",
@ -530,7 +530,7 @@
{
"category": "Topología y conectividad de red",
"guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "Alto",
"simple": -1,
@ -541,7 +541,7 @@
"category": "Topología y conectividad de red",
"description": "Para las aplicaciones internas, las organizaciones suelen abrir toda la subred de AKS en sus firewalls. Esto abre el acceso de red también a los nodos y, potencialmente, también a los pods (si usa Azure CNI). Si las direcciones IP de LoadBalancer están en una subred diferente, solo esta debe estar disponible para los clientes de la aplicación. Otra razón es que si las direcciones IP de la subred AKS son un recurso escaso, consumir sus direcciones IP para servicios reducirá la escalabilidad máxima del clúster.",
"guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
"link": "https://docs.microsoft.com/azure/aks/internal-lb",
"link": "https://learn.microsoft.com/azure/aks/internal-lb",
"security": 1,
"severity": "Bajo",
"simple": -1,
@ -551,7 +551,7 @@
{
"category": "Topología y conectividad de red",
"guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "Alto",
"subcategory": "IPAM (en inglés)",
@ -580,7 +580,7 @@
{
"category": "Topología y conectividad de red",
"guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
"link": "https://docs.microsoft.com/azure/aks/concepts-network",
"link": "https://learn.microsoft.com/azure/aks/concepts-network",
"scale": 1,
"severity": "Medio",
"simple": -1,
@ -611,7 +611,7 @@
"category": "Topología y conectividad de red",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
"guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
"link": "https://docs.microsoft.com/azure/aks/limit-egress-traffic",
"link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
"security": 2,
"severity": "Alto",
"simple": -2,
@ -622,7 +622,7 @@
"category": "Topología y conectividad de red",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
"guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
"link": "https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"security": 1,
"severity": "Medio",
"simple": -1,
@ -633,7 +633,7 @@
"category": "Topología y conectividad de red",
"graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
"guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
"link": "https://docs.microsoft.com/azure/aks/private-clusters",
"link": "https://learn.microsoft.com/azure/aks/private-clusters",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -655,7 +655,7 @@
"category": "Topología y conectividad de red",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
"guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
"link": "https://docs.microsoft.com/azure/aks/use-network-policies",
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"security": 1,
"severity": "Alto",
"subcategory": "Seguridad",
@ -664,7 +664,7 @@
{
"category": "Topología y conectividad de red",
"guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -675,7 +675,7 @@
"category": "Topología y conectividad de red",
"cost": -1,
"guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 2,
"severity": "Alto",
"simple": -1,
@ -687,7 +687,7 @@
"cost": -2,
"graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
"guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
"link": "https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
"security": 2,
"severity": "Medio",
"subcategory": "Seguridad",
@ -707,7 +707,7 @@
{
"category": "Topología y conectividad de red",
"guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
"link": "https://docs.microsoft.com/azure/aks/servicemesh-about",
"link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
"security": 1,
"severity": "Medio",
"simple": -2,
@ -718,7 +718,7 @@
"category": "Operaciones",
"guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"severity": "Alto",
"simple": -1,
"subcategory": "Alertas",
@ -728,7 +728,7 @@
"category": "Operaciones",
"guid": "337453a3-cc63-4963-9a65-22ac19e80696",
"ha": 1,
"link": "https://docs.microsoft.com/azure/advisor/advisor-get-started",
"link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
"severity": "Bajo",
"simple": -1,
"subcategory": "Conformidad",
@ -737,7 +737,7 @@
{
"category": "Operaciones",
"guid": "5388e9de-d167-4dd1-a2b0-ac241b999a64",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Bajo",
"simple": 1,
"subcategory": "Conformidad",
@ -755,7 +755,7 @@
{
"category": "Operaciones",
"guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
"link": "https://docs.microsoft.com/azure/aks/supported-kubernetes-versions",
"link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -765,7 +765,7 @@
{
"category": "Operaciones",
"guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
"link": "https://docs.microsoft.com/azure/aks/node-updates-kured",
"link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
"severity": "Alto",
"simple": -1,
"subcategory": "Conformidad",
@ -774,7 +774,7 @@
{
"category": "Operaciones",
"guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
"link": "https://docs.microsoft.com/azure/aks/node-image-upgrade",
"link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -784,7 +784,7 @@
{
"category": "Operaciones",
"guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"severity": "Bajo",
"subcategory": "Conformidad",
"text": "Considere gitops para implementar aplicaciones o configuración de clústeres en varios clústeres"
@ -809,7 +809,7 @@
{
"category": "Operaciones",
"guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
"link": "https://docs.microsoft.com/azure/aks/faq",
"link": "https://learn.microsoft.com/azure/aks/faq",
"security": 1,
"severity": "Alto",
"subcategory": "Conformidad",
@ -819,7 +819,7 @@
"category": "Operaciones",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
"guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"severity": "Bajo",
"simple": 1,
"subcategory": "Conformidad",
@ -839,7 +839,7 @@
"category": "Operaciones",
"guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
"ha": 1,
"link": "https://docs.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"severity": "Bajo",
"simple": -1,
"subcategory": "Conformidad",
@ -848,7 +848,7 @@
{
"category": "Operaciones",
"guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
"link": "https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"severity": "Bajo",
"subcategory": "Conformidad",
"text": "Mantenga el nivel de revisión de los contenedores de Windows sincronizado con el nivel de revisión del host"
@ -859,7 +859,7 @@
"description": "Mediante la configuración de diagnóstico en el nivel de clúster",
"guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/monitor-aks",
"link": "https://learn.microsoft.com/azure/aks/monitor-aks",
"severity": "Bajo",
"subcategory": "Conformidad",
"text": "Enviar registros maestros (también conocidos como registros de API) a Azure Monitor o a su solución de administración de registros preferida"
@ -868,7 +868,7 @@
"category": "Operaciones",
"cost": 1,
"guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
"link": "https://docs.microsoft.com/azure/aks/spot-node-pool",
"link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
"severity": "Bajo",
"simple": -1,
"subcategory": "Costar",
@ -878,7 +878,7 @@
"category": "Operaciones",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
"guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "Bajo",
"simple": -1,
@ -889,7 +889,7 @@
"category": "Operaciones",
"guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "Alto",
"simple": -1,
"subcategory": "Monitorización",
@ -900,7 +900,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
"guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "Alto",
"simple": -1,
"subcategory": "Monitorización",
@ -910,7 +910,7 @@
"category": "Operaciones",
"guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"severity": "Medio",
"simple": -1,
"subcategory": "Monitorización",
@ -920,7 +920,7 @@
"category": "Operaciones",
"guid": "1a4835ac-9422-423e-ae80-b123081a5417",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"severity": "Medio",
"simple": -1,
"subcategory": "Monitorización",
@ -931,7 +931,7 @@
"description": "La E/S en el disco del sistema operativo es un recurso crítico. Si el sistema operativo en los nodos se limita en E/S, esto podría conducir a un comportamiento impredecible, que normalmente termina en un nodo que se declara NotReady",
"guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/virtual-machines/premium-storage-performance",
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
"severity": "Medio",
"simple": -1,
"subcategory": "Monitorización",
@ -941,7 +941,7 @@
"category": "Operaciones",
"guid": "be209d39-fda4-4777-a424-d116785c2fa5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"severity": "Medio",
"simple": -1,
"subcategory": "Monitorización",
@ -951,7 +951,7 @@
"category": "Operaciones",
"guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/aks-resource-health",
"link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
"severity": "Medio",
"subcategory": "Monitorización",
"text": "Suscribirse a las notificaciones de estado de recursos para el clúster de AKS"
@ -960,7 +960,7 @@
"category": "Operaciones",
"guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Alto",
"simple": -1,
"subcategory": "Recursos",
@ -970,7 +970,7 @@
"category": "Operaciones",
"guid": "769ef669-1a48-435a-a942-223ece80b123",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Medio",
"simple": -1,
"subcategory": "Recursos",
@ -980,7 +980,7 @@
"category": "Operaciones",
"cost": 1,
"guid": "081a5417-4158-433e-a3ad-3c2de733165c",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "Alto",
"subcategory": "Recursos",
"text": "Asegúrese de que su suscripción tenga suficiente cuota para escalar horizontalmente sus grupos de nodos"
@ -991,7 +991,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
"guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"severity": "Medio",
"subcategory": "Escalabilidad",
"text": "Usar el escalador automático de clúster"
@ -1010,7 +1010,7 @@
{
"category": "Operaciones",
"guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "Medio",
"simple": -1,
@ -1068,7 +1068,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
"guid": "24367b33-6971-45b1-952b-eee0b9b588de",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"scale": 1,
"severity": "Alto",
"subcategory": "Almacenamiento",
@ -1078,7 +1078,7 @@
"category": "Operaciones",
"cost": -1,
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"scale": 1,
"severity": "Alto",
"subcategory": "Almacenamiento",
@ -1098,7 +1098,7 @@
"category": "Operaciones",
"guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "Medio",
"simple": -1,
"subcategory": "Almacenamiento",
@ -1108,7 +1108,7 @@
"category": "Operaciones",
"cost": -1,
"guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-storage",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
"scale": 1,
"severity": "Medio",
"subcategory": "Almacenamiento",
@ -1118,7 +1118,7 @@
"category": "Operaciones",
"guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"severity": "Medio",
"simple": -1,
"subcategory": "Almacenamiento",

144
checklists/aks_checklist.ja.json
Просмотреть файл

@ -27,7 +27,7 @@
"category": "アプリケーションの展開",
"cost": 1,
"guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"severity": "中程度",
"subcategory": "発達",
"text": "カナリアまたはブルー/グリーンのデプロイを使用する"
@ -44,7 +44,7 @@
{
"category": "アプリケーションの展開",
"guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
"link": "https://docs.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"scale": 1,
"severity": "低い",
"simple": -1,
@ -64,7 +64,7 @@
"category": "アプリケーションの展開",
"guid": "3acbe04b-be20-49d3-afda-47778424d116",
"ha": 1,
"link": "https://docs.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"severity": "中程度",
"simple": -1,
"subcategory": "コードとしてのインフラストラクチャ",
@ -74,7 +74,7 @@
"category": "BC および DR",
"guid": "36cb45e5-7960-4332-9bdf-8cc23318da61",
"ha": 1,
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"severity": "高い",
"subcategory": "災害復旧",
"text": "DRテストを定期的にスケジュールして実行する"
@ -83,7 +83,7 @@
"category": "BC および DR",
"guid": "170265f4-bb46-4a39-9af7-f317284797b1",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "中程度",
"subcategory": "高可用性",
"text": "Azure Traffic Manager または Azure Front Door をリージョン フェールオーバーのグローバル ロード バランサーとして使用する"
@ -93,7 +93,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(zones) | distinct id,compliant",
"guid": "578a219a-46be-4b54-9350-24922634292b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones",
"link": "https://learn.microsoft.com/azure/aks/availability-zones",
"severity": "中程度",
"subcategory": "高可用性",
"text": "可用性ゾーンが Azure リージョンでサポートされている場合は、その可用性ゾーンを使用する"
@ -104,7 +104,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
"guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
"ha": 2,
"link": "https://docs.microsoft.com/azure/aks/uptime-sla",
"link": "https://learn.microsoft.com/azure/aks/uptime-sla",
"severity": "高い",
"subcategory": "高可用性",
"text": "SLA でサポートされる AKS オファリングを使用する"
@ -113,7 +113,7 @@
"category": "BC および DR",
"guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "低い",
"simple": -1,
"subcategory": "高可用性",
@ -124,7 +124,7 @@
"cost": -1,
"guid": "3c763963-7a55-42d5-a15e-401955387e5c",
"ha": 1,
"link": "https://docs.microsoft.com/azure/container-registry/container-registry-geo-replication",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
"severity": "高い",
"subcategory": "高可用性",
"text": "プライベートレジストリを使用する場合は、複数のリージョンにイメージを格納するようにリージョンレプリケーションを構成します"
@ -142,7 +142,7 @@
"category": "コストガバナンス",
"cost": 1,
"guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"severity": "低い",
"subcategory": "費用",
"text": "kubecost などの外部アプリケーションを使用して、さまざまなユーザーにコストを割り当てる"
@ -187,7 +187,7 @@
"category": "ガバナンスとセキュリティ",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
"guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
"link": "https://docs.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"security": 1,
"severity": "中程度",
"simple": -1,
@ -199,7 +199,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
"guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"security": 1,
"severity": "中程度",
"simple": -1,
@ -210,7 +210,7 @@
"category": "ガバナンスとセキュリティ",
"guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"severity": "低い",
"simple": -1,
"subcategory": "コンプライアンス",
@ -219,7 +219,7 @@
{
"category": "ガバナンスとセキュリティ",
"guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
"link": "https://docs.microsoft.com/azure/container-registry/",
"link": "https://learn.microsoft.com/azure/container-registry/",
"security": 1,
"severity": "中程度",
"simple": -1,
@ -230,7 +230,7 @@
"category": "ガバナンスとセキュリティ",
"cost": -1,
"guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "中程度",
"subcategory": "コンプライアンス",
@ -240,7 +240,7 @@
"category": "ガバナンスとセキュリティ",
"cost": -1,
"guid": "cc639637-a652-42ac-89e8-06965388e9de",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "中程度",
"subcategory": "コンプライアンス",
@ -259,7 +259,7 @@
{
"category": "ガバナンスとセキュリティ",
"guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"security": 1,
"severity": "高い",
"subcategory": "コンプライアンス",
@ -278,7 +278,7 @@
{
"category": "ガバナンスとセキュリティ",
"guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
"link": "https://docs.microsoft.com/azure/aks/update-credentials",
"link": "https://learn.microsoft.com/azure/aks/update-credentials",
"security": 1,
"severity": "高い",
"subcategory": "秘密",
@ -318,7 +318,7 @@
"category": "ID およびアクセス管理",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
"guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
"link": "https://docs.microsoft.com/azure/aks/use-managed-identity",
"link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
"severity": "高い",
"simple": 1,
"subcategory": "同一性",
@ -328,7 +328,7 @@
"category": "ID およびアクセス管理",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
"guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
"link": "https://docs.microsoft.com/azure/aks/managed-aad",
"link": "https://learn.microsoft.com/azure/aks/managed-aad",
"severity": "中程度",
"simple": 1,
"subcategory": "同一性",
@ -337,7 +337,7 @@
{
"category": "ID およびアクセス管理",
"guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
"link": "https://docs.microsoft.com/azure/aks/control-kubeconfig-access",
"link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
"security": 1,
"severity": "中程度",
"simple": -1,
@ -347,7 +347,7 @@
{
"category": "ID およびアクセス管理",
"guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
"link": "https://docs.microsoft.com/azure/aks/manage-azure-rbac",
"link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
"security": 1,
"severity": "中程度",
"simple": -1,
@ -358,7 +358,7 @@
"category": "ID およびアクセス管理",
"guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-identity",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
"security": 1,
"severity": "高い",
"simple": -1,
@ -450,7 +450,7 @@
"category": "ネットワーク トポロジと接続性",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
"guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
"link": "https://docs.microsoft.com/azure/aks/http-application-routing",
"link": "https://learn.microsoft.com/azure/aks/http-application-routing",
"scale": 1,
"severity": "高い",
"simple": -1,
@ -472,7 +472,7 @@
"category": "ネットワーク トポロジと接続性",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
"guid": "ba7da7be-9952-4914-a384-5d997cb39132",
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"scale": 1,
"severity": "高い",
"subcategory": "おすすめの方法",
@ -491,7 +491,7 @@
{
"category": "ネットワーク トポロジと接続性",
"guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
"link": "https://docs.microsoft.com/azure/private-link/private-link-overview",
"link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
"security": 1,
"severity": "中程度",
"simple": -1,
@ -503,7 +503,7 @@
"cost": -1,
"guid": "e8a03f97-8794-468d-96a7-86d60f96c97b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"severity": "中程度",
"subcategory": "は",
"text": "ハイブリッド接続が必要な場合は、2xER または ER+VPN を使用して可用性を向上させます"
@ -512,7 +512,7 @@
"category": "ネットワーク トポロジと接続性",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
"guid": "a0f61565-9de5-458f-a372-49c831112dbd",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"severity": "高い",
"simple": 1,
"subcategory": "ティッカー",
@ -521,7 +521,7 @@
{
"category": "ネットワーク トポロジと接続性",
"guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "高い",
"subcategory": "ティッカー",
@ -530,7 +530,7 @@
{
"category": "ネットワーク トポロジと接続性",
"guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "高い",
"simple": -1,
@ -541,7 +541,7 @@
"category": "ネットワーク トポロジと接続性",
"description": "内部アプリの場合、組織は多くの場合、ファイアウォールで AKS サブネット全体を開きます。これにより、ノードへのネットワーク アクセスも開かれ、ポッドへのネットワーク アクセスも可能になる可能性があります (Azure CNI を使用している場合)。LoadBalancer IP が別のサブネットにある場合は、この IP のみをアプリ クライアントで使用できる必要があります。別の理由は、AKS サブネット内の IP アドレスが不足しているリソースである場合、その IP アドレスをサービスに使用すると、クラスターの最大スケーラビリティが低下することです。",
"guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
"link": "https://docs.microsoft.com/azure/aks/internal-lb",
"link": "https://learn.microsoft.com/azure/aks/internal-lb",
"security": 1,
"severity": "低い",
"simple": -1,
@ -551,7 +551,7 @@
{
"category": "ネットワーク トポロジと接続性",
"guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "高い",
"subcategory": "ティッカー",
@ -580,7 +580,7 @@
{
"category": "ネットワーク トポロジと接続性",
"guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
"link": "https://docs.microsoft.com/azure/aks/concepts-network",
"link": "https://learn.microsoft.com/azure/aks/concepts-network",
"scale": 1,
"severity": "中程度",
"simple": -1,
@ -611,7 +611,7 @@
"category": "ネットワーク トポロジと接続性",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
"guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
"link": "https://docs.microsoft.com/azure/aks/limit-egress-traffic",
"link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
"security": 2,
"severity": "高い",
"simple": -2,
@ -622,7 +622,7 @@
"category": "ネットワーク トポロジと接続性",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
"guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
"link": "https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"security": 1,
"severity": "中程度",
"simple": -1,
@ -633,7 +633,7 @@
"category": "ネットワーク トポロジと接続性",
"graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
"guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
"link": "https://docs.microsoft.com/azure/aks/private-clusters",
"link": "https://learn.microsoft.com/azure/aks/private-clusters",
"security": 1,
"severity": "高い",
"simple": -1,
@ -655,7 +655,7 @@
"category": "ネットワーク トポロジと接続性",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
"guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
"link": "https://docs.microsoft.com/azure/aks/use-network-policies",
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"security": 1,
"severity": "高い",
"subcategory": "安全",
@ -664,7 +664,7 @@
{
"category": "ネットワーク トポロジと接続性",
"guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 1,
"severity": "高い",
"simple": -1,
@ -675,7 +675,7 @@
"category": "ネットワーク トポロジと接続性",
"cost": -1,
"guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 2,
"severity": "高い",
"simple": -1,
@ -687,7 +687,7 @@
"cost": -2,
"graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
"guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
"link": "https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
"security": 2,
"severity": "中程度",
"subcategory": "安全",
@ -707,7 +707,7 @@
{
"category": "ネットワーク トポロジと接続性",
"guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
"link": "https://docs.microsoft.com/azure/aks/servicemesh-about",
"link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
"security": 1,
"severity": "中程度",
"simple": -2,
@ -718,7 +718,7 @@
"category": "オペレーションズ",
"guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"severity": "高い",
"simple": -1,
"subcategory": "警告",
@ -728,7 +728,7 @@
"category": "オペレーションズ",
"guid": "337453a3-cc63-4963-9a65-22ac19e80696",
"ha": 1,
"link": "https://docs.microsoft.com/azure/advisor/advisor-get-started",
"link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
"severity": "低い",
"simple": -1,
"subcategory": "コンプライアンス",
@ -737,7 +737,7 @@
{
"category": "オペレーションズ",
"guid": "5388e9de-d167-4dd1-a2b0-ac241b999a64",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "低い",
"simple": 1,
"subcategory": "コンプライアンス",
@ -755,7 +755,7 @@
{
"category": "オペレーションズ",
"guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
"link": "https://docs.microsoft.com/azure/aks/supported-kubernetes-versions",
"link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
"security": 1,
"severity": "高い",
"simple": -1,
@ -765,7 +765,7 @@
{
"category": "オペレーションズ",
"guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
"link": "https://docs.microsoft.com/azure/aks/node-updates-kured",
"link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
"severity": "高い",
"simple": -1,
"subcategory": "コンプライアンス",
@ -774,7 +774,7 @@
{
"category": "オペレーションズ",
"guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
"link": "https://docs.microsoft.com/azure/aks/node-image-upgrade",
"link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
"security": 1,
"severity": "高い",
"simple": -1,
@ -784,7 +784,7 @@
{
"category": "オペレーションズ",
"guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"severity": "低い",
"subcategory": "コンプライアンス",
"text": "アプリケーションまたはクラスター構成を複数のクラスターにデプロイするための gitops を検討する"
@ -809,7 +809,7 @@
{
"category": "オペレーションズ",
"guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
"link": "https://docs.microsoft.com/azure/aks/faq",
"link": "https://learn.microsoft.com/azure/aks/faq",
"security": 1,
"severity": "高い",
"subcategory": "コンプライアンス",
@ -819,7 +819,7 @@
"category": "オペレーションズ",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
"guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"severity": "低い",
"simple": 1,
"subcategory": "コンプライアンス",
@ -839,7 +839,7 @@
"category": "オペレーションズ",
"guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
"ha": 1,
"link": "https://docs.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"severity": "低い",
"simple": -1,
"subcategory": "コンプライアンス",
@ -848,7 +848,7 @@
{
"category": "オペレーションズ",
"guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
"link": "https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"severity": "低い",
"subcategory": "コンプライアンス",
"text": "Windowsコンテナのパッチレベルをホストパッチレベルと同期させる"
@ -859,7 +859,7 @@
"description": "クラスター レベルでの診断設定経由",
"guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/monitor-aks",
"link": "https://learn.microsoft.com/azure/aks/monitor-aks",
"severity": "低い",
"subcategory": "コンプライアンス",
"text": "マスター ログ (API ログ) を Azure Monitor または任意のログ管理ソリューションに送信する"
@ -868,7 +868,7 @@
"category": "オペレーションズ",
"cost": 1,
"guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
"link": "https://docs.microsoft.com/azure/aks/spot-node-pool",
"link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
"severity": "低い",
"simple": -1,
"subcategory": "費用",
@ -878,7 +878,7 @@
"category": "オペレーションズ",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
"guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "低い",
"simple": -1,
@ -889,7 +889,7 @@
"category": "オペレーションズ",
"guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "高い",
"simple": -1,
"subcategory": "モニタリング",
@ -900,7 +900,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
"guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "高い",
"simple": -1,
"subcategory": "モニタリング",
@ -910,7 +910,7 @@
"category": "オペレーションズ",
"guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"severity": "中程度",
"simple": -1,
"subcategory": "モニタリング",
@ -920,7 +920,7 @@
"category": "オペレーションズ",
"guid": "1a4835ac-9422-423e-ae80-b123081a5417",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"severity": "中程度",
"simple": -1,
"subcategory": "モニタリング",
@ -931,7 +931,7 @@
"description": "OS ディスク内の I/O は重要なリソースです。ノード内の OS が I/O で調整されると、予期しない動作が発生する可能性があり、通常はノードが NotReady と宣言されることになります。",
"guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/virtual-machines/premium-storage-performance",
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
"severity": "中程度",
"simple": -1,
"subcategory": "モニタリング",
@ -941,7 +941,7 @@
"category": "オペレーションズ",
"guid": "be209d39-fda4-4777-a424-d116785c2fa5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"severity": "中程度",
"simple": -1,
"subcategory": "モニタリング",
@ -951,7 +951,7 @@
"category": "オペレーションズ",
"guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/aks-resource-health",
"link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
"severity": "中程度",
"subcategory": "モニタリング",
"text": "AKS クラスターのリソース正常性通知をサブスクライブする"
@ -960,7 +960,7 @@
"category": "オペレーションズ",
"guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "高い",
"simple": -1,
"subcategory": "リソース",
@ -970,7 +970,7 @@
"category": "オペレーションズ",
"guid": "769ef669-1a48-435a-a942-223ece80b123",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "中程度",
"simple": -1,
"subcategory": "リソース",
@ -980,7 +980,7 @@
"category": "オペレーションズ",
"cost": 1,
"guid": "081a5417-4158-433e-a3ad-3c2de733165c",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "高い",
"subcategory": "リソース",
"text": "サブスクリプションにノードプールをスケールアウトするのに十分なクォータがあることを確認する"
@ -991,7 +991,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
"guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"severity": "中程度",
"subcategory": "拡張性",
"text": "クラスター オートスケーラーを使用する"
@ -1010,7 +1010,7 @@
{
"category": "オペレーションズ",
"guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "中程度",
"simple": -1,
@ -1068,7 +1068,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
"guid": "24367b33-6971-45b1-952b-eee0b9b588de",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"scale": 1,
"severity": "高い",
"subcategory": "貯蔵",
@ -1078,7 +1078,7 @@
"category": "オペレーションズ",
"cost": -1,
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"scale": 1,
"severity": "高い",
"subcategory": "貯蔵",
@ -1098,7 +1098,7 @@
"category": "オペレーションズ",
"guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "中程度",
"simple": -1,
"subcategory": "貯蔵",
@ -1108,7 +1108,7 @@
"category": "オペレーションズ",
"cost": -1,
"guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-storage",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
"scale": 1,
"severity": "中程度",
"subcategory": "貯蔵",
@ -1118,7 +1118,7 @@
"category": "オペレーションズ",
"guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"severity": "中程度",
"simple": -1,
"subcategory": "貯蔵",

144
checklists/aks_checklist.ko.json
Просмотреть файл

@ -27,7 +27,7 @@
"category": "응용 프로그램 배포",
"cost": 1,
"guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"severity": "보통",
"subcategory": "발달",
"text": "카나리아 또는 블루/그린 배포 사용"
@ -44,7 +44,7 @@
{
"category": "응용 프로그램 배포",
"guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
"link": "https://docs.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"scale": 1,
"severity": "낮다",
"simple": -1,
@ -64,7 +64,7 @@
"category": "응용 프로그램 배포",
"guid": "3acbe04b-be20-49d3-afda-47778424d116",
"ha": 1,
"link": "https://docs.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"severity": "보통",
"simple": -1,
"subcategory": "코드형 인프라",
@ -74,7 +74,7 @@
"category": "BC 및 DR",
"guid": "36cb45e5-7960-4332-9bdf-8cc23318da61",
"ha": 1,
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"severity": "높다",
"subcategory": "재해 복구",
"text": "정기적으로 DR 테스트 예약 및 수행"
@ -83,7 +83,7 @@
"category": "BC 및 DR",
"guid": "170265f4-bb46-4a39-9af7-f317284797b1",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "보통",
"subcategory": "고가용성",
"text": "Azure 트래픽 관리자 또는 Azure Front Door를 지역 장애 조치(failover)를 위한 전역 부하 분산 장치로 사용"
@ -93,7 +93,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(zones) | distinct id,compliant",
"guid": "578a219a-46be-4b54-9350-24922634292b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones",
"link": "https://learn.microsoft.com/azure/aks/availability-zones",
"severity": "보통",
"subcategory": "고가용성",
"text": "Azure 지역에서 지원되는 경우 가용성 영역 사용"
@ -104,7 +104,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
"guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
"ha": 2,
"link": "https://docs.microsoft.com/azure/aks/uptime-sla",
"link": "https://learn.microsoft.com/azure/aks/uptime-sla",
"severity": "높다",
"subcategory": "고가용성",
"text": "SLA 지원 AKS 제품 사용"
@ -113,7 +113,7 @@
"category": "BC 및 DR",
"guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "낮다",
"simple": -1,
"subcategory": "고가용성",
@ -124,7 +124,7 @@
"cost": -1,
"guid": "3c763963-7a55-42d5-a15e-401955387e5c",
"ha": 1,
"link": "https://docs.microsoft.com/azure/container-registry/container-registry-geo-replication",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
"severity": "높다",
"subcategory": "고가용성",
"text": "개인 레지스트리를 사용하는 경우 여러 지역에 이미지를 저장하도록 지역 복제를 구성합니다."
@ -142,7 +142,7 @@
"category": "비용 거버넌스",
"cost": 1,
"guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"severity": "낮다",
"subcategory": "비용",
"text": "kubecost와 같은 외부 애플리케이션을 사용하여 다른 사용자에게 비용을 할당합니다."
@ -187,7 +187,7 @@
"category": "거버넌스 및 보안",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
"guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
"link": "https://docs.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"security": 1,
"severity": "보통",
"simple": -1,
@ -199,7 +199,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
"guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"security": 1,
"severity": "보통",
"simple": -1,
@ -210,7 +210,7 @@
"category": "거버넌스 및 보안",
"guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"severity": "낮다",
"simple": -1,
"subcategory": "컴플라이언스",
@ -219,7 +219,7 @@
{
"category": "거버넌스 및 보안",
"guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
"link": "https://docs.microsoft.com/azure/container-registry/",
"link": "https://learn.microsoft.com/azure/container-registry/",
"security": 1,
"severity": "보통",
"simple": -1,
@ -230,7 +230,7 @@
"category": "거버넌스 및 보안",
"cost": -1,
"guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "보통",
"subcategory": "컴플라이언스",
@ -240,7 +240,7 @@
"category": "거버넌스 및 보안",
"cost": -1,
"guid": "cc639637-a652-42ac-89e8-06965388e9de",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "보통",
"subcategory": "컴플라이언스",
@ -259,7 +259,7 @@
{
"category": "거버넌스 및 보안",
"guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"security": 1,
"severity": "높다",
"subcategory": "컴플라이언스",
@ -278,7 +278,7 @@
{
"category": "거버넌스 및 보안",
"guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
"link": "https://docs.microsoft.com/azure/aks/update-credentials",
"link": "https://learn.microsoft.com/azure/aks/update-credentials",
"security": 1,
"severity": "높다",
"subcategory": "비밀",
@ -318,7 +318,7 @@
"category": "ID 및 액세스 관리",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
"guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
"link": "https://docs.microsoft.com/azure/aks/use-managed-identity",
"link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
"severity": "높다",
"simple": 1,
"subcategory": "신원",
@ -328,7 +328,7 @@
"category": "ID 및 액세스 관리",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
"guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
"link": "https://docs.microsoft.com/azure/aks/managed-aad",
"link": "https://learn.microsoft.com/azure/aks/managed-aad",
"severity": "보통",
"simple": 1,
"subcategory": "신원",
@ -337,7 +337,7 @@
{
"category": "ID 및 액세스 관리",
"guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
"link": "https://docs.microsoft.com/azure/aks/control-kubeconfig-access",
"link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
"security": 1,
"severity": "보통",
"simple": -1,
@ -347,7 +347,7 @@
{
"category": "ID 및 액세스 관리",
"guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
"link": "https://docs.microsoft.com/azure/aks/manage-azure-rbac",
"link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
"security": 1,
"severity": "보통",
"simple": -1,
@ -358,7 +358,7 @@
"category": "ID 및 액세스 관리",
"guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-identity",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
"security": 1,
"severity": "높다",
"simple": -1,
@ -450,7 +450,7 @@
"category": "네트워크 토폴로지 및 연결",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
"guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
"link": "https://docs.microsoft.com/azure/aks/http-application-routing",
"link": "https://learn.microsoft.com/azure/aks/http-application-routing",
"scale": 1,
"severity": "높다",
"simple": -1,
@ -472,7 +472,7 @@
"category": "네트워크 토폴로지 및 연결",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
"guid": "ba7da7be-9952-4914-a384-5d997cb39132",
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"scale": 1,
"severity": "높다",
"subcategory": "권장사항",
@ -491,7 +491,7 @@
{
"category": "네트워크 토폴로지 및 연결",
"guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
"link": "https://docs.microsoft.com/azure/private-link/private-link-overview",
"link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
"security": 1,
"severity": "보통",
"simple": -1,
@ -503,7 +503,7 @@
"cost": -1,
"guid": "e8a03f97-8794-468d-96a7-86d60f96c97b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"severity": "보통",
"subcategory": "하",
"text": "하이브리드 연결이 필요한 경우 가용성 향상을 위해 2xER 또는 ER+VPN을 사용합니다."
@ -512,7 +512,7 @@
"category": "네트워크 토폴로지 및 연결",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
"guid": "a0f61565-9de5-458f-a372-49c831112dbd",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"severity": "높다",
"simple": 1,
"subcategory": "아이팜",
@ -521,7 +521,7 @@
{
"category": "네트워크 토폴로지 및 연결",
"guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "높다",
"subcategory": "아이팜",
@ -530,7 +530,7 @@
{
"category": "네트워크 토폴로지 및 연결",
"guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "높다",
"simple": -1,
@ -541,7 +541,7 @@
"category": "네트워크 토폴로지 및 연결",
"description": "내부 앱의 경우 조직은 방화벽에서 전체 AKS 서브넷을 여는 경우가 많습니다. 이렇게 하면 노드에 대한 네트워크 액세스도 열리고 잠재적으로 Pod에 대한 네트워크 액세스도 열립니다(Azure CNI를 사용하는 경우). LoadBalancer IP가 다른 서브넷에 있는 경우 앱 클라이언트에서 이 IP만 사용할 수 있어야 합니다. 또 다른 이유는 AKS 서브넷의 IP 주소가 부족한 리소스인 경우 서비스에 해당 IP 주소를 사용하면 클러스터의 최대 확장성이 감소하기 때문입니다.",
"guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
"link": "https://docs.microsoft.com/azure/aks/internal-lb",
"link": "https://learn.microsoft.com/azure/aks/internal-lb",
"security": 1,
"severity": "낮다",
"simple": -1,
@ -551,7 +551,7 @@
{
"category": "네트워크 토폴로지 및 연결",
"guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "높다",
"subcategory": "아이팜",
@ -580,7 +580,7 @@
{
"category": "네트워크 토폴로지 및 연결",
"guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
"link": "https://docs.microsoft.com/azure/aks/concepts-network",
"link": "https://learn.microsoft.com/azure/aks/concepts-network",
"scale": 1,
"severity": "보통",
"simple": -1,
@ -611,7 +611,7 @@
"category": "네트워크 토폴로지 및 연결",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
"guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
"link": "https://docs.microsoft.com/azure/aks/limit-egress-traffic",
"link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
"security": 2,
"severity": "높다",
"simple": -2,
@ -622,7 +622,7 @@
"category": "네트워크 토폴로지 및 연결",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
"guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
"link": "https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"security": 1,
"severity": "보통",
"simple": -1,
@ -633,7 +633,7 @@
"category": "네트워크 토폴로지 및 연결",
"graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
"guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
"link": "https://docs.microsoft.com/azure/aks/private-clusters",
"link": "https://learn.microsoft.com/azure/aks/private-clusters",
"security": 1,
"severity": "높다",
"simple": -1,
@ -655,7 +655,7 @@
"category": "네트워크 토폴로지 및 연결",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
"guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
"link": "https://docs.microsoft.com/azure/aks/use-network-policies",
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"security": 1,
"severity": "높다",
"subcategory": "안전",
@ -664,7 +664,7 @@
{
"category": "네트워크 토폴로지 및 연결",
"guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 1,
"severity": "높다",
"simple": -1,
@ -675,7 +675,7 @@
"category": "네트워크 토폴로지 및 연결",
"cost": -1,
"guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 2,
"severity": "높다",
"simple": -1,
@ -687,7 +687,7 @@
"cost": -2,
"graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
"guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
"link": "https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
"security": 2,
"severity": "보통",
"subcategory": "안전",
@ -707,7 +707,7 @@
{
"category": "네트워크 토폴로지 및 연결",
"guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
"link": "https://docs.microsoft.com/azure/aks/servicemesh-about",
"link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
"security": 1,
"severity": "보통",
"simple": -2,
@ -718,7 +718,7 @@
"category": "작업",
"guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"severity": "높다",
"simple": -1,
"subcategory": "경고",
@ -728,7 +728,7 @@
"category": "작업",
"guid": "337453a3-cc63-4963-9a65-22ac19e80696",
"ha": 1,
"link": "https://docs.microsoft.com/azure/advisor/advisor-get-started",
"link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
"severity": "낮다",
"simple": -1,
"subcategory": "컴플라이언스",
@ -737,7 +737,7 @@
{
"category": "작업",
"guid": "5388e9de-d167-4dd1-a2b0-ac241b999a64",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "낮다",
"simple": 1,
"subcategory": "컴플라이언스",
@ -755,7 +755,7 @@
{
"category": "작업",
"guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
"link": "https://docs.microsoft.com/azure/aks/supported-kubernetes-versions",
"link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
"security": 1,
"severity": "높다",
"simple": -1,
@ -765,7 +765,7 @@
{
"category": "작업",
"guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
"link": "https://docs.microsoft.com/azure/aks/node-updates-kured",
"link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
"severity": "높다",
"simple": -1,
"subcategory": "컴플라이언스",
@ -774,7 +774,7 @@
{
"category": "작업",
"guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
"link": "https://docs.microsoft.com/azure/aks/node-image-upgrade",
"link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
"security": 1,
"severity": "높다",
"simple": -1,
@ -784,7 +784,7 @@
{
"category": "작업",
"guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"severity": "낮다",
"subcategory": "컴플라이언스",
"text": "응용 프로그램 또는 클러스터 구성을 여러 클러스터에 배포하기 위해 gitops 고려"
@ -809,7 +809,7 @@
{
"category": "작업",
"guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
"link": "https://docs.microsoft.com/azure/aks/faq",
"link": "https://learn.microsoft.com/azure/aks/faq",
"security": 1,
"severity": "높다",
"subcategory": "컴플라이언스",
@ -819,7 +819,7 @@
"category": "작업",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
"guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"severity": "낮다",
"simple": 1,
"subcategory": "컴플라이언스",
@ -839,7 +839,7 @@
"category": "작업",
"guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
"ha": 1,
"link": "https://docs.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"severity": "낮다",
"simple": -1,
"subcategory": "컴플라이언스",
@ -848,7 +848,7 @@
{
"category": "작업",
"guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
"link": "https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"severity": "낮다",
"subcategory": "컴플라이언스",
"text": "Windows 컨테이너 패치 수준을 호스트 패치 수준과 동기화된 상태로 유지"
@ -859,7 +859,7 @@
"description": "클러스터 수준에서 진단 설정을 통해",
"guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/monitor-aks",
"link": "https://learn.microsoft.com/azure/aks/monitor-aks",
"severity": "낮다",
"subcategory": "컴플라이언스",
"text": "마스터 로그(API 로그라고도 함)를 Azure 모니터 또는 기본 설정 로그 관리 솔루션으로 보냅니다."
@ -868,7 +868,7 @@
"category": "작업",
"cost": 1,
"guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
"link": "https://docs.microsoft.com/azure/aks/spot-node-pool",
"link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
"severity": "낮다",
"simple": -1,
"subcategory": "비용",
@ -878,7 +878,7 @@
"category": "작업",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
"guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "낮다",
"simple": -1,
@ -889,7 +889,7 @@
"category": "작업",
"guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "높다",
"simple": -1,
"subcategory": "모니터링",
@ -900,7 +900,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
"guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "높다",
"simple": -1,
"subcategory": "모니터링",
@ -910,7 +910,7 @@
"category": "작업",
"guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"severity": "보통",
"simple": -1,
"subcategory": "모니터링",
@ -920,7 +920,7 @@
"category": "작업",
"guid": "1a4835ac-9422-423e-ae80-b123081a5417",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"severity": "보통",
"simple": -1,
"subcategory": "모니터링",
@ -931,7 +931,7 @@
"description": "OS 디스크의 I/O는 중요한 리소스입니다. 노드의 OS가 I/O에서 제한되면 예기치 않은 동작이 발생할 수 있으며 일반적으로 노드가 NotReady로 선언됩니다.",
"guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/virtual-machines/premium-storage-performance",
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
"severity": "보통",
"simple": -1,
"subcategory": "모니터링",
@ -941,7 +941,7 @@
"category": "작업",
"guid": "be209d39-fda4-4777-a424-d116785c2fa5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"severity": "보통",
"simple": -1,
"subcategory": "모니터링",
@ -951,7 +951,7 @@
"category": "작업",
"guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/aks-resource-health",
"link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
"severity": "보통",
"subcategory": "모니터링",
"text": "AKS 클러스터에 대한 리소스 상태 알림 구독"
@ -960,7 +960,7 @@
"category": "작업",
"guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "높다",
"simple": -1,
"subcategory": "리소스",
@ -970,7 +970,7 @@
"category": "작업",
"guid": "769ef669-1a48-435a-a942-223ece80b123",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "보통",
"simple": -1,
"subcategory": "리소스",
@ -980,7 +980,7 @@
"category": "작업",
"cost": 1,
"guid": "081a5417-4158-433e-a3ad-3c2de733165c",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "높다",
"subcategory": "리소스",
"text": "구독에 노드 풀을 확장하기에 충분한 할당량이 있는지 확인"
@ -991,7 +991,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
"guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"severity": "보통",
"subcategory": "확장성",
"text": "클러스터 자동 크기 조정기 사용"
@ -1010,7 +1010,7 @@
{
"category": "작업",
"guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "보통",
"simple": -1,
@ -1068,7 +1068,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
"guid": "24367b33-6971-45b1-952b-eee0b9b588de",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"scale": 1,
"severity": "높다",
"subcategory": "보관",
@ -1078,7 +1078,7 @@
"category": "작업",
"cost": -1,
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"scale": 1,
"severity": "높다",
"subcategory": "보관",
@ -1098,7 +1098,7 @@
"category": "작업",
"guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "보통",
"simple": -1,
"subcategory": "보관",
@ -1108,7 +1108,7 @@
"category": "작업",
"cost": -1,
"guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-storage",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
"scale": 1,
"severity": "보통",
"subcategory": "보관",
@ -1118,7 +1118,7 @@
"category": "작업",
"guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"severity": "보통",
"simple": -1,
"subcategory": "보관",

144
checklists/aks_checklist.pt.json
Просмотреть файл

@ -27,7 +27,7 @@
"category": "Implantação de aplicativos",
"cost": 1,
"guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"severity": "Média",
"subcategory": "Desenvolvimento",
"text": "Usar implantações canárias ou azuis/verdes"
@ -44,7 +44,7 @@
{
"category": "Implantação de aplicativos",
"guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
"link": "https://docs.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
"scale": 1,
"severity": "Baixo",
"simple": -1,
@ -64,7 +64,7 @@
"category": "Implantação de aplicativos",
"guid": "3acbe04b-be20-49d3-afda-47778424d116",
"ha": 1,
"link": "https://docs.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks",
"severity": "Média",
"simple": -1,
"subcategory": "Infraestrutura como código",
@ -74,7 +74,7 @@
"category": "BC e DR",
"guid": "36cb45e5-7960-4332-9bdf-8cc23318da61",
"ha": 1,
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery",
"severity": "Alto",
"subcategory": "Recuperação de desastres",
"text": "Agende e realize testes de DR regularmente"
@ -83,7 +83,7 @@
"category": "BC e DR",
"guid": "170265f4-bb46-4a39-9af7-f317284797b1",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "Média",
"subcategory": "Alta disponibilidade",
"text": "Usar o Gerenciador de Tráfego do Azure ou o Azure Front Door como um balanceador de carga global para failover de região"
@ -93,7 +93,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(zones) | distinct id,compliant",
"guid": "578a219a-46be-4b54-9350-24922634292b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones",
"link": "https://learn.microsoft.com/azure/aks/availability-zones",
"severity": "Média",
"subcategory": "Alta disponibilidade",
"text": "Usar Zonas de Disponibilidade se elas tiverem suporte em sua região do Azure"
@ -104,7 +104,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
"guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
"ha": 2,
"link": "https://docs.microsoft.com/azure/aks/uptime-sla",
"link": "https://learn.microsoft.com/azure/aks/uptime-sla",
"severity": "Alto",
"subcategory": "Alta disponibilidade",
"text": "Use a oferta AKS apoiada por SLA"
@ -113,7 +113,7 @@
"category": "BC e DR",
"guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Baixo",
"simple": -1,
"subcategory": "Alta disponibilidade",
@ -124,7 +124,7 @@
"cost": -1,
"guid": "3c763963-7a55-42d5-a15e-401955387e5c",
"ha": 1,
"link": "https://docs.microsoft.com/azure/container-registry/container-registry-geo-replication",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
"severity": "Alto",
"subcategory": "Alta disponibilidade",
"text": "Se estiver usando um registro privado, configure a replicação de região para armazenar imagens em várias regiões"
@ -142,7 +142,7 @@
"category": "Governança de Custos",
"cost": 1,
"guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
"severity": "Baixo",
"subcategory": "Custar",
"text": "Use um aplicativo externo, como o kubecost, para alocar custos para diferentes usuários"
@ -187,7 +187,7 @@
"category": "Governança e Segurança",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
"guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
"link": "https://docs.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
"security": 1,
"severity": "Média",
"simple": -1,
@ -199,7 +199,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
"guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"security": 1,
"severity": "Média",
"simple": -1,
@ -210,7 +210,7 @@
"category": "Governança e Segurança",
"guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/use-system-pools",
"link": "https://learn.microsoft.com/azure/aks/use-system-pools",
"severity": "Baixo",
"simple": -1,
"subcategory": "Conformidade",
@ -219,7 +219,7 @@
{
"category": "Governança e Segurança",
"guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
"link": "https://docs.microsoft.com/azure/container-registry/",
"link": "https://learn.microsoft.com/azure/container-registry/",
"security": 1,
"severity": "Média",
"simple": -1,
@ -230,7 +230,7 @@
"category": "Governança e Segurança",
"cost": -1,
"guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "Média",
"subcategory": "Conformidade",
@ -240,7 +240,7 @@
"category": null,
"cost": -1,
"guid": "cc639637-a652-42ac-89e8-06965388e9de",
"link": "https://docs.microsoft.com/azure/security-center/container-security",
"link": "https://learn.microsoft.com/azure/security-center/container-security",
"security": 1,
"severity": "Média",
"subcategory": "Conformidade",
@ -259,7 +259,7 @@
{
"category": "Governança e Segurança",
"guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
"security": 1,
"severity": "Alto",
"subcategory": "Conformidade",
@ -278,7 +278,7 @@
{
"category": "Governança e Segurança",
"guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
"link": "https://docs.microsoft.com/azure/aks/update-credentials",
"link": "https://learn.microsoft.com/azure/aks/update-credentials",
"security": 1,
"severity": "Alto",
"subcategory": "Segredos",
@ -318,7 +318,7 @@
"category": "Gerenciamento de Identidade e Acesso",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
"guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
"link": "https://docs.microsoft.com/azure/aks/use-managed-identity",
"link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
"severity": "Alto",
"simple": 1,
"subcategory": "Identidade",
@ -328,7 +328,7 @@
"category": "Gerenciamento de Identidade e Acesso",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
"guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
"link": "https://docs.microsoft.com/azure/aks/managed-aad",
"link": "https://learn.microsoft.com/azure/aks/managed-aad",
"severity": "Média",
"simple": 1,
"subcategory": "Identidade",
@ -337,7 +337,7 @@
{
"category": "Gerenciamento de Identidade e Acesso",
"guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
"link": "https://docs.microsoft.com/azure/aks/control-kubeconfig-access",
"link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
"security": 1,
"severity": "Média",
"simple": -1,
@ -347,7 +347,7 @@
{
"category": "Gerenciamento de Identidade e Acesso",
"guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
"link": "https://docs.microsoft.com/azure/aks/manage-azure-rbac",
"link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
"security": 1,
"severity": "Média",
"simple": -1,
@ -358,7 +358,7 @@
"category": "Gerenciamento de Identidade e Acesso",
"guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-identity",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -450,7 +450,7 @@
"category": "Topologia e conectividade de rede",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
"guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
"link": "https://docs.microsoft.com/azure/aks/http-application-routing",
"link": "https://learn.microsoft.com/azure/aks/http-application-routing",
"scale": 1,
"severity": "Alto",
"simple": -1,
@ -472,7 +472,7 @@
"category": "Topologia e conectividade de rede",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
"guid": "ba7da7be-9952-4914-a384-5d997cb39132",
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"scale": 1,
"severity": "Alto",
"subcategory": "Práticas recomendadas",
@ -491,7 +491,7 @@
{
"category": "Topologia e conectividade de rede",
"guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
"link": "https://docs.microsoft.com/azure/private-link/private-link-overview",
"link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
"security": 1,
"severity": "Média",
"simple": -1,
@ -503,7 +503,7 @@
"cost": -1,
"guid": "e8a03f97-8794-468d-96a7-86d60f96c97b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
"severity": "Média",
"subcategory": "HA",
"text": "Se a conectividade híbrida for necessária, use 2xER ou ER+VPN para melhor disponibilidade"
@ -512,7 +512,7 @@
"category": "Topologia e conectividade de rede",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
"guid": "a0f61565-9de5-458f-a372-49c831112dbd",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"severity": "Alto",
"simple": 1,
"subcategory": "IPAM",
@ -521,7 +521,7 @@
{
"category": "Topologia e conectividade de rede",
"guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "Alto",
"subcategory": "IPAM",
@ -530,7 +530,7 @@
{
"category": "Topologia e conectividade de rede",
"guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "Alto",
"simple": -1,
@ -541,7 +541,7 @@
"category": "Topologia e conectividade de rede",
"description": "Para aplicativos internos, as organizações geralmente abrem toda a sub-rede AKS em seus firewalls. Isso também abre o acesso de rede aos nós e, potencialmente, aos pods também (se estiver usando a CNI do Azure). Se os IPs do LoadBalancer estiverem em uma sub-rede diferente, somente este precisará estar disponível para os clientes do aplicativo. Outra razão é que, se os endereços IP na sub-rede AKS forem um recurso escasso, consumir seus endereços IP para serviços reduzirá a escalabilidade máxima do cluster.",
"guid": "13c00567-4b1e-4945-a459-c373e7ed6162",
"link": "https://docs.microsoft.com/azure/aks/internal-lb",
"link": "https://learn.microsoft.com/azure/aks/internal-lb",
"security": 1,
"severity": "Baixo",
"simple": -1,
@ -551,7 +551,7 @@
{
"category": "Topologia e conectividade de rede",
"guid": "43f63047-22d9-429c-8b1c-d622f54b29ba",
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"scale": 1,
"severity": "Alto",
"subcategory": "IPAM",
@ -580,7 +580,7 @@
{
"category": "Topologia e conectividade de rede",
"guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
"link": "https://docs.microsoft.com/azure/aks/concepts-network",
"link": "https://learn.microsoft.com/azure/aks/concepts-network",
"scale": 1,
"severity": "Média",
"simple": -1,
@ -611,7 +611,7 @@
"category": "Topologia e conectividade de rede",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
"guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
"link": "https://docs.microsoft.com/azure/aks/limit-egress-traffic",
"link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
"security": 2,
"severity": "Alto",
"simple": -2,
@ -622,7 +622,7 @@
"category": "Topologia e conectividade de rede",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
"guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
"link": "https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
"security": 1,
"severity": "Média",
"simple": -1,
@ -633,7 +633,7 @@
"category": "Topologia e conectividade de rede",
"graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
"guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
"link": "https://docs.microsoft.com/azure/aks/private-clusters",
"link": "https://learn.microsoft.com/azure/aks/private-clusters",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -655,7 +655,7 @@
"category": "Topologia e conectividade de rede",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
"guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
"link": "https://docs.microsoft.com/azure/aks/use-network-policies",
"link": "https://learn.microsoft.com/azure/aks/use-network-policies",
"security": 1,
"severity": "Alto",
"subcategory": "Segurança",
@ -664,7 +664,7 @@
{
"category": "Topologia e conectividade de rede",
"guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -675,7 +675,7 @@
"category": "Topologia e conectividade de rede",
"cost": -1,
"guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-network",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
"security": 2,
"severity": "Alto",
"simple": -1,
@ -687,7 +687,7 @@
"cost": -2,
"graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
"guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
"link": "https://docs.microsoft.com/azure/virtual-network/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
"security": 2,
"severity": "Média",
"subcategory": "Segurança",
@ -707,7 +707,7 @@
{
"category": "Topologia e conectividade de rede",
"guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
"link": "https://docs.microsoft.com/azure/aks/servicemesh-about",
"link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
"security": 1,
"severity": "Média",
"simple": -2,
@ -718,7 +718,7 @@
"category": "Operações",
"guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
"severity": "Alto",
"simple": -1,
"subcategory": "Alertando",
@ -728,7 +728,7 @@
"category": "Operações",
"guid": "337453a3-cc63-4963-9a65-22ac19e80696",
"ha": 1,
"link": "https://docs.microsoft.com/azure/advisor/advisor-get-started",
"link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
"severity": "Baixo",
"simple": -1,
"subcategory": "Conformidade",
@ -737,7 +737,7 @@
{
"category": "Operações",
"guid": "5388e9de-d167-4dd1-a2b0-ac241b999a64",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Baixo",
"simple": 1,
"subcategory": "Conformidade",
@ -755,7 +755,7 @@
{
"category": "Operações",
"guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
"link": "https://docs.microsoft.com/azure/aks/supported-kubernetes-versions",
"link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -765,7 +765,7 @@
{
"category": "Operações",
"guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
"link": "https://docs.microsoft.com/azure/aks/node-updates-kured",
"link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
"severity": "Alto",
"simple": -1,
"subcategory": "Conformidade",
@ -774,7 +774,7 @@
{
"category": "Operações",
"guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
"link": "https://docs.microsoft.com/azure/aks/node-image-upgrade",
"link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
"security": 1,
"severity": "Alto",
"simple": -1,
@ -784,7 +784,7 @@
{
"category": "Operações",
"guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
"severity": "Baixo",
"subcategory": "Conformidade",
"text": "Considere gitops para implantar aplicativos ou configuração de cluster em vários clusters"
@ -809,7 +809,7 @@
{
"category": "Operações",
"guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
"link": "https://docs.microsoft.com/azure/aks/faq",
"link": "https://learn.microsoft.com/azure/aks/faq",
"security": 1,
"severity": "Alto",
"subcategory": "Conformidade",
@ -819,7 +819,7 @@
"category": "Operações",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
"guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"severity": "Baixo",
"simple": 1,
"subcategory": "Conformidade",
@ -839,7 +839,7 @@
"category": "Operações",
"guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
"ha": 1,
"link": "https://docs.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
"severity": "Baixo",
"simple": -1,
"subcategory": "Conformidade",
@ -848,7 +848,7 @@
{
"category": "Operações",
"guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
"link": "https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
"severity": "Baixo",
"subcategory": "Conformidade",
"text": "Mantenha o nível de patch dos contêineres do Windows em sincronia com o nível de patch do host"
@ -859,7 +859,7 @@
"description": "Por meio das Configurações de Diagnóstico no nível do cluster",
"guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/monitor-aks",
"link": "https://learn.microsoft.com/azure/aks/monitor-aks",
"severity": "Baixo",
"subcategory": "Conformidade",
"text": "Enviar logs mestres (também conhecidos como logs de API) para o Azure Monitor ou sua solução de gerenciamento de logs preferida"
@ -868,7 +868,7 @@
"category": "Operações",
"cost": 1,
"guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
"link": "https://docs.microsoft.com/azure/aks/spot-node-pool",
"link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
"severity": "Baixo",
"simple": -1,
"subcategory": "Custar",
@ -878,7 +878,7 @@
"category": "Operações",
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
"guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "Baixo",
"simple": -1,
@ -889,7 +889,7 @@
"category": "Operações",
"guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "Alto",
"simple": -1,
"subcategory": "Monitorização",
@ -900,7 +900,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
"guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
"severity": "Alto",
"simple": -1,
"subcategory": "Monitorização",
@ -910,7 +910,7 @@
"category": "Operações",
"guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
"ha": 1,
"link": "https://docs.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
"severity": "Média",
"simple": -1,
"subcategory": "Monitorização",
@ -920,7 +920,7 @@
"category": "Operações",
"guid": "1a4835ac-9422-423e-ae80-b123081a5417",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/configure-azure-cni",
"link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
"severity": "Média",
"simple": -1,
"subcategory": "Monitorização",
@ -931,7 +931,7 @@
"description": "A E/S no disco do sistema operacional é um recurso crítico. Se o sistema operacional nos nós for limitado na E/S, isso pode levar a um comportamento imprevisível, normalmente terminando no nó sendo declarado NotReady",
"guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
"ha": 1,
"link": "https://docs.microsoft.com/azure/virtual-machines/premium-storage-performance",
"link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
"severity": "Média",
"simple": -1,
"subcategory": "Monitorização",
@ -941,7 +941,7 @@
"category": "Operações",
"guid": "be209d39-fda4-4777-a424-d116785c2fa5",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/load-balancer-standard",
"link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
"severity": "Média",
"simple": -1,
"subcategory": "Monitorização",
@ -951,7 +951,7 @@
"category": "Operações",
"guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/aks-resource-health",
"link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
"severity": "Média",
"subcategory": "Monitorização",
"text": "Inscrever-se em notificações de integridade de recursos para seu cluster AKS"
@ -960,7 +960,7 @@
"category": "Operações",
"guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Alto",
"simple": -1,
"subcategory": "Recursos",
@ -970,7 +970,7 @@
"category": "Operações",
"guid": "769ef669-1a48-435a-a942-223ece80b123",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-scheduler",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
"severity": "Média",
"simple": -1,
"subcategory": "Recursos",
@ -980,7 +980,7 @@
"category": "Operações",
"cost": 1,
"guid": "081a5417-4158-433e-a3ad-3c2de733165c",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "Alto",
"subcategory": "Recursos",
"text": "Verifique se sua assinatura tem cota suficiente para expandir seus nodepools"
@ -991,7 +991,7 @@
"graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
"guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"severity": "Média",
"subcategory": "Escalabilidade",
"text": "Usar o Cluster Autoscaler"
@ -1010,7 +1010,7 @@
{
"category": "Operações",
"guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
"link": "https://docs.microsoft.com/azure/aks/concepts-scale",
"link": "https://learn.microsoft.com/azure/aks/concepts-scale",
"scale": 1,
"severity": "Média",
"simple": -1,
@ -1068,7 +1068,7 @@
"cost": -1,
"graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
"guid": "24367b33-6971-45b1-952b-eee0b9b588de",
"link": "https://docs.microsoft.com/azure/aks/cluster-configuration",
"link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
"scale": 1,
"severity": "Alto",
"subcategory": "Armazenamento",
@ -1078,7 +1078,7 @@
"category": "Operações",
"cost": -1,
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"scale": 1,
"severity": "Alto",
"subcategory": "Armazenamento",
@ -1098,7 +1098,7 @@
"category": "Operações",
"guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-multi-region",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
"severity": "Média",
"simple": -1,
"subcategory": "Armazenamento",
@ -1108,7 +1108,7 @@
"category": "Operações",
"cost": -1,
"guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/aks/operator-best-practices-storage",
"link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
"scale": 1,
"severity": "Média",
"subcategory": "Armazenamento",
@ -1118,7 +1118,7 @@
"category": "Operações",
"guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
"ha": 1,
"link": "https://docs.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
"severity": "Média",
"simple": -1,
"subcategory": "Armazenamento",

54
checklists/appsvc_security_checklist.en.json
Просмотреть файл

@ -8,7 +8,7 @@
"description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.",
"guid": "834ac932-223e-4ce8-8b12-3071a5416415",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references"
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references"
},
{
"category": "Security",
@ -17,7 +17,7 @@
"description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.",
"guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references"
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references"
},
{
"category": "Security",
@ -26,7 +26,7 @@
"description": "Store the App Service TLS certificate in Key Vault.",
"guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-certificate"
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate"
},
{
"category": "Security",
@ -35,7 +35,7 @@
"description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.",
"guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/app-service/overview-hosting-plans"
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans"
},
{
"category": "Security",
@ -44,7 +44,7 @@
"description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).",
"guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/app-service/operating-system-functionality#file-access"
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access"
},
{
"category": "Security",
@ -53,7 +53,7 @@
"description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.",
"guid": "919ca0b2-c121-459e-814b-933df574eccc",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/app-service/overview-authentication-authorization"
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization"
},
{
"category": "Security",
@ -62,7 +62,7 @@
"description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.",
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/deploy-best-practices"
"link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices"
},
{
"category": "Security",
@ -71,7 +71,7 @@
"description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.",
"guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication"
"link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication"
},
{
"category": "Security",
@ -80,7 +80,7 @@
"description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.",
"guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp"
"link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp"
},
{
"category": "Security",
@ -89,7 +89,7 @@
"description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.",
"guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry"
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry"
},
{
"category": "Security",
@ -98,7 +98,7 @@
"description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...",
"guid": "47768314-c115-4775-a2ea-55b46ad48408",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs"
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs"
},
{
"category": "Security",
@ -107,7 +107,7 @@
"description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
"guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log"
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log"
},
{
"category": "Security",
@ -116,7 +116,7 @@
"description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.",
"guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/app-service/overview-vnet-integration"
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration"
},
{
"category": "Security",
@ -125,7 +125,7 @@
"description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)",
"guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/app-service/networking/nat-gateway-integration"
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration"
},
{
"category": "Security",
@ -134,7 +134,7 @@
"description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.",
"guid": "0725769e-e669-41a4-a34a-c932223ece80",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions"
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions"
},
{
"category": "Security",
@ -143,7 +143,7 @@
"description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.",
"guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints"
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints"
},
{
"category": "Security",
@ -152,7 +152,7 @@
"description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.",
"guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions"
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions"
},
{
"category": "Security",
@ -161,7 +161,7 @@
"description": "Set minimum TLS policy to 1.2 in App Service configuration.",
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (isnull(properties.siteConfig.minTlsVersion) or properties.siteConfig.minTlsVersion=='1.2') | distinct id,compliant"
},
{
@ -171,7 +171,7 @@
"description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.",
"guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant"
},
{
@ -181,7 +181,7 @@
"description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.",
"guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api"
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api"
},
{
"category": "Security",
@ -190,7 +190,7 @@
"description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.",
"guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.siteConfig.remoteDebuggingEnabled!=true) | distinct id,compliant"
},
{
@ -200,7 +200,7 @@
"description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.",
"guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction"
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction"
},
{
"category": "Security",
@ -209,7 +209,7 @@
"description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behaviour. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
"guid": "223ece80-b123-4071-a541-6415833ea3ad",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview"
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "Security",
@ -218,7 +218,7 @@
"description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
"guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry"
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry"
},
{
"category": "Security",
@ -227,7 +227,7 @@
"description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.",
"guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing"
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "Security",
@ -236,7 +236,7 @@
"description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
"guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure"
"link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure"
},
{
"category": "Security",
@ -245,7 +245,7 @@
"description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
"guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
"severity": "High",
"link": "https://docs.microsoft.com/azure/app-service/overview-patch-os-runtime"
"link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime"
}
],
"categories": [

54
checklists/appsvc_security_checklist.es.json
Просмотреть файл

@ -10,7 +10,7 @@
"category": "Seguridad",
"description": "Use Azure Key Vault para almacenar los secretos que necesita la aplicación. Key Vault proporciona un entorno seguro y auditado para almacenar secretos y está bien integrado con App Service a través del SDK de Key Vault o las referencias de Key Vault del Servicio de aplicaciones.",
"guid": "834ac932-223e-4ce8-8b12-3071a5416415",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "Alto",
"subcategory": "Protección de datos",
"text": "Usar Key Vault para almacenar secretos"
@ -19,7 +19,7 @@
"category": "Seguridad",
"description": "Use una identidad administrada para conectarse al Almacén de claves mediante el SDK del Almacén de claves o a través de las referencias del Almacén de claves del Servicio de aplicaciones.",
"guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "Alto",
"subcategory": "Protección de datos",
"text": "Usar Managed Identity para conectarse a Key Vault"
@ -28,7 +28,7 @@
"category": "Seguridad",
"description": "Almacene el certificado TLS del Servicio de aplicaciones en el Almacén de claves.",
"guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-certificate",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
"severity": "Alto",
"subcategory": "Protección de datos",
"text": "Utilice Key Vault para almacenar el certificado TLS."
@ -37,7 +37,7 @@
"category": "Seguridad",
"description": "Los sistemas que procesan información confidencial deben estar aislados. Para ello, use planes del Servicio de aplicaciones o entornos del Servicio de aplicaciones independientes y considere el uso de diferentes suscripciones o grupos de administración.",
"guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
"link": "https://docs.microsoft.com/azure/app-service/overview-hosting-plans",
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
"severity": "Medio",
"subcategory": "Protección de datos",
"text": "Aislar los sistemas que procesan información confidencial"
@ -46,7 +46,7 @@
"category": "Seguridad",
"description": "Los discos locales del Servicio de aplicaciones no están cifrados y los datos confidenciales no deben almacenarse en ellos. (Por ejemplo: D:\\\\Local y %TMP%).",
"guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
"link": "https://docs.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"severity": "Medio",
"subcategory": "Protección de datos",
"text": "No almacene datos confidenciales en el disco local"
@ -55,7 +55,7 @@
"category": "Seguridad",
"description": "Para la aplicación web autenticada, use un proveedor de identidades bien establecido, como Azure AD o Azure AD B2C. Aproveche el marco de aplicación de su elección para integrarse con este proveedor o use la característica Autenticación/autorización del Servicio de aplicaciones.",
"guid": "919ca0b2-c121-459e-814b-933df574eccc",
"link": "https://docs.microsoft.com/azure/app-service/overview-authentication-authorization",
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
"severity": "Medio",
"subcategory": "Identidad y control de acceso",
"text": "Usar un proveedor de identidades establecido para la autenticación"
@ -64,7 +64,7 @@
"category": "Seguridad",
"description": "Implemente código en el Servicio de aplicaciones desde un entorno controlado y de confianza, como una canalización de implementación de DevOps bien administrada y segura. Esto evita el código que no estaba controlado por la versión y se verificó que se implementara desde un host malintencionado.",
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
"link": "https://docs.microsoft.com/azure/app-service/deploy-best-practices",
"link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
"severity": "Alto",
"subcategory": "Identidad y control de acceso",
"text": "Implementación desde un entorno de confianza"
@ -73,7 +73,7 @@
"category": "Seguridad",
"description": "Deshabilite la autenticación básica tanto para FTP/FTPS como para WebDeploy/SCM. Esto deshabilita el acceso a estos servicios y exige el uso de puntos de conexión protegidos de Azure AD para la implementación. Tenga en cuenta que el sitio de SCM también se puede abrir con credenciales de Azure AD.",
"guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
"link": "https://docs.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"severity": "Alto",
"subcategory": "Identidad y control de acceso",
"text": "Deshabilitar la autenticación básica"
@ -82,7 +82,7 @@
"category": "Seguridad",
"description": "Siempre que sea posible, use Identidad administrada para conectarse a los recursos protegidos de Azure AD. Si esto no es posible, almacene los secretos en Key Vault y conéctese a Key Vault mediante una identidad administrada en su lugar.",
"guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
"link": "https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"severity": "Alto",
"subcategory": "Identidad y control de acceso",
"text": "Usar la identidad administrada para conectarse a los recursos"
@ -91,7 +91,7 @@
"category": "Seguridad",
"description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas mediante una identidad administrada.",
"guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"severity": "Alto",
"subcategory": "Identidad y control de acceso",
"text": "Extracción de contenedores mediante una identidad administrada"
@ -100,7 +100,7 @@
"category": "Seguridad",
"description": "Al configurar las opciones de diagnóstico del Servicio de aplicaciones, puede enviar toda la telemetría a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad en tiempo de ejecución del Servicio de aplicaciones, como registros HTTP, registros de aplicaciones, registros de plataforma, ...",
"guid": "47768314-c115-4775-a2ea-55b46ad48408",
"link": "https://docs.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"severity": "Medio",
"subcategory": "Registro y supervisión",
"text": "Enviar registros de tiempo de ejecución del Servicio de aplicaciones a Log Analytics"
@ -109,7 +109,7 @@
"category": "Seguridad",
"description": "Configure una configuración de diagnóstico para enviar el registro de actividad a Log Analytics como destino central para el registro y la supervisión. Esto permite supervisar la actividad del plano de control en el propio recurso del Servicio de aplicaciones.",
"guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
"link": "https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"severity": "Medio",
"subcategory": "Registro y supervisión",
"text": "Enviar registros de actividad del Servicio de aplicaciones a Log Analytics"
@ -118,7 +118,7 @@
"category": "Seguridad",
"description": "Controle el acceso saliente a la red mediante una combinación de integración de red virtual regional, grupos de seguridad de red y UDR. El tráfico debe enrutarse a un NVA como Azure Firewall. Asegúrese de supervisar los registros del cortafuegos.",
"guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
"link": "https://docs.microsoft.com/azure/app-service/overview-vnet-integration",
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
"severity": "Medio",
"subcategory": "Seguridad de red",
"text": "El acceso a la red saliente debe ser controlado"
@ -127,7 +127,7 @@
"category": "Seguridad",
"description": "Puede proporcionar una IP saliente estable mediante la integración de red virtual y una puerta de enlace NAT de red virtual o un NVA como Azure Firewall. Esto permite a la parte receptora permitir la lista basada en IP, en caso de que sea necesario. Tenga en cuenta que para las comunicaciones hacia los servicios de Azure a menudo no es necesario depender de la dirección IP y en su lugar se deben usar mecánicas como los puntos de conexión de servicio. (Además, el uso de extremos privados en el extremo receptor evita que ocurra SNAT y proporciona un rango estable de IP saliente).",
"guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
"link": "https://docs.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"severity": "Bajo",
"subcategory": "Seguridad de red",
"text": "Garantizar una IP estable para las comunicaciones salientes hacia direcciones de Internet"
@ -136,7 +136,7 @@
"category": "Seguridad",
"description": "Controle el acceso entrante a la red mediante una combinación de restricciones de acceso al Servicio de aplicaciones, extremos de servicio o extremos privados. Se pueden requerir y configurar diferentes restricciones de acceso para la propia aplicación web y el sitio de SCM.",
"guid": "0725769e-e669-41a4-a34a-c932223ece80",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "Alto",
"subcategory": "Seguridad de red",
"text": "El acceso a la red entrante debe ser controlado"
@ -145,7 +145,7 @@
"category": "Seguridad",
"description": "Protéjase contra el tráfico entrante malintencionado mediante un firewall de aplicaciones web como Application Gateway o Azure Front Door. Asegúrese de monitorear los registros del WAF.",
"guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
"link": "https://docs.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"severity": "Alto",
"subcategory": "Seguridad de red",
"text": "Usar un WAF delante del Servicio de aplicaciones"
@ -154,7 +154,7 @@
"category": "Seguridad",
"description": "Asegúrese de que el WAF no se puede omitir bloqueando el acceso solo al WAF. Use una combinación de restricciones de acceso, extremos de servicio y extremos privados.",
"guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "Alto",
"subcategory": "Seguridad de red",
"text": "Evitar que se omita WAF"
@ -164,7 +164,7 @@
"description": "Establezca la directiva TLS mínima en 1.2 en Configuración del Servicio de aplicaciones.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (isnull(properties.siteConfig.minTlsVersion) or properties.siteConfig.minTlsVersion=='1.2') | distinct id,compliant",
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"severity": "Medio",
"subcategory": "Seguridad de red",
"text": "Establezca la directiva TLS mínima en 1.2"
@ -174,7 +174,7 @@
"description": "Configure el Servicio de aplicaciones para usar solo HTTPS. Esto hace que el Servicio de aplicaciones redirija de HTTP a HTTPS. Considere seriamente el uso de HTTP Strict Transport Security (HSTS) en su código o desde su WAF, que informa a los navegadores que solo se debe acceder al sitio mediante HTTPS.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
"guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"severity": "Alto",
"subcategory": "Seguridad de red",
"text": "Usar solo HTTPS"
@ -183,7 +183,7 @@
"category": "Seguridad",
"description": "No utilice comodines en la configuración de CORS, ya que esto permite que todos los orígenes accedan al servicio (frustrando así el propósito de CORS). Específicamente solo permite los orígenes que esperas poder acceder al servicio.",
"guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
"link": "https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"severity": "Alto",
"subcategory": "Seguridad de red",
"text": "Los comodines no deben utilizarse para CORS"
@ -193,7 +193,7 @@
"description": "La depuración remota no debe activarse en producción, ya que esto abre puertos adicionales en el servicio, lo que aumenta la superficie de ataque. Tenga en cuenta que el servicio activa la depuración remota automáticamente después de 48 horas.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.siteConfig.remoteDebuggingEnabled!=true) | distinct id,compliant",
"guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
"link": "https://docs.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"severity": "Alto",
"subcategory": "Seguridad de red",
"text": "Desactivar la depuración remota"
@ -202,7 +202,7 @@
"category": "Seguridad",
"description": "Habilite Defender para el Servicio de aplicaciones. Esto (entre otras amenazas) detecta comunicaciones a direcciones IP maliciosas conocidas. Revise las recomendaciones de Defender for App Service como parte de sus operaciones.",
"guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
"link": "https://docs.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"severity": "Medio",
"subcategory": "Seguridad de red",
"text": "Habilitar Defender for Cloud - Defender for App Service"
@ -211,7 +211,7 @@
"category": "Seguridad",
"description": "Azure proporciona protección DDoS Basic en su red, que se puede mejorar con funcionalidades DDoS Standard inteligentes que aprenden sobre los patrones de tráfico normales y pueden detectar comportamientos inusuales. DDoS Standard se aplica a una red virtual, por lo que debe configurarse para el recurso de red frente a la aplicación, como Application Gateway o un NVA.",
"guid": "223ece80-b123-4071-a541-6415833ea3ad",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"severity": "Medio",
"subcategory": "Seguridad de red",
"text": "Habilitar el estándar de protección DDOS en la red virtual WAF"
@ -220,7 +220,7 @@
"category": "Seguridad",
"description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas a través de una red virtual de Azure Container Registry mediante su punto de conexión privado y la configuración de la aplicación 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
"guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"severity": "Medio",
"subcategory": "Seguridad de red",
"text": "Extracción de contenedores a través de una red virtual"
@ -229,7 +229,7 @@
"category": "Seguridad",
"description": "Realice una prueba de penetración en la aplicación web siguiendo las reglas de compromiso de las pruebas de penetración.",
"guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing",
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
"severity": "Medio",
"subcategory": "Pruebas de penetración",
"text": "Realizar una prueba de penetración"
@ -238,7 +238,7 @@
"category": "Seguridad",
"description": "Implemente código de confianza validado y analizado en busca de vulnerabilidades de acuerdo con las prácticas de DevSecOps.",
"guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
"link": "https://docs.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"severity": "Medio",
"subcategory": "Gestión de vulnerabilidades",
"text": "Implementar código validado"
@ -247,7 +247,7 @@
"category": "Seguridad",
"description": "Utilice las últimas versiones de plataformas, lenguajes de programación, protocolos y marcos compatibles.",
"guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
"link": "https://docs.microsoft.com/azure/app-service/overview-patch-os-runtime",
"link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
"severity": "Alto",
"subcategory": "Gestión de vulnerabilidades",
"text": "Utilice plataformas, lenguajes, protocolos y marcos actualizados"

54
checklists/appsvc_security_checklist.ja.json
Просмотреть файл

@ -10,7 +10,7 @@
"category": "安全",
"description": "Azure Key Vault を使用して、アプリケーションに必要なシークレットを格納します。 Key Vault は、シークレットを格納するための安全で監査された環境を提供し、Key Vault SDK または App Service Key Vault リファレンスを通じて App Service と適切に統合されています。",
"guid": "834ac932-223e-4ce8-8b12-3071a5416415",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "高い",
"subcategory": "データ保護",
"text": "Key Vault を使用してシークレットを格納する"
@ -19,7 +19,7 @@
"category": "安全",
"description": "マネージド ID を使用して、Key Vault SDK を使用するか、App Service Key Vault 参照を使用して Key Vault に接続します。",
"guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "高い",
"subcategory": "データ保護",
"text": "マネージド ID を使用して Key Vault に接続する"
@ -28,7 +28,7 @@
"category": "安全",
"description": "アプリ サービスの TLS 証明書をキー コンテナーに格納します。",
"guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-certificate",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
"severity": "高い",
"subcategory": "データ保護",
"text": "キー コンテナーを使用して TLS 証明書を格納します。"
@ -37,7 +37,7 @@
"category": "安全",
"description": "機密情報を処理するシステムは分離する必要があります。 これを行うには、個別の App Service プランまたは App Service 環境を使用し、異なるサブスクリプションまたは管理グループの使用を検討してください。",
"guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
"link": "https://docs.microsoft.com/azure/app-service/overview-hosting-plans",
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
"severity": "中程度",
"subcategory": "データ保護",
"text": "機密情報を処理するシステムを分離する"
@ -46,7 +46,7 @@
"category": "安全",
"description": "App Service 上のローカル ディスクは暗号化されていないため、機密データをそれらのディスクに格納しないでください。 (例: D:\\\\Local および %TMP%)。",
"guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
"link": "https://docs.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"severity": "中程度",
"subcategory": "データ保護",
"text": "機密データをローカルディスクに保存しない"
@ -55,7 +55,7 @@
"category": "安全",
"description": "認証された Web アプリケーションの場合は、Azure AD や Azure AD B2C などの確立された ID プロバイダーを使用します。 選択したアプリケーション フレームワークを利用して、このプロバイダーと統合するか、App Service の認証/承認機能を使用します。",
"guid": "919ca0b2-c121-459e-814b-933df574eccc",
"link": "https://docs.microsoft.com/azure/app-service/overview-authentication-authorization",
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
"severity": "中程度",
"subcategory": "ID とアクセス制御",
"text": "認証に確立された ID プロバイダーを使用する"
@ -64,7 +64,7 @@
"category": "安全",
"description": "適切に管理され、セキュリティで保護された DevOps デプロイ パイプラインなど、制御された信頼できる環境から App Service にコードをデプロイします。これにより、バージョン管理されておらず、悪意のあるホストから展開されることが確認されていないコードを回避できます。",
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
"link": "https://docs.microsoft.com/azure/app-service/deploy-best-practices",
"link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
"severity": "高い",
"subcategory": "ID とアクセス制御",
"text": "信頼できる環境からデプロイする"
@ -73,7 +73,7 @@
"category": "安全",
"description": "FTP/FTPS と WebDeploy/SCM の両方の基本認証を無効にします。 これにより、これらのサービスへのアクセスが無効になり、デプロイに Azure AD のセキュリティで保護されたエンドポイントの使用が強制されます。 SCM サイトは、Azure AD 資格情報を使用して開くこともできます。",
"guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
"link": "https://docs.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"severity": "高い",
"subcategory": "ID とアクセス制御",
"text": "基本認証を無効にする"
@ -82,7 +82,7 @@
"category": "安全",
"description": "可能な場合は、マネージド ID を使用して Azure AD のセキュリティで保護されたリソースに接続します。 これが不可能な場合は、シークレットを Key Vault に格納し、代わりにマネージド ID を使用して Key Vault に接続します。",
"guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
"link": "https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"severity": "高い",
"subcategory": "ID とアクセス制御",
"text": "マネージド ID を使用してリソースに接続する"
@ -91,7 +91,7 @@
"category": "安全",
"description": "Azure コンテナー レジストリに格納されているイメージを使用する場合は、マネージド ID を使用してこれらをプルします。",
"guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"severity": "高い",
"subcategory": "ID とアクセス制御",
"text": "マネージド ID を使用したコンテナーのプル"
@ -100,7 +100,7 @@
"category": "安全",
"description": "App Service の診断設定を構成することで、すべてのテレメトリをログ記録と監視の中心的な宛先として Log Analytics に送信できます。これにより、HTTPログ、アプリケーションログ、プラットフォームログなどのApp Serviceの実行時アクティビティを監視できます。",
"guid": "47768314-c115-4775-a2ea-55b46ad48408",
"link": "https://docs.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"severity": "中程度",
"subcategory": "ログ記録と監視",
"text": "App Service ランタイム ログをログ分析に送信する"
@ -109,7 +109,7 @@
"category": "安全",
"description": "ログ記録と監視の中心的な宛先として Log Analytics にアクティビティ ログを送信するように診断設定を設定します。これにより、App Service リソース自体のコントロール プレーン アクティビティを監視できます。",
"guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
"link": "https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"severity": "中程度",
"subcategory": "ログ記録と監視",
"text": "App Service アクティビティ ログをログ分析に送信する"
@ -118,7 +118,7 @@
"category": "安全",
"description": "リージョン VNet 統合、ネットワーク セキュリティ グループ、および UDR の組み合わせを使用して、送信ネットワーク アクセスを制御します。 トラフィックは、Azure ファイアウォールなどの NVA にルーティングする必要があります。 ファイアウォールのログを必ず監視してください。",
"guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
"link": "https://docs.microsoft.com/azure/app-service/overview-vnet-integration",
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
"severity": "中程度",
"subcategory": "ネットワークセキュリティ",
"text": "送信ネットワーク アクセスを制御する必要がある"
@ -127,7 +127,7 @@
"category": "安全",
"description": "安定した送信 IP を提供するには、VNet 統合を使用し、VNet NAT ゲートウェイまたは Azure ファイアウォールなどの NVA を使用します。 これにより、受信側は必要に応じて IP に基づいて許可リストに登録できます。 Azure Services への通信では、多くの場合、IP アドレスに依存する必要はなく、代わりにサービス エンドポイントなどのメカニズムを使用する必要があることに注意してください。 (また、受信側でプライベート エンドポイントを使用すると、SNAT の発生が回避され、安定した送信 IP 範囲が提供されます)。",
"guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
"link": "https://docs.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"severity": "低い",
"subcategory": "ネットワークセキュリティ",
"text": "インターネットアドレスへのアウトバウンド通信のための安定したIPを確保する"
@ -136,7 +136,7 @@
"category": "安全",
"description": "App Service アクセス制限、サービス エンドポイント、またはプライベート エンドポイントの組み合わせを使用して、受信ネットワーク アクセスを制御します。Web アプリ自体と SCM サイトに対して異なるアクセス制限を要求し、構成することができます。",
"guid": "0725769e-e669-41a4-a34a-c932223ece80",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "高い",
"subcategory": "ネットワークセキュリティ",
"text": "受信ネットワーク アクセスを制御する必要がある"
@ -145,7 +145,7 @@
"category": "安全",
"description": "アプリケーション ゲートウェイや Azure Front Door などの Web アプリケーション ファイアウォールを使用して、悪意のある受信トラフィックから保護します。 WAF のログを必ず監視してください。",
"guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
"link": "https://docs.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"severity": "高い",
"subcategory": "ネットワークセキュリティ",
"text": "アプリ サービスの前で WAF を使用する"
@ -154,7 +154,7 @@
"category": "安全",
"description": "WAF のみへのアクセスをロックダウンして、WAF をバイパスできないことを確認します。 アクセス制限、サービス エンドポイント、プライベート エンドポイントを組み合わせて使用します。",
"guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "高い",
"subcategory": "ネットワークセキュリティ",
"text": "WAFがバイパスされないようにする"
@ -164,7 +164,7 @@
"description": "App Service 構成で最小 TLS ポリシーを 1.2 に設定します。",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (isnull(properties.siteConfig.minTlsVersion) or properties.siteConfig.minTlsVersion=='1.2') | distinct id,compliant",
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"severity": "中程度",
"subcategory": "ネットワークセキュリティ",
"text": "最小 TLS ポリシーを 1.2 に設定する"
@ -174,7 +174,7 @@
"description": "HTTPS のみを使用するようにアプリ サービスを構成します。 これにより、App Service は HTTP から HTTPS にリダイレクトされます。 コード内または WAF から HTTP 厳密トランスポート セキュリティ (HSTS) を使用して、HTTPS のみを使用してサイトにアクセスする必要があることをブラウザーに通知することを強く検討してください。",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
"guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"severity": "高い",
"subcategory": "ネットワークセキュリティ",
"text": "HTTPS のみを使用する"
@ -183,7 +183,7 @@
"category": "安全",
"description": "CORS 設定では、すべてのオリジンがサービスにアクセスできる (CORS の目的が無効になるため) ワイルドカードを使用しないでください。具体的には、サービスにアクセスできると予想されるオリジンのみを許可します。",
"guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
"link": "https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"severity": "高い",
"subcategory": "ネットワークセキュリティ",
"text": "ワイルドカードは CORS に使用しないでください"
@ -193,7 +193,7 @@
"description": "リモート デバッグは、サービスに追加のポートが開かれ、攻撃対象領域が増えるため、運用環境で有効にしないでください。サービスは 48 時間後に自動的にリモート デバッグをオンにすることに注意してください。",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.siteConfig.remoteDebuggingEnabled!=true) | distinct id,compliant",
"guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
"link": "https://docs.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"severity": "高い",
"subcategory": "ネットワークセキュリティ",
"text": "リモート デバッグをオフにする"
@ -202,7 +202,7 @@
"category": "安全",
"description": "アプリ サービスの Defender を有効にします。 これは(他の脅威の中でも)既知の悪意のあるIPアドレスへの通信を検出します。 運用の一環として、アプリ サービスの Defender からの推奨事項を確認します。",
"guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
"link": "https://docs.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"severity": "中程度",
"subcategory": "ネットワークセキュリティ",
"text": "クラウドの Defender を有効にする - アプリ サービスの Defender"
@ -211,7 +211,7 @@
"category": "安全",
"description": "Azure はネットワーク上で DDoS Basic 保護を提供しますが、通常のトラフィック パターンを学習し、異常な動作を検出できるインテリジェントな DDoS 標準機能で強化できます。DDoS 標準は仮想ネットワークに適用されるため、アプリケーション ゲートウェイや NVA など、アプリの前のネットワーク リソース用に構成する必要があります。",
"guid": "223ece80-b123-4071-a541-6415833ea3ad",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"severity": "中程度",
"subcategory": "ネットワークセキュリティ",
"text": "WAF VNet で DDOS 保護標準を有効にする"
@ -220,7 +220,7 @@
"category": "安全",
"description": "Azure コンテナー レジストリに格納されているイメージを使用する場合は、プライベート エンドポイントとアプリ設定 \"WEBSITE_PULL_IMAGE_OVER_VNET\" を使用して、Azure コンテナー レジストリから仮想ネットワーク経由でこれらをプルします。",
"guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"severity": "中程度",
"subcategory": "ネットワークセキュリティ",
"text": "仮想ネットワーク経由でコンテナーをプルする"
@ -229,7 +229,7 @@
"category": "安全",
"description": "エンゲージメントの侵入テストルールに従って、Webアプリケーションで侵入テストを実施します。",
"guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing",
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
"severity": "中程度",
"subcategory": "ペネトレーションテスト",
"text": "侵入テストの実施"
@ -238,7 +238,7 @@
"category": "安全",
"description": "DevSecOps プラクティスに従って脆弱性が検証およびスキャンされた信頼できるコードをデプロイします。",
"guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
"link": "https://docs.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"severity": "中程度",
"subcategory": "脆弱性管理",
"text": "検証済みのコードをデプロイする"
@ -247,7 +247,7 @@
"category": "安全",
"description": "サポートされているプラットフォーム、プログラミング言語、プロトコル、およびフレームワークの最新バージョンを使用します。",
"guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
"link": "https://docs.microsoft.com/azure/app-service/overview-patch-os-runtime",
"link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
"severity": "高い",
"subcategory": "脆弱性管理",
"text": "最新のプラットフォーム、言語、プロトコル、フレームワークを使用する"

54
checklists/appsvc_security_checklist.ko.json
Просмотреть файл

@ -10,7 +10,7 @@
"category": "안전",
"description": "Azure 키 자격 증명 모음을 사용하여 애플리케이션에 필요한 모든 비밀을 저장합니다. Key Vault는 비밀을 저장하기 위한 안전하고 감사된 환경을 제공하며 Key Vault SDK 또는 앱 서비스 키 자격 증명 모음 참조를 통해 앱 서비스와 잘 통합됩니다.",
"guid": "834ac932-223e-4ce8-8b12-3071a5416415",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "높다",
"subcategory": "데이터 보호",
"text": "키 자격 증명 모음을 사용하여 비밀 저장"
@ -19,7 +19,7 @@
"category": "안전",
"description": "관리 ID를 사용하여 키 자격 증명 모음 SDK를 사용하거나 앱 서비스 키 자격 증명 모음 참조를 통해 키 자격 증명 모음에 연결합니다.",
"guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "높다",
"subcategory": "데이터 보호",
"text": "관리 ID를 사용하여 키 자격 증명 모음에 연결"
@ -28,7 +28,7 @@
"category": "안전",
"description": "앱 서비스 TLS 인증서를 키 자격 증명 모음에 저장합니다.",
"guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-certificate",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
"severity": "높다",
"subcategory": "데이터 보호",
"text": "키 자격 증명 모음을 사용하여 TLS 인증서를 저장합니다."
@ -37,7 +37,7 @@
"category": "안전",
"description": "중요한 정보를 처리하는 시스템은 격리되어야 합니다. 이렇게 하려면 별도의 앱 서비스 계획 또는 앱 서비스 환경을 사용하고 다른 구독 또는 관리 그룹의 사용을 고려합니다.",
"guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
"link": "https://docs.microsoft.com/azure/app-service/overview-hosting-plans",
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
"severity": "보통",
"subcategory": "데이터 보호",
"text": "중요한 정보를 처리하는 시스템 격리"
@ -46,7 +46,7 @@
"category": "안전",
"description": "App Service의 로컬 디스크는 암호화되지 않으며 중요한 데이터를 저장해서는 안 됩니다. (예: D:\\\\Local 및 %TMP%).",
"guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
"link": "https://docs.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"severity": "보통",
"subcategory": "데이터 보호",
"text": "중요한 데이터를 로컬 디스크에 저장하지 마십시오."
@ -55,7 +55,7 @@
"category": "안전",
"description": "인증된 웹 애플리케이션의 경우 Azure AD 또는 Azure AD B2C와 같은 잘 설정된 ID 공급자를 사용합니다. 선택한 응용 프로그램 프레임워크를 활용하여 이 공급자와 통합하거나 App Service 인증/권한 부여 기능을 사용합니다.",
"guid": "919ca0b2-c121-459e-814b-933df574eccc",
"link": "https://docs.microsoft.com/azure/app-service/overview-authentication-authorization",
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
"severity": "보통",
"subcategory": "ID 및 액세스 제어",
"text": "인증을 위해 설정된 ID 공급자 사용"
@ -64,7 +64,7 @@
"category": "안전",
"description": "잘 관리되고 안전한 DevOps 배포 파이프라인과 같이 제어되고 신뢰할 수 있는 환경에서 App Service에 코드를 배포합니다. 이렇게 하면 버전이 제어되지 않고 확인되지 않은 코드가 악성 호스트에서 배포되는 것을 방지할 수 있습니다.",
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
"link": "https://docs.microsoft.com/azure/app-service/deploy-best-practices",
"link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
"severity": "높다",
"subcategory": "ID 및 액세스 제어",
"text": "신뢰할 수 있는 환경에서 배포"
@ -73,7 +73,7 @@
"category": "안전",
"description": "FTP/FTPS 및 웹 배포/SCM 모두에 대해 기본 인증을 사용하지 않도록 설정합니다. 이렇게 하면 이러한 서비스에 대한 액세스가 비활성화되고 배포에 Azure AD 보안 엔드포인트를 사용하도록 적용됩니다. SCM 사이트는 Azure AD 자격 증명을 사용하여 열 수도 있습니다.",
"guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
"link": "https://docs.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"severity": "높다",
"subcategory": "ID 및 액세스 제어",
"text": "기본 인증 사용 안 함"
@ -82,7 +82,7 @@
"category": "안전",
"description": "가능한 경우 관리 ID를 사용하여 Azure AD 보안 리소스에 연결합니다. 이렇게 할 수 없는 경우 Key Vault에 비밀을 저장하고 대신 관리 ID를 사용하여 Key Vault에 연결합니다.",
"guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
"link": "https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"severity": "높다",
"subcategory": "ID 및 액세스 제어",
"text": "관리 ID를 사용하여 리소스에 연결"
@ -91,7 +91,7 @@
"category": "안전",
"description": "Azure 컨테이너 레지스트리에 저장된 이미지를 사용하는 경우 관리 ID를 사용하여 이미지를 끌어옵니다.",
"guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"severity": "높다",
"subcategory": "ID 및 액세스 제어",
"text": "관리 ID를 사용하여 컨테이너 끌어오기"
@ -100,7 +100,7 @@
"category": "안전",
"description": "App Service의 진단 설정을 구성하여 로깅 및 모니터링을 위한 중앙 대상으로 Log Analytics에 모든 원격 분석을 보낼 수 있습니다. 이를 통해 HTTP 로그, 응용 프로그램 로그, 플랫폼 로그 등과 같은 App Service의 런타임 활동을 모니터링할 수 있습니다.",
"guid": "47768314-c115-4775-a2ea-55b46ad48408",
"link": "https://docs.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"severity": "보통",
"subcategory": "로깅 및 모니터링",
"text": "앱 서비스 런타임 로그를 로그 분석으로 보내기"
@ -109,7 +109,7 @@
"category": "안전",
"description": "활동 로그를 로깅 및 모니터링을 위한 중앙 대상으로 Log Analytics로 보내도록 진단 설정을 지정합니다. 이렇게 하면 App Service 리소스 자체에서 컨트롤 평면 작업을 모니터링할 수 있습니다.",
"guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
"link": "https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"severity": "보통",
"subcategory": "로깅 및 모니터링",
"text": "로그 분석에 앱 서비스 활동 로그 보내기"
@ -118,7 +118,7 @@
"category": "안전",
"description": "지역 VNet 통합, 네트워크 보안 그룹 및 UDR의 조합을 사용하여 아웃바운드 네트워크 액세스를 제어합니다. 트래픽은 Azure 방화벽과 같은 NVA로 라우팅되어야 합니다. 방화벽의 로그를 모니터링해야 합니다.",
"guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
"link": "https://docs.microsoft.com/azure/app-service/overview-vnet-integration",
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
"severity": "보통",
"subcategory": "네트워크 보안",
"text": "아웃바운드 네트워크 액세스를 제어해야 합니다."
@ -127,7 +127,7 @@
"category": "안전",
"description": "VNet 통합을 사용하고 VNet NAT 게이트웨이 또는 Azure 방화벽과 같은 NVA를 사용하여 안정적인 아웃바운드 IP를 제공할 수 있습니다. 이렇게 하면 수신 당사자가 필요한 경우 IP를 기반으로 허용 목록에 추가할 수 있습니다. Azure 서비스에 대한 통신의 경우 IP 주소에 의존할 필요가 없는 경우가 많으며 서비스 엔드포인트와 같은 메커니즘을 대신 사용해야 합니다. (또한 수신 쪽에서 프라이빗 엔드포인트를 사용하면 SNAT가 발생하지 않고 안정적인 아웃바운드 IP 범위가 제공됩니다.)",
"guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
"link": "https://docs.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"severity": "낮다",
"subcategory": "네트워크 보안",
"text": "인터넷 주소로 향하는 아웃바운드 통신을 위한 안정적인 IP 보장"
@ -136,7 +136,7 @@
"category": "안전",
"description": "App Service 액세스 제한, 서비스 엔드포인트 또는 프라이빗 엔드포인트의 조합을 사용하여 인바운드 네트워크 액세스를 제어합니다. 웹앱 자체와 SCM 사이트에 대해 서로 다른 액세스 제한이 필요하고 구성할 수 있습니다.",
"guid": "0725769e-e669-41a4-a34a-c932223ece80",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "높다",
"subcategory": "네트워크 보안",
"text": "인바운드 네트워크 액세스를 제어해야 합니다."
@ -145,7 +145,7 @@
"category": "안전",
"description": "응용 프로그램 게이트웨이 또는 Azure Front Door와 같은 웹 응용 프로그램 방화벽을 사용하여 악의적인 인바운드 트래픽으로부터 보호합니다. WAF의 로그를 모니터링해야 합니다.",
"guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
"link": "https://docs.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"severity": "높다",
"subcategory": "네트워크 보안",
"text": "앱 서비스 앞에서 WAF 사용"
@ -154,7 +154,7 @@
"category": "안전",
"description": "WAF에 대한 액세스만 잠가 WAF를 우회할 수 없는지 확인합니다. 액세스 제한, 서비스 엔드포인트 및 프라이빗 엔드포인트의 조합을 사용합니다.",
"guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "높다",
"subcategory": "네트워크 보안",
"text": "WAF가 우회되지 않도록 합니다."
@ -164,7 +164,7 @@
"description": "앱 서비스 구성에서 최소 TLS 정책을 1.2로 설정합니다.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (isnull(properties.siteConfig.minTlsVersion) or properties.siteConfig.minTlsVersion=='1.2') | distinct id,compliant",
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"severity": "보통",
"subcategory": "네트워크 보안",
"text": "최소 TLS 정책을 1.2로 설정"
@ -174,7 +174,7 @@
"description": "HTTPS만 사용하도록 앱 서비스를 구성합니다. 이로 인해 앱 서비스가 HTTP에서 HTTPS로 리디렉션됩니다. 코드 또는 WAF에서 HTTP 엄격한 전송 보안(HSTS)을 사용하여 HTTPS를 통해서만 사이트에 액세스해야 함을 브라우저에 알리는 것이 좋습니다.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
"guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"severity": "높다",
"subcategory": "네트워크 보안",
"text": "HTTPS만 사용"
@ -183,7 +183,7 @@
"category": "안전",
"description": "CORS 구성에서 와일드카드를 사용하면 모든 원본이 서비스에 액세스할 수 있으므로 CORS의 목적이 무효화됩니다. 특히 서비스에 액세스할 수 있을 것으로 예상되는 원본만 허용합니다.",
"guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
"link": "https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"severity": "높다",
"subcategory": "네트워크 보안",
"text": "와일드카드는 CORS에 사용할 수 없습니다."
@ -193,7 +193,7 @@
"description": "원격 디버깅은 서비스에서 추가 포트를 열어 공격 노출 영역을 증가시키므로 프로덕션 환경에서 설정해서는 안 됩니다. 서비스는 48시간 후에 자동으로 원격 디버깅을 설정합니다.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.siteConfig.remoteDebuggingEnabled!=true) | distinct id,compliant",
"guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
"link": "https://docs.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"severity": "높다",
"subcategory": "네트워크 보안",
"text": "원격 디버깅 끄기"
@ -202,7 +202,7 @@
"category": "안전",
"description": "앱 서비스에 대해 Defender를 사용하도록 설정합니다. 이것은 (다른 위협 중에서도) 알려진 악성 IP 주소에 대한 통신을 탐지합니다. 작업의 일부로 앱 서비스용 Defender의 권장 사항을 검토합니다.",
"guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
"link": "https://docs.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"severity": "보통",
"subcategory": "네트워크 보안",
"text": "클라우드용 수비수 - 앱 서비스용 수비수 사용"
@ -211,7 +211,7 @@
"category": "안전",
"description": "Azure는 네트워크에서 DDoS 기본 보호를 제공하며, 이는 정상적인 트래픽 패턴을 학습하고 비정상적인 동작을 검색할 수 있는 지능형 DDoS 표준 기능으로 개선할 수 있습니다. DDoS 표준은 가상 네트워크에 적용되므로 응용 프로그램 게이트웨이 또는 NVA와 같은 앱 앞의 네트워크 리소스에 대해 구성해야 합니다.",
"guid": "223ece80-b123-4071-a541-6415833ea3ad",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"severity": "보통",
"subcategory": "네트워크 보안",
"text": "WAF VNet에서 DDOS 보호 표준 사용"
@ -220,7 +220,7 @@
"category": "안전",
"description": "Azure 컨테이너 레지스트리에 저장된 이미지를 사용하는 경우 프라이빗 엔드포인트 및 앱 설정 'WEBSITE_PULL_IMAGE_OVER_VNET'을 사용하여 Azure 컨테이너 레지스트리에서 가상 네트워크를 통해 이미지를 끌어옵니다.",
"guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"severity": "보통",
"subcategory": "네트워크 보안",
"text": "가상 네트워크를 통해 컨테이너 끌어오기"
@ -229,7 +229,7 @@
"category": "안전",
"description": "침투 테스트 참여 규칙에 따라 웹 응용 프로그램에서 침투 테스트를 수행합니다.",
"guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing",
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
"severity": "보통",
"subcategory": "침투 테스트",
"text": "침투 테스트 수행"
@ -238,7 +238,7 @@
"category": "안전",
"description": "DevSecOps 사례에 따라 취약성에 대해 유효성을 검사하고 검사한 신뢰할 수 있는 코드를 배포합니다.",
"guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
"link": "https://docs.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"severity": "보통",
"subcategory": "취약성 관리",
"text": "검증된 코드 배포"
@ -247,7 +247,7 @@
"category": "안전",
"description": "지원되는 플랫폼, 프로그래밍 언어, 프로토콜 및 프레임워크의 최신 버전을 사용합니다.",
"guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
"link": "https://docs.microsoft.com/azure/app-service/overview-patch-os-runtime",
"link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
"severity": "높다",
"subcategory": "취약성 관리",
"text": "최신 플랫폼, 언어, 프로토콜 및 프레임워크 사용"

54
checklists/appsvc_security_checklist.pt.json
Просмотреть файл

@ -10,7 +10,7 @@
"category": "Segurança",
"description": "Use o Cofre da Chave do Azure para armazenar todos os segredos de que o aplicativo precisa. O Cofre da Chave fornece um ambiente seguro e auditado para armazenar segredos e está bem integrado ao Serviço de Aplicativo por meio do SDK do Cofre da Chave ou das Referências do Cofre da Chave do Serviço de Aplicativo.",
"guid": "834ac932-223e-4ce8-8b12-3071a5416415",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "Alto",
"subcategory": "Proteção de Dados",
"text": "Usar o Cofre da Chave para armazenar segredos"
@ -19,7 +19,7 @@
"category": "Segurança",
"description": "Use uma Identidade Gerenciada para se conectar ao Cofre da Chave usando o SDK do Cofre da Chave ou por meio das Referências do Cofre da Chave do Serviço de Aplicativo.",
"guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
"link": "https://docs.microsoft.com/azure/app-service/app-service-key-vault-references",
"link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
"severity": "Alto",
"subcategory": "Proteção de Dados",
"text": "Usar a Identidade Gerenciada para se conectar ao Cofre da Chave"
@ -28,7 +28,7 @@
"category": "Segurança",
"description": "Armazene o certificado TLS do Serviço de Aplicativo no Cofre da Chave.",
"guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-certificate",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
"severity": "Alto",
"subcategory": "Proteção de Dados",
"text": "Use o Cofre da Chave para armazenar o certificado TLS."
@ -37,7 +37,7 @@
"category": "Segurança",
"description": "Os sistemas que processam informações confidenciais devem ser isolados. Para fazer isso, use Planos de Serviço de Aplicativo ou Ambientes de Serviço de Aplicativo separados e considere o uso de diferentes assinaturas ou grupos de gerenciamento.",
"guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
"link": "https://docs.microsoft.com/azure/app-service/overview-hosting-plans",
"link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
"severity": "Média",
"subcategory": "Proteção de Dados",
"text": "Isolar sistemas que processam informações confidenciais"
@ -46,7 +46,7 @@
"category": "Segurança",
"description": "Os discos locais no Serviço de Aplicativo não são criptografados e os dados confidenciais não devem ser armazenados neles. (Por exemplo: D:\\\\Local e %TMP%).",
"guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
"link": "https://docs.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
"severity": "Média",
"subcategory": "Proteção de Dados",
"text": "Não armazene dados confidenciais no disco local"
@ -55,7 +55,7 @@
"category": "Segurança",
"description": "Para aplicativos Web autenticados, use um Provedor de Identidade bem estabelecido, como o Azure AD ou o Azure AD B2C. Aproveite a estrutura do aplicativo de sua escolha para se integrar a esse provedor ou use o recurso de Autenticação/Autorização do Serviço de Aplicativo.",
"guid": "919ca0b2-c121-459e-814b-933df574eccc",
"link": "https://docs.microsoft.com/azure/app-service/overview-authentication-authorization",
"link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
"severity": "Média",
"subcategory": "Controle de Identidade e Acesso",
"text": "Usar um Provedor de Identidade estabelecido para autenticação"
@ -64,7 +64,7 @@
"category": "Segurança",
"description": "Implante código no Serviço de Aplicativo a partir de um ambiente controlado e confiável, como um pipeline de implantação de DevOps bem gerenciado e seguro. Isso evita que o código que não foi controlado por versão e verificado seja implantado a partir de um host mal-intencionado.",
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
"link": "https://docs.microsoft.com/azure/app-service/deploy-best-practices",
"link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
"severity": "Alto",
"subcategory": "Controle de Identidade e Acesso",
"text": "Implantar a partir de um ambiente confiável"
@ -73,7 +73,7 @@
"category": "Segurança",
"description": "Desative a autenticação básica para FTP/FTPS e para WebDeploy/SCM. Isso desabilita o acesso a esses serviços e impõe o uso de pontos de extremidade protegidos do Azure AD para implantação. Observe que o site do SCM também pode ser aberto usando credenciais do Azure AD.",
"guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
"link": "https://docs.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
"severity": "Alto",
"subcategory": "Controle de Identidade e Acesso",
"text": "Desabilitar a autenticação básica"
@ -82,7 +82,7 @@
"category": "Segurança",
"description": "Sempre que possível, use a Identidade Gerenciada para se conectar aos recursos protegidos do Azure AD. Se isso não for possível, armazene segredos no Cofre da Chave e conecte-se ao Cofre da Chave usando uma Identidade Gerenciada.",
"guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
"link": "https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
"severity": "Alto",
"subcategory": "Controle de Identidade e Acesso",
"text": "Usar a Identidade Gerenciada para se conectar a recursos"
@ -91,7 +91,7 @@
"category": "Segurança",
"description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as usando uma Identidade Gerenciada.",
"guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
"severity": "Alto",
"subcategory": "Controle de Identidade e Acesso",
"text": "Extrair contêineres usando uma identidade gerenciada"
@ -100,7 +100,7 @@
"category": "Segurança",
"description": "Ao definir as configurações de diagnóstico do Serviço de Aplicativo, você pode enviar toda a telemetria para o Log Analytics como o destino central para registro em log e monitoramento. Isso permite que você monitore a atividade de tempo de execução do Serviço de Aplicativo, como logs HTTP, logs de aplicativos, logs de plataforma, ...",
"guid": "47768314-c115-4775-a2ea-55b46ad48408",
"link": "https://docs.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
"severity": "Média",
"subcategory": "Registro em log e monitoramento",
"text": "Enviar logs de tempo de execução do Serviço de Aplicativo para o Log Analytics"
@ -109,7 +109,7 @@
"category": "Segurança",
"description": "Configure uma configuração de diagnóstico para enviar o registro de atividades para o Log Analytics como o destino central para registro em log e monitoramento. Isso permite que você monitore a atividade do plano de controle no próprio recurso do Serviço de Aplicativo.",
"guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
"link": "https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log",
"link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
"severity": "Média",
"subcategory": "Registro em log e monitoramento",
"text": "Enviar logs de atividade do Serviço de Aplicativo para o Log Analytics"
@ -118,7 +118,7 @@
"category": "Segurança",
"description": "Controle o acesso à rede de saída usando uma combinação de integração de rede virtual regional, grupos de segurança de rede e UDR's. O tráfego deve ser roteado para um NVA, como o Firewall do Azure. Certifique-se de monitorar os logs do Firewall.",
"guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
"link": "https://docs.microsoft.com/azure/app-service/overview-vnet-integration",
"link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
"severity": "Média",
"subcategory": "Segurança de rede",
"text": "O acesso à rede de saída deve ser controlado"
@ -127,7 +127,7 @@
"category": "Segurança",
"description": "Você pode fornecer um IP de saída estável usando a integração de rede virtual e um gateway NAT de rede virtual ou um NVA como o Firewall do Azure. Isso permite que a parte receptora permita a lista de permissões com base no IP, caso isso seja necessário. Observe que, para comunicações com os Serviços do Azure, muitas vezes não há necessidade de depender do endereço IP e mecanismos como Pontos de Extremidade de Serviço devem ser usados. (Além disso, o uso de pontos de extremidade privados na extremidade receptora evita que o SNAT aconteça e fornece um intervalo de IP de saída estável.)",
"guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
"link": "https://docs.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
"severity": "Baixo",
"subcategory": "Segurança de rede",
"text": "Garantir um IP estável para comunicações de saída para endereços de Internet"
@ -136,7 +136,7 @@
"category": "Segurança",
"description": "Controle o acesso à rede de entrada usando uma combinação de Restrições de Acesso ao Serviço de Aplicativo, Pontos de Extremidade de Serviço ou Pontos de Extremidade Privados. Diferentes restrições de acesso podem ser necessárias e configuradas para o próprio aplicativo Web e o site do SCM.",
"guid": "0725769e-e669-41a4-a34a-c932223ece80",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "Alto",
"subcategory": "Segurança de rede",
"text": "O acesso à rede de entrada deve ser controlado"
@ -145,7 +145,7 @@
"category": "Segurança",
"description": "Proteja-se contra tráfego de entrada mal-intencionado usando um Firewall de Aplicativo Web, como o Gateway de Aplicativo ou o Azure Front Door. Certifique-se de monitorar os logs do WAF.",
"guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
"link": "https://docs.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
"severity": "Alto",
"subcategory": "Segurança de rede",
"text": "Usar um WAF na frente do Serviço de Aplicativo"
@ -154,7 +154,7 @@
"category": "Segurança",
"description": "Certifique-se de que o WAF não pode ser ignorado bloqueando o acesso apenas ao WAF. Use uma combinação de Restrições de Acesso, Pontos de Extremidade de Serviço e Pontos de Extremidade Privados.",
"guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
"link": "https://docs.microsoft.com/azure/app-service/networking-features#access-restrictions",
"link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
"severity": "Alto",
"subcategory": "Segurança de rede",
"text": "Evite que o WAF seja ignorado"
@ -164,7 +164,7 @@
"description": "Defina a política TLS mínima como 1.2 na configuração do Serviço de Aplicativo.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (isnull(properties.siteConfig.minTlsVersion) or properties.siteConfig.minTlsVersion=='1.2') | distinct id,compliant",
"guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
"severity": "Média",
"subcategory": "Segurança de rede",
"text": "Definir a política TLS mínima como 1.2"
@ -174,7 +174,7 @@
"description": "Configure o Serviço de Aplicativo para usar somente HTTPS. Isso faz com que o Serviço de Aplicativo redirecione de HTTP para HTTPS. Considere fortemente o uso de HTTP Strict Transport Security (HSTS) em seu código ou em seu WAF, que informa aos navegadores que o site só deve ser acessado usando HTTPS.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
"guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
"link": "https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
"severity": "Alto",
"subcategory": "Segurança de rede",
"text": "Usar somente HTTPS"
@ -183,7 +183,7 @@
"category": "Segurança",
"description": "Não use curingas em sua configuração de CORS, pois isso permite que todas as origens acessem o serviço (derrotando assim o propósito do CORS). Especificamente, permita apenas as origens que você espera que possam acessar o serviço.",
"guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
"link": "https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
"severity": "Alto",
"subcategory": "Segurança de rede",
"text": "Curingas não devem ser usados para CORS"
@ -193,7 +193,7 @@
"description": "A depuração remota não deve ser ativada na produção, pois isso abre portas adicionais no serviço, o que aumenta a superfície de ataque. Observe que o serviço ativa a depuração remota automaticamente após 48 horas.",
"graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.siteConfig.remoteDebuggingEnabled!=true) | distinct id,compliant",
"guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
"link": "https://docs.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
"severity": "Alto",
"subcategory": "Segurança de rede",
"text": "Desativar a depuração remota"
@ -202,7 +202,7 @@
"category": "Segurança",
"description": "Habilite o Defender para o Serviço de Aplicativo. Isso (entre outras ameaças) detecta comunicações com endereços IP maliciosos conhecidos. Revise as recomendações do Defender for App Service como parte de suas operações.",
"guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
"link": "https://docs.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
"severity": "Média",
"subcategory": "Segurança de rede",
"text": "Habilitar o Defender para Nuvem - Defender para o Serviço de Aplicativo"
@ -211,7 +211,7 @@
"category": "Segurança",
"description": "O Azure fornece proteção DDoS Basic em sua rede, que pode ser aprimorada com recursos inteligentes do DDoS Standard que aprendem sobre padrões normais de tráfego e podem detectar comportamentos incomuns. O DDoS Standard se aplica a uma Rede Virtual, portanto, ele deve ser configurado para o recurso de rede na frente do aplicativo, como o Gateway de Aplicativo ou um NVA.",
"guid": "223ece80-b123-4071-a541-6415833ea3ad",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"severity": "Média",
"subcategory": "Segurança de rede",
"text": "Habilitar o padrão de proteção DDOS na rede virtual WAF"
@ -220,7 +220,7 @@
"category": "Segurança",
"description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as em uma rede virtual do Registro de Contêiner do Azure usando seu ponto de extremidade privado e a configuração do aplicativo 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
"guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
"link": "https://docs.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
"severity": "Média",
"subcategory": "Segurança de rede",
"text": "Puxar contêineres por uma rede virtual"
@ -229,7 +229,7 @@
"category": "Segurança",
"description": "Realizar um teste de penetração no aplicativo web seguindo as regras de teste de penetração de engajamento.",
"guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing",
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
"severity": "Média",
"subcategory": "Testes de Penetração",
"text": "Realizar um teste de penetração"
@ -238,7 +238,7 @@
"category": "Segurança",
"description": "Implante código confiável que foi validado e verificado em busca de vulnerabilidades de acordo com as práticas de DevSecOps.",
"guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
"link": "https://docs.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
"severity": "Média",
"subcategory": "Gerenciamento de vulnerabilidades",
"text": "Implantar código validado"
@ -247,7 +247,7 @@
"category": "Segurança",
"description": "Use as versões mais recentes de plataformas, linguagens de programação, protocolos e estruturas suportados.",
"guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
"link": "https://docs.microsoft.com/azure/app-service/overview-patch-os-runtime",
"link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
"severity": "Alto",
"subcategory": "Gerenciamento de vulnerabilidades",
"text": "Use plataformas, linguagens, protocolos e frameworks atualizados"

16
checklists/asb_security_checklist.en.json
Просмотреть файл

@ -7,7 +7,7 @@
"description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
"guid": "87af4a79-1f89-439b-ba47-768e14c11567",
"severity": "Low",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key"
},
{
@ -17,7 +17,7 @@
"description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
"guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version"
},
{
@ -27,7 +27,7 @@
"description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. ",
"guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies"
},
{
@ -37,7 +37,7 @@
"description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ",
"guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity"
},
{
@ -47,7 +47,7 @@
"description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ",
"guid": "f615658d-e558-4f93-9249-b831112dbd7e",
"severity": "High",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus"
},
{
@ -57,7 +57,7 @@
"description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
"guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/",
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference"
},
{
@ -67,7 +67,7 @@
"description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
"guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service"
},
{
@ -77,7 +77,7 @@
"description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
"guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering"
}
],

16
checklists/asb_security_checklist.es.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "Bajo",
"subcategory": "Protección de datos",
"text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "Seguridad",
@ -23,7 +23,7 @@
"severity": "Medio",
"subcategory": "Protección de datos",
"text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "Seguridad",
@ -33,7 +33,7 @@
"severity": "Medio",
"subcategory": "Gestión de identidades y accesos",
"text": "Evite usar una cuenta root cuando no sea necesario",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "Seguridad",
@ -43,7 +43,7 @@
"severity": "Medio",
"subcategory": "Gestión de identidades y accesos",
"text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Service Bus. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o un servicio equivalente",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Seguridad",
@ -53,7 +53,7 @@
"severity": "Alto",
"subcategory": "Gestión de identidades y accesos",
"text": "Usar RBAC del plano de datos con privilegios mínimos",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "Seguridad",
@ -63,7 +63,7 @@
"severity": "Medio",
"subcategory": "Monitorización",
"text": "Habilite el registro para la investigación de seguridad. Usar Azure Monitor para realizar un seguimiento de los registros de recursos y los registros de auditoría en tiempo de ejecución (actualmente disponible solo en el nivel premium)",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "Seguridad",
@ -73,7 +73,7 @@
"severity": "Medio",
"subcategory": "Gestión de redes",
"text": "Considere la posibilidad de usar puntos de conexión privados para acceder a Azure Service Bus y deshabilitar el acceso a la red pública cuando corresponda.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Seguridad",
@ -83,7 +83,7 @@
"severity": "Medio",
"subcategory": "Gestión de redes",
"text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres de Azure Service Bus desde direcciones IP o intervalos específicos",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

16
checklists/asb_security_checklist.ja.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "低い",
"subcategory": "データ保護",
"text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "安全",
@ -23,7 +23,7 @@
"severity": "中程度",
"subcategory": "データ保護",
"text": "要求に最低限必要なバージョンのトランスポート層セキュリティ (TLS) を適用する",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "安全",
@ -33,7 +33,7 @@
"severity": "中程度",
"subcategory": "ID およびアクセス管理",
"text": "不要な場合はrootアカウントを使用しないでください",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "安全",
@ -43,7 +43,7 @@
"severity": "中程度",
"subcategory": "ID およびアクセス管理",
"text": "可能であれば、アプリケーションはマネージド ID を使用して Azure Service Bus に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに配置することを検討してください。",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "安全",
@ -53,7 +53,7 @@
"severity": "高い",
"subcategory": "ID およびアクセス管理",
"text": "最小特権データ プレーン RBAC を使用する",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "安全",
@ -63,7 +63,7 @@
"severity": "中程度",
"subcategory": "モニタリング",
"text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用してリソース ログとランタイム監査ログをトレースする (現在は Premium レベルでのみ使用可能)",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "安全",
@ -73,7 +73,7 @@
"severity": "中程度",
"subcategory": "ネットワーキング",
"text": "プライベート エンドポイントを使用して Azure Service Bus にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "安全",
@ -83,7 +83,7 @@
"severity": "中程度",
"subcategory": "ネットワーキング",
"text": "特定の IP アドレスまたは範囲からの Azure Service Bus 名前空間へのアクセスのみを許可することを検討してください",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

16
checklists/asb_security_checklist.ko.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "낮다",
"subcategory": "데이터 보호",
"text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "안전",
@ -23,7 +23,7 @@
"severity": "보통",
"subcategory": "데이터 보호",
"text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "안전",
@ -33,7 +33,7 @@
"severity": "보통",
"subcategory": "ID 및 액세스 관리",
"text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "안전",
@ -43,7 +43,7 @@
"severity": "보통",
"subcategory": "ID 및 액세스 관리",
"text": "가능한 경우 응용 프로그램에서 관리 ID를 사용하여 Azure 서비스 버스에 인증해야 합니다. 그렇지 않은 경우 Azure Key Vault 또는 이와 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)이 있는 것이 좋습니다.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "안전",
@ -53,7 +53,7 @@
"severity": "높다",
"subcategory": "ID 및 액세스 관리",
"text": "최소 권한 데이터부 RBAC 사용",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "안전",
@ -63,7 +63,7 @@
"severity": "보통",
"subcategory": "모니터링",
"text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 리소스 로그 및 런타임 감사 로그 추적(현재 프리미엄 계층에서만 사용 가능)",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "안전",
@ -73,7 +73,7 @@
"severity": "보통",
"subcategory": "네트워킹",
"text": "프라이빗 엔드포인트를 사용하여 Azure Service Bus에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "안전",
@ -83,7 +83,7 @@
"severity": "보통",
"subcategory": "네트워킹",
"text": "특정 IP 주소 또는 범위에서 Azure 서비스 버스 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다.",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

16
checklists/asb_security_checklist.pt.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "Baixo",
"subcategory": "Proteção de Dados",
"text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "Segurança",
@ -23,7 +23,7 @@
"severity": "Média",
"subcategory": "Proteção de Dados",
"text": "Impor uma versão mínima necessária do Transport Layer Security (TLS) para solicitações ",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "Segurança",
@ -33,7 +33,7 @@
"severity": "Média",
"subcategory": "Gerenciamento de Identidade e Acesso",
"text": "Evite usar a conta root quando não for necessário",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "Segurança",
@ -43,7 +43,7 @@
"severity": "Média",
"subcategory": "Gerenciamento de Identidade e Acesso",
"text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Barramento de Serviço do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre da Chave do Azure ou em um serviço equivalente",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Segurança",
@ -53,7 +53,7 @@
"severity": "Alto",
"subcategory": "Gerenciamento de Identidade e Acesso",
"text": "Usar RBAC do plano de dados de privilégios mínimos",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "Segurança",
@ -63,7 +63,7 @@
"severity": "Média",
"subcategory": "Monitorização",
"text": "Habilite o log para investigação de segurança. Usar o Azure Monitor para rastrear logs de recursos e logs de auditoria de tempo de execução (atualmente disponíveis somente na camada premium)",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "Segurança",
@ -73,7 +73,7 @@
"severity": "Média",
"subcategory": "Rede",
"text": "Considere o uso de pontos de extremidade privados para acessar o Barramento de Serviço do Azure e desabilitar o acesso à rede pública, quando aplicável.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Segurança",
@ -83,7 +83,7 @@
"severity": "Média",
"subcategory": "Rede",
"text": "Considere permitir apenas o acesso ao namespace do Barramento de Serviço do Azure a partir de endereços IP ou intervalos específicos",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

226
checklists/avd_checklist.en.json
Просмотреть файл

@ -17,7 +17,7 @@
"description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity. ",
"guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
},
{
"category": "Foundation",
@ -35,7 +35,7 @@
"description": "AVD store metadata only to run the service in specific geographic locations, determine what is available today and if suitable based on customer requirements. ",
"guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations"
"link": "https://learn.microsoft.com/azure/virtual-desktop/data-locations"
},
{
"category": "Foundation",
@ -44,7 +44,7 @@
"description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files availability if used. ",
"guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits"
},
{
"category": "Foundation",
@ -53,7 +53,7 @@
"description": "See BCDR section for more details.",
"guid": "be1f38ce-f398-412b-b463-cbbac89c199d",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/availability-zones/az-region"
"link": "https://learn.microsoft.com/azure/availability-zones/az-region"
},
{
"category": "Foundation",
@ -62,7 +62,7 @@
"description": "For proper planning and and deployment, it is important to asses the maximum number of users and average concurrent sessions. ",
"guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq"
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq"
},
{
"category": "Foundation",
@ -71,7 +71,7 @@
"description": "Mutiple Host Pools maybe required to support different set of users, it is recommended to estimate how many will be necessary. ",
"guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup"
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup"
},
{
"category": "Foundation",
@ -80,7 +80,7 @@
"description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or Express Route, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.",
"guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview"
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
},
{
"category": "Foundation",
@ -89,7 +89,7 @@
"description": "Review limitations of each client and compare multiple options when possible.",
"guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/connect-windows-7-10"
"link": "https://learn.microsoft.com/azure/virtual-desktop/connect-windows-7-10"
},
{
"category": "Foundation",
@ -116,7 +116,7 @@
"description": "Determine if users will be offered full desktops and/or Remote Application Groups. ",
"guid": "13c00567-4b1e-4945-a459-837ee7ad6c6d",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups"
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups"
},
{
"category": "Foundation",
@ -125,7 +125,7 @@
"description": "RDP settings can currently only be configured at the host pool level, not per user / group.",
"guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties"
"link": "https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties"
},
{
"category": "Foundation",
@ -134,7 +134,7 @@
"description": "RDP Shortpath for managed networks is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between Remote Desktop Client and Session host. The removal of extra relay reduces the round-trip time, which improves user experience with latency-sensitive applications and input methods. To support RDP Shortpath, the Azure Virtual Desktop client needs a direct line of sight to the session host, and must be running either Windows 10 or Windows 7 and have the Windows Desktop client installed.",
"guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
"severity": "Medium",
"link": "https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath"
"link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/shortpath"
},
{
"category": "Foundation",
@ -143,7 +143,7 @@
"description": "Shared/Pooled or Dedicated/Personal",
"guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
},
{
"category": "Foundation",
@ -152,7 +152,7 @@
"description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question.",
"guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type"
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type"
},
{
"category": "Foundation",
@ -161,16 +161,16 @@
"description": "Check which one to use and available options, be aware that if autoscaling will be used, it sets it to breadth-first. ",
"guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing"
"link": "https://learn.microsoft.com/azure/virtual-desktop/host-pool-load-balancing"
},
{
"category": "Foundation",
"subcategory": "Capacity Planning",
"text": "Estimate the number of different Host Pools to deploy ",
"description": "Based on your selection criterias, how many Host Pools you would need? You should consider to have multiple ones if:? Multiple OS images? Multiple regions? Different HW required? Different Host Pool type (shared vs. personal)? Different user requirements and SLA (Top users, Execs, Office Worker vs. Developers, etc.)? Different RDP settings (applied at Host Pool level), see https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties? Required number of VMs in the host pool exceeding maximum capabilities",
"description": "Based on your selection criterias, how many Host Pools you would need? You should consider to have multiple ones if:? Multiple OS images? Multiple regions? Different HW required? Different Host Pool type (shared vs. personal)? Different user requirements and SLA (Top users, Execs, Office Worker vs. Developers, etc.)? Different RDP settings (applied at Host Pool level), see https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties? Required number of VMs in the host pool exceeding maximum capabilities",
"guid": "c7c791dc-a1f6-4d56-999e-558b937d4985",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup"
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup"
},
{
"category": "Foundation",
@ -179,7 +179,7 @@
"description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. Ensure a minimum of 4 cores for Production is selected per Session Host (multi-session)",
"guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
"severity": "Medium",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs"
},
{
"category": "Foundation",
@ -188,7 +188,7 @@
"description": "It is critical to check AVD capacioty and limits reported in the referenced article. ",
"guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop"
},
{
"category": "Foundation",
@ -197,7 +197,7 @@
"description": "Host Pools with GPU require special configuration, please be sure to review the referenced article. ",
"guid": "c936667e-13c0-4056-94b1-e945a459837e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu"
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-vm-gpu"
},
{
"category": "Foundation",
@ -206,7 +206,7 @@
"description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. Today pnly Windows Server OS are supported (see list in the article), in the future Windows Client OS maybe also included. ",
"guid": "b47a393a-0803-4272-a479-8b1578b219a4",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell"
"link": "https://learn.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell"
},
{
"category": "Identity",
@ -215,7 +215,7 @@
"description": "An Azure subscription must be parented to the same Azure AD tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory or Azure AD DS instance.",
"guid": "6ceb5443-5125-4922-9442-93bb628537a5",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview"
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
},
{
"category": "Identity",
@ -224,7 +224,7 @@
"description": "You can configure this using Azure AD Connect (for hybrid organizations) or Azure AD Domain Services (for hybrid or cloud organizations).",
"guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview"
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
},
{
"category": "Identity",
@ -233,7 +233,7 @@
"description": "(1) The user must be sourced from the same Active Directory that's connected to Azure AD. Windows Virtual Desktop does not support B2B or MSA accounts. (2) The UPN you use to subscribe to Windows Virtual Desktop must exist in the Active Directory domain the VM is joined to.",
"guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview"
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
},
{
"category": "Identity",
@ -242,7 +242,7 @@
"description": "VMs must be Standard domain-joined or Hybrid AD-joined. Virtual machines can't be Azure AD-joined.",
"guid": "ea962a15-9394-46da-a7cc-3923266b2258",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview"
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
},
{
"category": "Identity",
@ -251,7 +251,7 @@
"description": "Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services",
"guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions"
"link": "https://learn.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions"
},
{
"category": "Identity",
@ -260,7 +260,7 @@
"description": "AD DCs in Azure are recommended to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. ADC need to be able to talk to DCs for ALL child domains. As alternative, on-premise connectivity must be used to reach AD DCs. ",
"guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
"severity": "Medium",
"link": "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain"
"link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain"
},
{
"category": "Identity",
@ -269,7 +269,7 @@
"description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. ",
"guid": "6db55f57-9603-4334-adf9-cc23418db612",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
},
{
"category": "Identity",
@ -278,7 +278,7 @@
"description": "Carefully review, and eventually block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ",
"guid": "7126504b-b47a-4393-a080-327294798b15",
"severity": "Medium",
"link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy"
"link": "https://learn.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy"
},
{
"category": "Identity",
@ -287,7 +287,7 @@
"description": "Recommended to have a specific dedicated account with specific permissions, and without the default 10 joins limitation. ",
"guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
},
{
"category": "Identity",
@ -296,7 +296,7 @@
"description": "Avoid granting access per user, instead use AD groups and replicate them using ADC in Azure AD. ",
"guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups"
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups"
},
{
"category": "Identity",
@ -305,7 +305,7 @@
"description": "As part of the procedure to integrate Azure File Share and Active Directory authenticaton, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
"guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable"
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable"
},
{
"category": "Networking",
@ -314,7 +314,7 @@
"description": "Which type of hybrid connectivity? Express Route, VPN, NVA?",
"guid": "c8639648-a652-4d6c-85e5-02965388e5de",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
},
{
"category": "Networking",
@ -323,7 +323,7 @@
"description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, and latency tolerable. ",
"guid": "d227dd14-2b06-4c21-a799-9a646f4389a7",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/"
},
{
"category": "Networking",
@ -332,7 +332,7 @@
"description": "Review or recommend a new one where to place AVD Host Pools based on CAF (vWAN vs. Hub & Spoke)",
"guid": "f42c78e7-8c06-4a63-a21a-4956e6a8dc4a",
"severity": "High",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options"
},
{
"category": "Networking",
@ -341,13 +341,13 @@
"description": "Ensure each subnet will have enough space to scale the AVD Host Pool. For different Host Pools, it is recommended to use separate subnets if possible. ",
"guid": "20e27b3e-2971-41b1-952b-eee079b588de",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Networking",
"subcategory": "Networking",
"text": "Need to control/restrict Internet outbound traffic for AVD hosts? ",
"description": "Several options are available. You can use Azure Firewall or NVA Firewall, NSG and/or Proxy. NSG is not able to enable/disable by URL, only ports and protocols.Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are here on https://aka.ms/AVDfirewall and here https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop. Be sure to review full list of requirements for AVD URLs access.",
"description": "Several options are available. You can use Azure Firewall or NVA Firewall, NSG and/or Proxy. NSG is not able to enable/disable by URL, only ports and protocols.Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are here on https://aka.ms/AVDfirewall and here https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop. Be sure to review full list of requirements for AVD URLs access.",
"guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
"severity": "Medium",
"link": "https://aka.ms/AVDfirewall"
@ -365,19 +365,19 @@
"category": "Networking",
"subcategory": "Networking",
"text": "Review UDR for AVD Host Pool subnet",
"description": "Custom UDR can be applied to AVD Host Pool subnet, for example to redirect to Azure Firewall or NVA. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR, then AVD management plane traffic can be easily whitelisted. https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"description": "Custom UDR can be applied to AVD Host Pool subnet, for example to redirect to Azure Firewall or NVA. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR, then AVD management plane traffic can be easily whitelisted. https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
"link": "https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop"
},
{
"category": "Networking",
"subcategory": "Networking",
"text": "Ensure AVD control plane endpoints are accessible",
"description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"description": "Required URLs for AVD control plane access by session hosts are documented here: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list"
"link": "https://learn.microsoft.com/azure/virtual-desktop/safe-url-list"
},
{
"category": "Networking",
@ -386,7 +386,7 @@
"description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. ",
"guid": "516785c6-fa96-4c96-ad88-408f372734c8",
"severity": "Low",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance"
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance"
},
{
"category": "Compute",
@ -395,7 +395,7 @@
"description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.",
"guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
"severity": "Medium",
"link": "https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2"
"link": "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2"
},
{
"category": "Compute",
@ -404,7 +404,7 @@
"description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributing to hosts after pool deployment using traditional SW distribution methods.",
"guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image"
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image"
},
{
"category": "Compute",
@ -413,7 +413,7 @@
"description": "Will they use fslogix application masking which would lend itself to a single image, or multi images with different applications baked in: what is necessitating more than one image to be used?",
"guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace"
},
{
"category": "Compute",
@ -422,7 +422,7 @@
"description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. Custom images",
"guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview"
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview"
},
{
"category": "Compute",
@ -431,7 +431,7 @@
"description": "If nothing exists, consider using Azure Image Builder to automate the build process. ",
"guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-machines/image-builder-overview"
"link": "https://learn.microsoft.com/azure/virtual-machines/image-builder-overview"
},
{
"category": "Compute",
@ -440,7 +440,7 @@
"description": "Evaluate Azure Compute Gallery.",
"guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries"
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-image-galleries"
},
{
"category": "Compute",
@ -449,13 +449,13 @@
"description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article. ",
"guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image"
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image"
},
{
"category": "Compute",
"subcategory": "Golden Image/s",
"text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool",
"description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. ",
"description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://learn.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. ",
"guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
"severity": "Medium",
"link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool"
@ -467,7 +467,7 @@
"description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM, MEM/Intune, GPO, 3rd-party solutions.",
"guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
"severity": "Low",
"link": "https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session"
"link": "https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session"
},
{
"category": "Compute",
@ -476,7 +476,7 @@
"description": "Review article provided and check 'Known Folder Redirection' and 'Files OnDemand' OneDrive features should be considered and eventually adopted.",
"guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image"
"link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image"
},
{
"category": "Compute",
@ -485,7 +485,7 @@
"description": "Be sure to review this article and use the latest version, review and evaluate Teams exclusions to reduce profile size.",
"guid": "b5887953-5d22-4788-9d30-b66c67be5951",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/teams-on-AVD"
"link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD"
},
{
"category": "Compute",
@ -494,7 +494,7 @@
"description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ",
"guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share"
},
{
"category": "Compute",
@ -503,7 +503,7 @@
"description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.",
"guid": "241addce-5793-477b-adb3-751ab2ac1fad",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share"
},
{
"category": "Compute",
@ -512,7 +512,7 @@
"description": "MSIX app attach requires read-only permissions to access the file share. If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.",
"guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share"
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share"
},
{
"category": "Compute",
@ -521,7 +521,7 @@
"description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.",
"guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq"
},
{
"category": "Compute",
@ -530,7 +530,7 @@
"description": "MSIX app attach doesn't support auto-update for MSIX applications, then should be disabled.",
"guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq"
},
{
"category": "Compute",
@ -539,7 +539,7 @@
"description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10 Enterprise or Windows 10 Enterprise Multi-session, version 2004 or later.",
"guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq"
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq"
},
{
"category": "Storage",
@ -548,7 +548,7 @@
"description": "Standard HDD, Standard SSD, or Premium SSD, Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if you are going to use Cloud Cache. ",
"guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types"
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types"
},
{
"category": "Storage",
@ -557,16 +557,16 @@
"description": "Azure NetApp Files, Azure Files, VM based File Server. File-server not recommended. Azure Files Premium typically a good starting point. NetApp only usually required for large scale / high-performant environment. ",
"guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
},
{
"category": "Storage",
"subcategory": "FSLogix",
"text": "Evaluate the possibility to separate Profile Containers from Office Containers",
"description": "The recommendation in Windows Virtual Desktop is to use Profile Container without Office Container unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"description": "The recommendation in Windows Virtual Desktop is to use Profile Container without Office Container unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
"severity": "Low",
"link": "https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt"
"link": "https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt"
},
{
"category": "Storage",
@ -575,7 +575,7 @@
"description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out.",
"guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Storage",
@ -593,7 +593,7 @@
"description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.",
"guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files"
"link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files"
},
{
"category": "Storage",
@ -602,16 +602,16 @@
"description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article.",
"guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Storage",
"subcategory": "FSLogix",
"text": "Review FSLogix registry keys and determine which ones to apply",
"description": "Default basic and recommended settings are here: https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises See here for core set: https://docs.microsoft.com/fslogix/configure-profile-container-tutorialSee here for complete reference: https://docs.microsoft.com/fslogix/profile-container-configuration-reference ",
"description": "Default basic and recommended settings are here: https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises See here for core set: https://learn.microsoft.com/fslogix/configure-profile-container-tutorialSee here for complete reference: https://learn.microsoft.com/fslogix/profile-container-configuration-reference ",
"guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Storage",
@ -620,7 +620,7 @@
"description": "Concurrent or multiple connections are discouraged in Windows Virtual Desktop. The best practice is to create a different profile location for each session (as a host pool).",
"guid": "5e985b85-9c77-43e7-b261-623b775a917e",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Storage",
@ -629,7 +629,7 @@
"description": "As a general estimation, to be validated in a test environment, for each user 5 - 15 IOPS should be first considered, depending on the workload. Azure Files: Premium max 100k IOPS per share (max 100TB) and up to 5Gbps with 3ms latency. Be aware of how Azure Files is provisioned, that is IOPS strictly tied t'o provisioned SIZE. Burst sizing capability in some cases. Be sure to provision UPFRONT more space than required to be sure to have enough IOPS. NOTE: Azure Premium maybe cheaper than Standard because you don't pay transactions, then important detail to keep in mind.Azure NetApp Files: remember max 1000 IPs connected, can adjust IOPS on the fly, minimum 4TB provisioned capacity. ",
"guid": "1f348ff3-64d2-47d4-8e8b-bbc868155abb",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile"
},
{
"category": "Storage",
@ -638,7 +638,7 @@
"description": "Make sure to check the list of best practices and recommendations described in the referenced article.",
"guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Storage",
@ -647,7 +647,7 @@
"description": "Make sure to check the list of best practices and recommendations described in the referenced article.",
"guid": "c42149d4-13a9-423c-9574-d11028ac6aae",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Storage",
@ -656,7 +656,7 @@
"description": "Profile containers have a default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.",
"guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
"severity": "High",
"link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference"
"link": "https://learn.microsoft.com/fslogix/profile-container-configuration-reference"
},
{
"category": "Storage",
@ -665,7 +665,7 @@
"description": "Cloud Cache uses local disk as cache and may generate lot of pressure on the VM disk. Recommended to leverage the power of temporary (and locally attached) VM disk, if possible based on the VM SKU. ",
"guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
"severity": "Medium",
"link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference"
"link": "https://learn.microsoft.com/fslogix/cloud-cache-configuration-reference"
},
{
"category": "Storage",
@ -674,7 +674,7 @@
"description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the C: drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. Configuring exclusions may impact functionality, stability and performance.",
"guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
"severity": "Medium",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml"
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml"
},
{
"category": "Storage",
@ -683,7 +683,7 @@
"description": "An Active Directory Site should be created for the Azure virtual network environment where ANF subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.",
"guid": "6647e977-db49-48a8-bc35-743f17499d42",
"severity": "High",
"link": "https://docs.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections"
"link": "https://learn.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections"
},
{
"category": "Storage",
@ -701,34 +701,34 @@
"description": "We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available through configuration management utilities like Microsoft Endpoint Manager. In a multi-session environment, we recommend you don't let users install software directly.",
"guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Security",
"subcategory": "Host Configuration",
"text": "Ensure anti-virus and anti-malware solution is used",
"description": "Microsoft Defender for Endpoint now supports Windows Virtual Desktop for Windows 10 Enterprise multi-session.Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"description": "Microsoft Defender for Endpoint now supports Windows Virtual Desktop for Windows 10 Enterprise multi-session.Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"guid": "b1172576-9ef6-4691-a483-5ac932223ece",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Security",
"subcategory": "Host Configuration",
"text": "Ensure proper AV exclusions are in place",
"description": "Be sure the following exclusions are in place: https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"description": "Be sure the following exclusions are in place: https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"guid": "80b12308-1a54-4174-8583-3ea3ad2c2de7",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix"
},
{
"category": "Security",
"subcategory": "Host Configuration",
"text": "Assess disk encryption requirements for AVD Hosts",
"description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys.Host VM OS disk encryption is possible and supported using ADE and DES: sensible and peristent user data should not be storedf on the Session Host disk, then it should be used only if strictly required for compliance reason. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage.For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
"description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys.Host VM OS disk encryption is possible and supported using ADE and DES: sensible and peristent user data should not be storedf on the Session Host disk, then it should be used only if strictly required for compliance reason. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage.For OneDrive encryption, see this article: https://learn.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
"guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Security",
@ -746,7 +746,7 @@
"description": "We recommend you enable Azure Security Center Standard for subscriptions, virtual machines, key vaults, and storage accounts.With Azure Security Center Standard is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment.",
"guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Security",
@ -755,7 +755,7 @@
"description": "Should be used, for example to impose desktop lockout and idle session termination. Existing GPOs applied to on-premises environment should be reviewed and eventually applied to secure also AVD Hosts. ",
"guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Security",
@ -764,7 +764,7 @@
"description": "For additional details and insights, see this article: https://christiaanbrinkhoff.com/2020/03/23/learn-how-to-increase-the-security-level-of-your-windows-virtual-desktop-environment-e-g-windows-client-with-azure-mfa-and-conditional-access",
"guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-mfa"
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa"
},
{
"category": "Security",
@ -773,7 +773,7 @@
"description": "Enabling Conditional Access lets you manage risks before you grant users access to your Windows Virtual Desktop environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using.",
"guid": "556246b4-3856-44b4-bc74-a748b6633ad2",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Security",
@ -782,7 +782,7 @@
"description": "Enabling audit log collection lets you view user and admin activity related to Windows Virtual Desktop. This is also a requirement to eanble and use AVD Monitoring tool. Highly recommended to enable. ",
"guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Security",
@ -791,7 +791,7 @@
"description": "AVD uses Azure role-based access controls (RBAC) to assign roles to users and admins. These roles give admins permission to carry out certain tasks. If separation of duties is required, Windows Virtual Desktop has additional roles that let you separate management roles for host pools, app groups, and workspaces. This separation lets you have more granular control over administrative tasks. These roles are named in compliance with Azure's standard roles and least-privilege methodology.",
"guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/rbac"
"link": "https://learn.microsoft.com/azure/virtual-desktop/rbac"
},
{
"category": "Security",
@ -800,7 +800,7 @@
"description": "A comprehensive set of security best practices and recommendations are contained in the referenced article, it is recommended to review. ",
"guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide"
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide"
},
{
"category": "Monitoring and Management",
@ -809,7 +809,7 @@
"description": "Azure Monitor for Windows Virtual Desktop is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Windows Virtual Desktop environments. Read the referenced article to learn how to set up Azure Monitor for Windows Virtual Desktop to monitor your Windows Virtual Desktop environments.",
"guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-monitor"
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-monitor"
},
{
"category": "Monitoring and Management",
@ -818,16 +818,16 @@
"description": "Windows Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. ",
"guid": "81770afb-c4c0-4e43-a186-58d2857ed671",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics"
"link": "https://learn.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics"
},
{
"category": "Monitoring and Management",
"subcategory": "Monitoring",
"text": "Create alerts on the profile storage to be alerted in case of high usage and throttling",
"description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://learn.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"guid": "2463cffe-179c-4599-be0d-5973dd4ce32c",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal"
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal"
},
{
"category": "Monitoring and Management",
@ -836,7 +836,7 @@
"description": "You can use Azure Service Health to monitor service issues and health advisories for Windows Virtual Desktop. Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.",
"guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts"
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-service-alerts"
},
{
"category": "Monitoring and Management",
@ -845,7 +845,7 @@
"description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. Not available yet for Personal Host Pool type, recommended to have a separate setup for each host pool. ",
"guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-scaling-script"
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-scaling-script"
},
{
"category": "Monitoring and Management",
@ -854,7 +854,7 @@
"description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.",
"guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-advisor"
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor"
},
{
"category": "Monitoring and Management",
@ -863,16 +863,16 @@
"description": "Prepare a strategy to manage updates to golden images, for example to apply security hotfixes and/or update applications installed inside the image. Azure Image Builder Service is a 1st party solution for automating the build and customisation of VMs.ARM templates can be used to create new hosts, then decommission the old ones: https://github.com/Azure/RDS-Templates/tree/master/ARM-AVD-templates/AddVirtualMachinesToHostPool Recommended approach is to create a new pool side-by-side, easier to rollback, not usable for dedicated poolRe-deploy and increase the number of VMs with the ARM template is also a viable option. Customers may also want to use existing software distribution methods to update image without re-deploy, for exampel with SCCM or similar.",
"guid": "d7b68d0c-7555-462f-8b3e-4563b4d874a7",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop"
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop"
},
{
"category": "Monitoring and Management",
"subcategory": "Management",
"text": "Plan for a Session Host patching and update strategy",
"description": "Customers can have several options:- Microsoft Endpoint Configuration Manager, this article explains how to configure Microsoft Endpoint Configuration Manager to automatically apply updates to a Windows Virtual Desktop host running Windows 10 Enterprise multi-session: https://docs.microsoft.com/azure/virtual-desktop/configure-automatic-updates- Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- 3rd Party that supports you OS.- Azure Update Management (Azure Automation), today not supported for client OS: https://docs.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt is recommended to move away from a patching strategy and move to a re-imaging strategy if possible. ",
"description": "Customers can have several options:- Microsoft Endpoint Configuration Manager, this article explains how to configure Microsoft Endpoint Configuration Manager to automatically apply updates to a Windows Virtual Desktop host running Windows 10 Enterprise multi-session: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates- Microsoft Intune: https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- 3rd Party that supports you OS.- Azure Update Management (Azure Automation), today not supported for client OS: https://learn.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt is recommended to move away from a patching strategy and move to a re-imaging strategy if possible. ",
"guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop"
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop"
},
{
"category": "Monitoring and Management",
@ -881,7 +881,7 @@
"description": "Host pools are a collection of one or more identical virtual machines within Windows Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. This allows you to monitor service updates before the service applies them to your standard or non-validation environment.",
"guid": "d1e8c38e-c936-4667-913c-005674b1e944",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool"
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-validation-host-pool"
},
{
"category": "Monitoring and Management",
@ -899,7 +899,7 @@
"description": "After you register a VM to a host pool within the Windows Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.",
"guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq"
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq"
},
{
"category": "BC/DR",
@ -917,7 +917,7 @@
"description": "Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended.If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism.",
"guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery"
},
{
"category": "BC/DR",
@ -926,7 +926,7 @@
"description": "Before approaching Windows Virtual Desktop BCDR planning and design, it is important to initially consider which applications are consumed through AVD are critical. You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.",
"guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery"
},
{
"category": "BC/DR",
@ -935,7 +935,7 @@
"description": "? Did you select the proper resiliency level for your Host Pool VMs (Availability Set vs. Availability Zones)?? Are you aware of implications on HA SLA and scalability limits that come with AS or AZ? ? You can currently deploy 399 VMs per Windows Virtual Desktop ARM template deployment without Availability Sets, or 200 VMs per Availability Set.? You can increase the number of VMs per deployment by switching off Availability Sets in either the ARM template or the Azure portal host pool enrollment.Deploying AZ is now possible, one AZ at time at the moment, need to manually create a fraction of VMs in each desired AZ. ",
"guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
"severity": "High",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq"
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq"
},
{
"category": "BC/DR",
@ -944,7 +944,7 @@
"description": "Azure Backup can be used also to protect Host Pool VMs, this practice is supported, even if Host Pool VMs should be stateless. This option could be considered for Personal Host Pools. ",
"guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery"
},
{
"category": "BC/DR",
@ -953,7 +953,7 @@
"description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode). ",
"guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
"severity": "Medium",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt"
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt"
},
{
"category": "BC/DR",
@ -962,7 +962,7 @@
"description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).",
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery"
},
{
"category": "BC/DR",
@ -971,16 +971,16 @@
"description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers:? Profile Pattern #1: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication, or Azure Files Sync for VM-based file servers? Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended.? LRS with local only resiliency can be used if no zone/region protection is required.? NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. ? Profile Pattern #2: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:? User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure.? Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available.? When replication between disparate storage is required.? Profile Pattern #3: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.",
"guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery"
},
{
"category": "BC/DR",
"subcategory": "Storage",
"text": "Review Azure NetApp Files DR strategy",
"description": "Geo Disaster Recovery: Azure NetApp Files is essentially is LRS (locally replicated storage), then you need to architect something more if you want cross-region replication. The recommendation for cross-region at the moment is NetApp Cloud Sync, replicating to another Azure region (and NetApp Volume). Backup: Backups are handled by snapshots, but are not automatic, need to scheduled using policies. https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. There is a maximum limit of snapshots (255) per volume as documented here: https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits.",
"description": "Geo Disaster Recovery: Azure NetApp Files is essentially is LRS (locally replicated storage), then you need to architect something more if you want cross-region replication. The recommendation for cross-region at the moment is NetApp Cloud Sync, replicating to another Azure region (and NetApp Volume). Backup: Backups are handled by snapshots, but are not automatic, need to scheduled using policies. https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. There is a maximum limit of snapshots (255) per volume as documented here: https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits.",
"guid": "23429db7-2281-4376-85cc-57b4a4b18142",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots"
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots"
},
{
"category": "BC/DR",
@ -989,7 +989,7 @@
"description": "Geo Disaster Recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. If geo-replication is required, when using Azure File Share Premium, replication with FSLogix Cloud Cache should be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered. Backup: Azure Backup fully supports Azure File Share all SKUs, and is the recommended solution to protect Profile Containers. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary.",
"guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/backup/backup-afs"
"link": "https://learn.microsoft.com/azure/backup/backup-afs"
},
{
"category": "BC/DR",
@ -998,7 +998,7 @@
"description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions, even if in case of a major disaster. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies.",
"guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
"severity": "Low",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-images-portal"
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-images-portal"
},
{
"category": "BC/DR",
@ -1007,7 +1007,7 @@
"description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.",
"guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery"
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery"
}
],
"categories": [

226
checklists/avd_checklist.es.json
Просмотреть файл

@ -40,7 +40,7 @@
"category": "Fundación",
"description": "Si es necesario conectarse al entorno local, evalúe la opción de conectividad actual o planee la conectividad necesaria. ",
"guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "Medio",
"subcategory": "General",
"text": "Determinar si se requiere conectividad híbrida para conectarse al entorno local"
@ -58,7 +58,7 @@
"category": "Fundación",
"description": "AVD almacena metadatos solo para ejecutar el servicio en ubicaciones geográficas específicas, determinar qué está disponible hoy y, si es adecuado, según los requisitos del cliente. ",
"guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
"link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
"link": "https://learn.microsoft.com/azure/virtual-desktop/data-locations",
"severity": "Medio",
"subcategory": "General",
"text": "Determinar la ubicación de metadatos para el servicio AVD"
@ -67,7 +67,7 @@
"category": "Fundación",
"description": "Compruebe si hay SKU de máquina virtual específicas, especialmente si necesita GPU o SKU de especificaciones altas y, finalmente, la disponibilidad de Azure NetApp Files si se usa. ",
"guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "Bajo",
"subcategory": "General",
"text": "Comprobar las cuotas y la disponibilidad de Azure para tamaños de máquina virtual específicos en las regiones seleccionadas"
@ -76,7 +76,7 @@
"category": "Fundación",
"description": "Consulte la sección BCDR para obtener más detalles.",
"guid": "be1f38ce-f398-412b-b463-cbbac89c199d",
"link": "https://docs.microsoft.com/azure/availability-zones/az-region",
"link": "https://learn.microsoft.com/azure/availability-zones/az-region",
"severity": "Medio",
"subcategory": "General",
"text": "Comprobar la disponibilidad de la zona de disponibilidad (AZ) en la región seleccionada"
@ -85,7 +85,7 @@
"category": "Fundación",
"description": "Para una planificación e implementación adecuadas, es importante evaluar el número máximo de usuarios y el promedio de sesiones simultáneas. ",
"guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "Medio",
"subcategory": "Clientes y Usuarios",
"text": "Evaluar cuántos usuarios se conectarán a AVD y desde qué regiones"
@ -94,7 +94,7 @@
"category": "Fundación",
"description": "Es posible que se requieran varios grupos de hosts para admitir diferentes conjuntos de usuarios, se recomienda estimar cuántos serán necesarios. ",
"guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "Medio",
"subcategory": "Clientes y Usuarios",
"text": "Determinar si todos los usuarios tendrán el mismo conjunto de aplicaciones y/o diferentes configuraciones de grupo de hosts y/o imágenes de sistema operativo"
@ -103,7 +103,7 @@
"category": "Fundación",
"description": "Se deben evaluar y revisar las dependencias de recursos externos al grupo de AVD, por ejemplo, Active Directory, recursos compartidos de archivos externos u otro almacenamiento, servicios y recursos locales, componentes de infraestructura de red como VPN y/o Express Route, servicios externos y componentes de 3rd-party. Para todos estos recursos, es necesario evaluar la latencia del grupo de hosts AVD y considerar la conectividad. Además, las consideraciones de BCDR también deben aplicarse a estas dependencias.",
"guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Bajo",
"subcategory": "Clientes y Usuarios",
"text": "Evaluar las dependencias externas para cada grupo de hosts"
@ -112,7 +112,7 @@
"category": "Fundación",
"description": "Revise las limitaciones de cada cliente y compare múltiples opciones cuando sea posible.",
"guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"link": "https://learn.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"severity": "Medio",
"subcategory": "Clientes y Usuarios",
"text": "Revisar el sistema operativo del cliente utilizado y el tipo de cliente AVD"
@ -139,7 +139,7 @@
"category": "Fundación",
"description": "Determine si a los usuarios se les ofrecerán escritorios completos y/o grupos de aplicaciones remotas. ",
"guid": "13c00567-4b1e-4945-a459-837ee7ad6c6d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "Bajo",
"subcategory": "Clientes y Usuarios",
"text": "Determinar si los usuarios accederán a AVD utilizando escritorios completos y/o aplicaciones remotas "
@ -148,7 +148,7 @@
"category": "Fundación",
"description": "Actualmente, la configuración de RDP solo se puede configurar en el nivel del grupo de hosts, no por usuario o grupo.",
"guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
"link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"link": "https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"severity": "Bajo",
"subcategory": "Clientes y Usuarios",
"text": "¿Todos los usuarios tendrán la misma configuración de RDP? "
@ -157,7 +157,7 @@
"category": "Fundación",
"description": "RDP Shortpath para redes administradas es una característica de Azure Virtual Desktop que establece un transporte directo basado en UDP entre el cliente de Escritorio remoto y el host de sesión. La eliminación del relé adicional reduce el tiempo de ida y vuelta, lo que mejora la experiencia del usuario con aplicaciones y métodos de entrada sensibles a la latencia. Para admitir RDP Shortpath, el cliente de Azure Virtual Desktop necesita una línea de visión directa al host de sesión y debe ejecutar Windows 10 o Windows 7 y tener instalado el cliente de escritorio de Windows.",
"guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
"link": "https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"severity": "Medio",
"subcategory": "Clientes y Usuarios",
"text": "Evaluar RDP ShortPath para clientes que se conectan desde redes internas administradas"
@ -166,7 +166,7 @@
"category": "Fundación",
"description": "Compartido/Agrupado o Dedicado/Personal",
"guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Alto",
"subcategory": "Planificación de la capacidad",
"text": "Determinación del tipo de grupo de hosts que se va a usar"
@ -175,7 +175,7 @@
"category": "Fundación",
"description": "Confirme que la diferencia entre asignación automática y directa se entiende bien y que la opción seleccionada es apropiada para el escenario en cuestión.",
"guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"severity": "Medio",
"subcategory": "Planificación de la capacidad",
"text": "Para el tipo de grupo de hosts personales, decida el tipo de asignación"
@ -184,16 +184,16 @@
"category": "Fundación",
"description": "Compruebe cuál usar y las opciones disponibles, tenga en cuenta que si se utilizará el escalado automático, lo establece en amplitud primero. ",
"guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
"link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"link": "https://learn.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"severity": "Medio",
"subcategory": "Planificación de la capacidad",
"text": "Para Tipo de grupo de hosts agrupados, decida el método de equilibrio de carga"
},
{
"category": "Fundación",
"description": "Según sus criterios de selección, ¿cuántos grupos de hosts necesitaría? Deberías considerar tener varios si:? ¿Múltiples imágenes del sistema operativo? ¿Varias regiones? ¿Se requiere un HW diferente? ¿Diferentes tipos de grupo de hosts (compartido vs. personal)? ¿Diferentes requisitos de usuario y SLA (usuarios principales, ejecutivos, trabajadores de oficina frente a desarrolladores, etc.)? Diferentes configuraciones de RDP (aplicadas a nivel de grupo de hosts), consulte https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties? Número requerido de máquinas virtuales en el grupo de hosts que supera las capacidades máximas",
"description": "Según sus criterios de selección, ¿cuántos grupos de hosts necesitaría? Deberías considerar tener varios si:? ¿Múltiples imágenes del sistema operativo? ¿Varias regiones? ¿Se requiere un HW diferente? ¿Diferentes tipos de grupo de hosts (compartido vs. personal)? ¿Diferentes requisitos de usuario y SLA (usuarios principales, ejecutivos, trabajadores de oficina frente a desarrolladores, etc.)? Diferentes configuraciones de RDP (aplicadas a nivel de grupo de hosts), consulte https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties? Número requerido de máquinas virtuales en el grupo de hosts que supera las capacidades máximas",
"guid": "c7c791dc-a1f6-4d56-999e-558b937d4985",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "Alto",
"subcategory": "Planificación de la capacidad",
"text": "Estimar el número de grupos de hosts diferentes para implementar "
@ -202,7 +202,7 @@
"category": "Fundación",
"description": "Utilice el enlace proporcionado para establecer un punto de partida para la decisión de SKU y, a continuación, valide mediante una prueba de rendimiento. Asegúrese de seleccionar un mínimo de 4 núcleos para producción por host de sesión (multisesión)",
"guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"severity": "Medio",
"subcategory": "Planificación de la capacidad",
"text": "Ejecute una prueba de rendimiento de carga de trabajo para determinar el mejor SKU de máquina virtual de Azure y el tamaño que se debe usar (determinar el número de hosts por grupo)"
@ -211,7 +211,7 @@
"category": "Fundación",
"description": "Es fundamental verificar la capacidad de AVD y los límites informados en el artículo al que se hace referencia. ",
"guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"severity": "Alto",
"subcategory": "Planificación de la capacidad",
"text": "Comprobar los límites de escalabilidad de AVD para el entorno"
@ -220,7 +220,7 @@
"category": "Fundación",
"description": "Los grupos de hosts con GPU requieren una configuración especial, asegúrese de revisar el artículo al que se hace referencia. ",
"guid": "c936667e-13c0-4056-94b1-e945a459837e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"severity": "Medio",
"subcategory": "Planificación de la capacidad",
"text": "Determinar si los hosts de sesión requerirán GPU"
@ -229,7 +229,7 @@
"category": "Fundación",
"description": "Siempre que sea posible, se recomienda aprovechar las SKU de VM con la función de red acelerada. Hoy en día, los sistemas operativos Windows Server son compatibles (consulte la lista en el artículo), en el futuro el sistema operativo cliente de Windows también puede incluirse. ",
"guid": "b47a393a-0803-4272-a479-8b1578b219a4",
"link": "https://docs.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"link": "https://learn.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"severity": "Bajo",
"subcategory": "Planificación de la capacidad",
"text": "Se recomienda usar SKU de máquina virtual capaces de aprovechar la característica de redes aceleradas en Azure."
@ -238,7 +238,7 @@
"category": "Identidad",
"description": "Una suscripción de Azure debe ser primaria al mismo inquilino de Azure AD, que contiene una red virtual que contiene o está conectada a la instancia de Windows Server Active Directory o Azure AD DS.",
"guid": "6ceb5443-5125-4922-9442-93bb628537a5",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Alto",
"subcategory": "Requisitos",
"text": "Un inquilino de Azure Active Directory debe estar disponible con al menos una suscripción vinculada"
@ -247,7 +247,7 @@
"category": "Identidad",
"description": "Puede configurarlo mediante Azure AD Connect (para organizaciones híbridas) o Servicios de dominio de Azure AD (para organizaciones híbridas o en la nube).",
"guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Alto",
"subcategory": "Requisitos",
"text": "Un bosque/dominio de Windows Server Active Directory está sincronizado con Azure Active Directory"
@ -256,7 +256,7 @@
"category": "Identidad",
"description": "(1) El usuario debe provenir del mismo Active Directory que está conectado a Azure AD. Windows Virtual Desktop no admite cuentas B2B o MSA. (2) El UPN que use para suscribirse a Windows Virtual Desktop debe existir en el dominio de Active Directory al que está unida la máquina virtual.",
"guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Medio",
"subcategory": "Requisitos",
"text": "Compruebe los requisitos de la cuenta de usuario para conectarse a Windows Virtual Desktop"
@ -265,7 +265,7 @@
"category": "Identidad",
"description": "Las máquinas virtuales deben estar unidas a un dominio estándar o híbridas a AD. Las máquinas virtuales no se pueden unir a Azure AD.",
"guid": "ea962a15-9394-46da-a7cc-3923266b2258",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Medio",
"subcategory": "Requisitos",
"text": "Compruebe los requisitos de VM para los hosts de sesión AVD que se crearán"
@ -274,7 +274,7 @@
"category": "Identidad",
"description": "Comparación de Servicios de dominio de Active Directory autoadministrados, Azure Active Directory y Servicios de dominio de Azure Active Directory administrados",
"guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
"link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"link": "https://learn.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"severity": "Bajo",
"subcategory": "Requisitos",
"text": "Antes de usar los Servicios de dominio de Azure Active Directory (AAD-DS) para AVD, asegúrese de revisar las limitaciones. "
@ -283,7 +283,7 @@
"category": "Identidad",
"description": "Se recomiendan los controladores de dominio de AD en Azure para reducir la latencia de los usuarios que inician sesión en hosts de sesión de AVD y, finalmente, para la integración de Azure NetApp Files y AD. ADC debe poder comunicarse con los controladores de dominio para TODOS los dominios secundarios. Como alternativa, se debe usar la conectividad local para llegar a los controladores de dominio de AD. ",
"guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
"link": "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"severity": "Medio",
"subcategory": "Active Directory",
"text": "Creación de al menos dos controladores de dominio (DC) de Active Directory en un entorno de red virtual de Azure cerca del grupo de hosts AVD"
@ -292,7 +292,7 @@
"category": "Identidad",
"description": "Se recomienda crear una unidad organizativa independiente por grupo de hosts en una jerarquía de unidades organizativas independiente. Estas unidades organizativas contendrán cuentas de máquina de hosts de sesión AVD. ",
"guid": "6db55f57-9603-4334-adf9-cc23418db612",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Bajo",
"subcategory": "Active Directory",
"text": "Crear una unidad organizativa específica en Active Directory para cada grupo de hosts"
@ -301,7 +301,7 @@
"category": "Identidad",
"description": "Revise cuidadosamente y, finalmente, bloquee o filtre la herencia de GPO a las unidades organizativas que contienen grupos de hosts AVD. ",
"guid": "7126504b-b47a-4393-a080-327294798b15",
"link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"link": "https://learn.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"severity": "Medio",
"subcategory": "Active Directory",
"text": "Revisar el GPO de dominio que se aplicará a la unidad organizativa y que afecta a las funcionalidades de la máquina virtual del grupo de hosts"
@ -310,7 +310,7 @@
"category": "Identidad",
"description": "Se recomienda tener una cuenta dedicada específica con permisos específicos y sin la limitación predeterminada de 10 uniones. ",
"guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Medio",
"subcategory": "Active Directory",
"text": "Crear una cuenta de usuario dedicada con solo permisos para unir la máquina virtual al dominio"
@ -319,7 +319,7 @@
"category": "Identidad",
"description": "Evite conceder acceso por usuario, en su lugar use grupos de AD y replíquelos con ADC en Azure AD. ",
"guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "Medio",
"subcategory": "Active Directory",
"text": "Crear un grupo de usuarios de dominio para cada conjunto de usuarios a los que se concederá acceso a cada grupo de aplicaciones del grupo de servidores host (DAG o RAG)"
@ -328,7 +328,7 @@
"category": "Identidad",
"description": "Como parte del procedimiento para integrar el recurso compartido de archivos de Azure y la autenticación de Active Directory, se creará una cuenta de AD para representar la cuenta de almacenamiento (recurso compartido de archivos). Puede elegir registrarse como cuenta de equipo o cuenta de inicio de sesión de servicio, consulte Preguntas frecuentes para obtener más información. Para las cuentas de equipo, hay una antigüedad de caducidad de contraseña predeterminada establecida en AD en 30 días. Del mismo modo, la cuenta de inicio de sesión del servicio puede tener una antigüedad de caducidad de contraseña predeterminada establecida en el dominio de AD o la unidad organizativa (OU). Para ambos tipos de cuenta, le recomendamos que compruebe la antigüedad de caducidad de la contraseña configurada en su entorno de AD y planee actualizar la contraseña de la identidad de la cuenta de almacenamiento de la cuenta de AD antes de la antigüedad máxima de la contraseña. Puede considerar la posibilidad de crear una nueva unidad organizativa (OU) de AD en AD y deshabilitar la directiva de caducidad de contraseñas en cuentas de equipo o cuentas de inicio de sesión de servicio en consecuencia.",
"guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"severity": "Bajo",
"subcategory": "Active Directory",
"text": "Revisión de la directiva de expiración de contraseñas de la organización para las cuentas usadas por la integración de Azure Files AD"
@ -337,7 +337,7 @@
"category": "Gestión de redes",
"description": "¿Qué tipo de conectividad híbrida? ¿Ruta Express, VPN, NVA?",
"guid": "c8639648-a652-4d6c-85e5-02965388e5de",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "Medio",
"subcategory": "Gestión de redes",
"text": "Revisar la arquitectura de conectividad híbrida para el entorno local"
@ -346,7 +346,7 @@
"category": "Gestión de redes",
"description": "Evalúe los requisitos de ancho de banda, asegúrese de que el ancho de banda VPN/ER sea suficiente y que la latencia sea tolerable. ",
"guid": "d227dd14-2b06-4c21-a799-9a646f4389a7",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "Medio",
"subcategory": "Gestión de redes",
"text": "Evaluar qué recursos necesitarán los usuarios para acceder desde grupos de hosts AVD a las instalaciones"
@ -355,7 +355,7 @@
"category": "Gestión de redes",
"description": "Revise o recomiende uno nuevo donde colocar grupos de hosts AVD basados en CAF (vWAN vs. Hub & Spoke)",
"guid": "f42c78e7-8c06-4a63-a21a-4956e6a8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"severity": "Alto",
"subcategory": "Gestión de redes",
"text": "Revisar la topología de red de la zona de aterrizaje para el servicio AVD"
@ -364,14 +364,14 @@
"category": "Gestión de redes",
"description": "Asegúrese de que cada subred tenga suficiente espacio para escalar el grupo de hosts AVD. Para diferentes grupos de hosts, se recomienda usar subredes independientes si es posible. ",
"guid": "20e27b3e-2971-41b1-952b-eee079b588de",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Medio",
"subcategory": "Gestión de redes",
"text": "Evaluación de la ubicación de redes virtuales y subredes para varios grupos de servidores host"
},
{
"category": "Gestión de redes",
"description": "Hay varias opciones disponibles. Puede usar Azure Firewall o NVA Firewall, NSG y/o Proxy. NSG no puede habilitar/deshabilitar por URL, solo puertos y protocolos. El proxy debe usarse solo como configuración explícita en el navegador del usuario. Los detalles sobre el uso de Azure Firewall Premium con AVD están aquí en https://aka.ms/AVDfirewall y aquí https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop. Asegúrese de revisar la lista completa de requisitos para el acceso a las URL de AVD.",
"description": "Hay varias opciones disponibles. Puede usar Azure Firewall o NVA Firewall, NSG y/o Proxy. NSG no puede habilitar/deshabilitar por URL, solo puertos y protocolos. El proxy debe usarse solo como configuración explícita en el navegador del usuario. Los detalles sobre el uso de Azure Firewall Premium con AVD están aquí en https://aka.ms/AVDfirewall y aquí https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop. Asegúrese de revisar la lista completa de requisitos para el acceso a las URL de AVD.",
"guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
"link": "https://aka.ms/AVDfirewall",
"severity": "Medio",
@ -389,18 +389,18 @@
},
{
"category": "Gestión de redes",
"description": "UDR personalizado se puede aplicar a la subred del grupo de hosts de AVD, por ejemplo, para redirigir a Azure Firewall o NVA. En este caso se recomienda revisar cuidadosamente para asegurarse de que se utiliza la ruta óptima para el tráfico saliente al plano de control AVD. Las etiquetas de servicio ahora se pueden usar con UDR, luego el tráfico del plano de administración de AVD se puede incluir fácilmente en la lista blanca. https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"description": "UDR personalizado se puede aplicar a la subred del grupo de hosts de AVD, por ejemplo, para redirigir a Azure Firewall o NVA. En este caso se recomienda revisar cuidadosamente para asegurarse de que se utiliza la ruta óptima para el tráfico saliente al plano de control AVD. Las etiquetas de servicio ahora se pueden usar con UDR, luego el tráfico del plano de administración de AVD se puede incluir fácilmente en la lista blanca. https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
"link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"severity": "Bajo",
"subcategory": "Gestión de redes",
"text": "Revisar UDR para la subred del grupo de hosts AVD"
},
{
"category": "Gestión de redes",
"description": "Las URL necesarias para el acceso al plano de control AVD por parte de los hosts de sesión se documentan aquí: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. Hay disponible una herramienta de comprobación para verificar la conectividad de los hosts de sesión: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"description": "Las URL necesarias para el acceso al plano de control AVD por parte de los hosts de sesión se documentan aquí: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list. Hay disponible una herramienta de comprobación para verificar la conectividad de los hosts de sesión: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list",
"link": "https://learn.microsoft.com/azure/virtual-desktop/safe-url-list",
"severity": "Alto",
"subcategory": "Gestión de redes",
"text": "Asegúrese de que los puntos finales del plano de control AVD sean accesibles"
@ -409,7 +409,7 @@
"category": "Gestión de redes",
"description": "Se recomienda evaluar y revisar los requisitos de ancho de banda de red para los usuarios, en función del tipo de carga de trabajo específico. El artículo al que se hace referencia proporciona estimaciones y recomendaciones generales, pero se requieren medidas específicas para un tamaño adecuado. ",
"guid": "516785c6-fa96-4c96-ad88-408f372734c8",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"severity": "Bajo",
"subcategory": "Gestión de redes",
"text": "Compruebe el ancho de banda de red necesario para cada usuario y, en total, para la SKU de máquina virtual"
@ -418,7 +418,7 @@
"category": "Calcular",
"description": "Una vez seleccionada la SKU de máquina virtual que se usará para la implementación del grupo de hosts, se recomienda usar el tipo Gen2 de la SKU para una mayor seguridad y capacidades mejoradas.",
"guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
"link": "https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2",
"link": "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2",
"severity": "Medio",
"subcategory": "Host de sesión",
"text": "Evaluar el uso de la máquina virtual Gen2 para la implementación del grupo de hosts"
@ -427,7 +427,7 @@
"category": "Calcular",
"description": "Las aplicaciones se pueden preinstalar en la(s) imagen(es) dorada, se pueden adjuntar utilizando la función MSIX & AppAttach o distribuyendo a hosts después de la implementación del grupo utilizando métodos tradicionales de distribución de SW.",
"guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "Alto",
"subcategory": "Imagen/es dorada/s",
"text": "Determinar cómo se implementarán las aplicaciones en los grupos de hosts AVD"
@ -436,7 +436,7 @@
"category": "Calcular",
"description": "¿Usarán el enmascaramiento de aplicaciones fslogix que se prestaría a una sola imagen, o múltiples imágenes con diferentes aplicaciones incorporadas: ¿qué es lo que requiere que se use más de una imagen?",
"guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Medio",
"subcategory": "Imagen/es dorada/s",
"text": "Estimar el número de imágenes doradas que se requerirán"
@ -445,7 +445,7 @@
"category": "Calcular",
"description": "Determine qué SO invitado se usará para implementar cada grupo de hosts: Windows 10 frente a Windows Server, Marketplace frente a imágenes personalizadas",
"guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Medio",
"subcategory": "Imagen/es dorada/s",
"text": "Determinar qué imagenes del sistema operativo usará para la implementación del grupo de hosts"
@ -454,7 +454,7 @@
"category": "Calcular",
"description": "Si no existe nada, considere la posibilidad de usar Azure Image Builder para automatizar el proceso de compilación. ",
"guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
"link": "https://docs.microsoft.com/azure/virtual-machines/image-builder-overview",
"link": "https://learn.microsoft.com/azure/virtual-machines/image-builder-overview",
"severity": "Bajo",
"subcategory": "Imagen/es dorada/s",
"text": "Si se va a utilizar una imagen personalizada, determine si existe un proceso de compilación automatizado."
@ -463,7 +463,7 @@
"category": "Calcular",
"description": "Evalúe la Galería de proceso de Azure.",
"guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"severity": "Bajo",
"subcategory": "Imagen/es dorada/s",
"text": "Si se va a utilizar una imagen personalizada, ¿existe un plan para organizar y gestionar el ciclo de vida de las imágenes?"
@ -472,14 +472,14 @@
"category": "Calcular",
"description": "Hay algunas mejores prácticas y recomendaciones conocidas para la personalización de la imagen dorada, asegúrese de consultar el artículo al que se hace referencia. ",
"guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "Medio",
"subcategory": "Imagen/es dorada/s",
"text": "Si se va a utilizar una imagen personalizada, consulte las prácticas recomendadas para AVD sobre cómo crear una imagen maestra"
},
{
"category": "Calcular",
"description": "Este conjunto de herramientas se ha creado para aplicar automáticamente la configuración a la que se hace referencia en las notas del producto 'Optimización de Windows 10, versión 2004 para un rol de infraestructura de escritorio virtual (VDI)': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Se debe considerar el uso de la herramienta y / o las optimizaciones mencionadas en el documento técnico. ",
"description": "Este conjunto de herramientas se ha creado para aplicar automáticamente la configuración a la que se hace referencia en las notas del producto 'Optimización de Windows 10, versión 2004 para un rol de infraestructura de escritorio virtual (VDI)': https://learn.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Se debe considerar el uso de la herramienta y / o las optimizaciones mencionadas en el documento técnico. ",
"guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
"link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool",
"severity": "Medio",
@ -490,7 +490,7 @@
"category": "Calcular",
"description": "Determine si ya existe una herramienta de administración de configuración para administrar la configuración de la máquina virtual del grupo de hosts después de la implementación inicial, por ejemplo, SCCM, MEM/Intune, GPO, soluciones de 3rd-party.",
"guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
"link": "https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"link": "https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"severity": "Bajo",
"subcategory": "Imagen/es dorada/s",
"text": "Planificar/evaluar la estrategia de gestión de la configuración del host de sesión AVD"
@ -499,7 +499,7 @@
"category": "Calcular",
"description": "Revise el artículo proporcionado y marque 'Redirección de carpetas conocidas' y 'Archivos a petición' Las características de OneDrive deben considerarse y, finalmente, adoptarse.",
"guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"severity": "Medio",
"subcategory": "Imagen/es dorada/s",
"text": "Determinar si Microsoft OneDrive formará parte de la implementación de AVD"
@ -508,7 +508,7 @@
"category": "Calcular",
"description": "Asegúrese de revisar este artículo y usar la versión más reciente, revisar y evaluar las exclusiones de Teams para reducir el tamaño del perfil.",
"guid": "b5887953-5d22-4788-9d30-b66c67be5951",
"link": "https://docs.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"severity": "Medio",
"subcategory": "Imagen/es dorada/s",
"text": "Determinar si Microsoft Teams formará parte de la implementación de AVD"
@ -517,7 +517,7 @@
"category": "Calcular",
"description": "Se recomienda encarecidamente utilizar cuentas de almacenamiento/recursos compartidos independientes para almacenar paquetes MSIX. Si es necesario, el almacenamiento puede escalar horizontalmente de forma independiente y no verse afectado por las actividades de E/S del perfil. Azure ofrece varias opciones de almacenamiento que se pueden usar para la conexión de aplicaciones MISX. Se recomienda usar Azure Files o Azure NetApp Files, ya que estas opciones ofrecen el mejor valor entre costo y gastos generales de administración. ",
"guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "Alto",
"subcategory": "MSIX y AppAttach",
"text": "No use la misma cuenta/recurso compartido de almacenamiento que los contenedores de perfil/Office "
@ -526,7 +526,7 @@
"category": "Calcular",
"description": "En el artículo al que se hace referencia, informamos pocas pero importantes consideraciones de rendimiento para el uso de MSIX en el contexto AVD, asegúrese de revisarlo cuidadosamente.",
"guid": "241addce-5793-477b-adb3-751ab2ac1fad",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "Alto",
"subcategory": "MSIX y AppAttach",
"text": "Revisar las consideraciones de rendimiento para MSIX"
@ -535,7 +535,7 @@
"category": "Calcular",
"description": "La conexión de la aplicación MSIX requiere permisos de solo lectura para acceder al recurso compartido de archivos. Si va a almacenar las aplicaciones MSIX en Azure Files, deberá asignar a todas las máquinas virtuales host de sesión permisos de control de acceso basado en roles (RBAC) de cuentas de almacenamiento y permisos del sistema de archivos de nueva tecnología (NTFS) en el recurso compartido.",
"guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "Medio",
"subcategory": "MSIX y AppAttach",
"text": "Comprobar los permisos de host de sesión adecuados para el recurso compartido MSIX"
@ -544,7 +544,7 @@
"category": "Calcular",
"description": "El proveedor de software de 3rd party debe proporcionar un paquete MSIX, no se recomienda que el cliente intente el procedimiento de conversión sin el soporte adecuado del propietario de la aplicación.",
"guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "Medio",
"subcategory": "MSIX y AppAttach",
"text": "Paquetes MSIX para aplicaciones de 3ª parte"
@ -553,7 +553,7 @@
"category": "Calcular",
"description": "La aplicación MSIX adjunta no admite la actualización automática para aplicaciones MSIX, por lo que debe deshabilitarse.",
"guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "Bajo",
"subcategory": "MSIX y AppAttach",
"text": "Deshabilitar la actualización automática para paquetes MSIX"
@ -562,7 +562,7 @@
"category": "Calcular",
"description": "Para aprovechar MSIX & App Attach, la imagen del sistema operativo invitado para el grupo de hosts AVD debe ser Windows 10 Enterprise o Windows 10 Enterprise Multi-session, versión 2004 o posterior.",
"guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "Medio",
"subcategory": "MSIX y AppAttach",
"text": "Revisar la compatibilidad con sistemas operativos"
@ -571,7 +571,7 @@
"category": "Almacenamiento",
"description": "HDD estándar, SSD estándar o SSD premium, discos efímeros no son compatibles, no se recomiendan discos Ultra. Se recomienda evaluar Premium para el disco del sistema operativo si la densidad de usuarios no es baja y si va a utilizar Cloud Cache. ",
"guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"severity": "Medio",
"subcategory": "Host de sesión ",
"text": "Determinar qué tipo de disco administrado se utilizará para los hosts de sesión "
@ -580,16 +580,16 @@
"category": "Almacenamiento",
"description": "Azure NetApp Files, Azure Files, servidor de archivos basado en VM. No se recomienda el servidor de archivos. Azure Files Premium suele ser un buen punto de partida. Por lo general, NetApp solo se requiere para entornos de gran escala / alto rendimiento. ",
"guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Determinar qué solución back-end de almacenamiento se usará para FSLogix Profile y Office Containers"
},
{
"category": "Almacenamiento",
"description": "La recomendación de Windows Virtual Desktop es usar el contenedor de perfiles sin el contenedor de Office, a menos que esté planeando escenarios específicos de continuidad empresarial y recuperación ante desastres (BCDR), como se describe en la sección Recuperación ante desastres a continuación. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"description": "La recomendación de Windows Virtual Desktop es usar el contenedor de perfiles sin el contenedor de Office, a menos que esté planeando escenarios específicos de continuidad empresarial y recuperación ante desastres (BCDR), como se describe en la sección Recuperación ante desastres a continuación. https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
"link": "https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt",
"link": "https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt",
"severity": "Bajo",
"subcategory": "FSLogix",
"text": "Evaluar la posibilidad de separar los contenedores de perfiles de los contenedores de Office"
@ -598,7 +598,7 @@
"category": "Almacenamiento",
"description": "Como punto de partida para estimar los requisitos de rendimiento de almacenamiento de contenedores de perfiles, se recomienda asumir 10 IOPS por usuario en estado estable y 50 IOPS por usuario durante el inicio y cierre de sesión.",
"guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Verificar los límites de escalabilidad del almacenamiento para admitir los requisitos del grupo de hosts"
@ -616,7 +616,7 @@
"category": "Almacenamiento",
"description": "Evite introducir latencia y costos adicionales asociados con el tráfico de red entre regiones siempre que sea posible.",
"guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Para un rendimiento óptimo, la solución de almacenamiento y el contenedor de perfiles FSLogix deben estar en la misma ubicación del centro de datos."
@ -625,16 +625,16 @@
"category": "Almacenamiento",
"description": "Asegúrese de configurar las siguientes exclusiones antivirus para los discos duros virtuales del contenedor de perfiles FSLogix, como se documenta en el artículo al que se hace referencia.",
"guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Medio",
"subcategory": "FSLogix",
"text": "Configure las exclusiones antivirus recomendadas para FSLogix (incluye no analizar archivos VHD(x) al conectarse)."
},
{
"category": "Almacenamiento",
"description": "La configuración básica y recomendada predeterminada está aquí: https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises Consulte aquí el conjunto básico: https://docs.microsoft.com/fslogix/configure-profile-container-tutorialSee aquí para una referencia completa: https://docs.microsoft.com/fslogix/profile-container-configuration-reference ",
"description": "La configuración básica y recomendada predeterminada está aquí: https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises Consulte aquí el conjunto básico: https://learn.microsoft.com/fslogix/configure-profile-container-tutorialSee aquí para una referencia completa: https://learn.microsoft.com/fslogix/profile-container-configuration-reference ",
"guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Revise las claves del Registro FSLogix y determine cuáles aplicar"
@ -643,7 +643,7 @@
"category": "Almacenamiento",
"description": "Se desaconsejan las conexiones simultáneas o múltiples en Windows Virtual Desktop. La práctica recomendada es crear una ubicación de perfil diferente para cada sesión (como grupo de servidores).",
"guid": "5e985b85-9c77-43e7-b261-623b775a917e",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Comprobar el uso de conexiones simultáneas o múltiples al mismo perfil"
@ -652,7 +652,7 @@
"category": "Almacenamiento",
"description": "Como estimación general, para ser validada en un entorno de prueba, para cada usuario se deben considerar primero de 5 a 15 IOPS, dependiendo de la carga de trabajo. Azure Files: Premium max 100k IOPS por recurso compartido (máx. 100TB) y hasta 5Gbps con latencia de 3ms. Tenga en cuenta cómo se aprovisiona Azure Files, es decir, IOPS estrictamente vinculadas a SIZE aprovisionado. Capacidad de dimensionamiento de ráfaga en algunos casos. Asegúrese de aprovisionar por adelantado más espacio del necesario para asegurarse de tener suficientes IOPS. NOTA: Azure Premium puede ser más barato que Standard porque no paga transacciones, luego detalles importantes a tener en cuenta. Azure NetApp Files: recuerde un máximo de 1000 direcciones IP conectadas, puede ajustar IOPS sobre la marcha, capacidad aprovisionada mínima de 4 TB. ",
"guid": "1f348ff3-64d2-47d4-8e8b-bbc868155abb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Revisar las mejores prácticas y las consideraciones clave para el dimensionamiento del almacenamiento"
@ -661,7 +661,7 @@
"category": "Almacenamiento",
"description": "Asegúrese de consultar la lista de prácticas recomendadas y recomendaciones descritas en el artículo al que se hace referencia.",
"guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Medio",
"subcategory": "FSLogix",
"text": "Compruebe los procedimientos recomendados para Azure Files (si se usa)"
@ -670,7 +670,7 @@
"category": "Almacenamiento",
"description": "Asegúrese de consultar la lista de prácticas recomendadas y recomendaciones descritas en el artículo al que se hace referencia.",
"guid": "c42149d4-13a9-423c-9574-d11028ac6aae",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Medio",
"subcategory": "FSLogix",
"text": "Compruebe las prácticas recomendadas para los archivos de NetApp (si se utilizan)"
@ -679,7 +679,7 @@
"category": "Almacenamiento",
"description": "Los contenedores de perfiles tienen un tamaño máximo predeterminado de 30 GB. Si se anticipan contenedores de perfiles grandes y los clientes quieren intentar mantenerlos pequeños, considere la posibilidad de usar OneDrive para hospedar archivos de Office 365 fuera del perfil de FSLogix.",
"guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
"link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/profile-container-configuration-reference",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Revisar y confirmar el tamaño máximo de perfil configurado en FSLogix"
@ -688,7 +688,7 @@
"category": "Almacenamiento",
"description": "Cloud Cache utiliza el disco local como caché y puede generar mucha presión en el disco de la máquina virtual. Se recomienda aprovechar la potencia del disco de máquina virtual temporal (y conectado localmente), si es posible en función de la SKU de máquina virtual. ",
"guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
"link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/cloud-cache-configuration-reference",
"severity": "Medio",
"subcategory": "FSLogix",
"text": "Si se utiliza FSLogix Cloud Cache, mueva el directorio Cache a la unidad temporal."
@ -697,7 +697,7 @@
"category": "Almacenamiento",
"description": "REDIRECTION.XML archivo se utiliza para controlar qué carpetas se redirigen fuera del contenedor de perfiles a la unidad C:. Las exclusiones deben ser la excepción y nunca deben usarse a menos que la exclusión específica sea completamente entendida por la persona que configura la exclusión. Las exclusiones siempre deben probarse completamente en el entorno donde se pretende implementar. La configuración de exclusiones puede afectar a la funcionalidad, la estabilidad y el rendimiento.",
"guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"severity": "Medio",
"subcategory": "FSLogix",
"text": "Revise el uso de la redirección FSLogix."
@ -706,7 +706,7 @@
"category": "Almacenamiento",
"description": "Se debe crear un sitio de Active Directory para el entorno de red virtual de Azure donde se creará la subred ANF y ese nombre de sitio debe especificarse en la propiedad de conexión ANF al ejecutar el procedimiento de unión, como se explica en el artículo de referencia.",
"guid": "6647e977-db49-48a8-bc35-743f17499d42",
"link": "https://docs.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"link": "https://learn.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Si se usa el almacenamiento de Azure NetApp Files, compruebe la configuración del nombre del sitio de AD en la conexión de AD."
@ -724,34 +724,34 @@
"category": "Seguridad",
"description": "Le recomendamos que no conceda a los usuarios acceso de administrador a escritorios virtuales. Si necesita paquetes de software, le recomendamos que los ponga a disposición a través de utilidades de administración de configuración como Microsoft Endpoint Manager. En un entorno multisesión, le recomendamos que no permita que los usuarios instalen software directamente.",
"guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Medio",
"subcategory": "Configuración del host",
"text": "Asegúrese de que los usuarios de AVD no tengan privilegios de administrador local en los hosts AVD. "
},
{
"category": "Seguridad",
"description": "Microsoft Defender para Endpoint ahora admite Windows Virtual Desktop para Windows 10 Enterprise multisesión. Consulte el artículo para la incorporación de dispositivos de infraestructura de escritorio virtual (VDI) no persistentes: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"description": "Microsoft Defender para Endpoint ahora admite Windows Virtual Desktop para Windows 10 Enterprise multisesión. Consulte el artículo para la incorporación de dispositivos de infraestructura de escritorio virtual (VDI) no persistentes: https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"guid": "b1172576-9ef6-4691-a483-5ac932223ece",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Alto",
"subcategory": "Configuración del host",
"text": "Asegúrese de que se utiliza una solución antivirus y antimalware"
},
{
"category": "Seguridad",
"description": "Asegúrese de que las siguientes exclusiones estén en su lugar: https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"description": "Asegúrese de que las siguientes exclusiones estén en su lugar: https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"guid": "80b12308-1a54-4174-8583-3ea3ad2c2de7",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "Configuración del host",
"text": "Asegúrese de que las exclusiones AV adecuadas estén en su lugar"
},
{
"category": "Seguridad",
"description": "Los discos de Azure ya están cifrados en reposo de forma predeterminada con claves administradas por Microsoft. El cifrado de disco del sistema operativo de la máquina virtual host es posible y compatible con ADE y DES: los datos de usuario sensibles y peristentes no deben almacenarse en el disco host de sesión, entonces deben usarse solo si es estrictamente necesario por razones de cumplimiento. El cifrado del almacenamiento FSLogix mediante Azure Files se puede realizar mediante SSE en Azure Storage.Para el cifrado de OneDrive, consulte este artículo: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
"description": "Los discos de Azure ya están cifrados en reposo de forma predeterminada con claves administradas por Microsoft. El cifrado de disco del sistema operativo de la máquina virtual host es posible y compatible con ADE y DES: los datos de usuario sensibles y peristentes no deben almacenarse en el disco host de sesión, entonces deben usarse solo si es estrictamente necesario por razones de cumplimiento. El cifrado del almacenamiento FSLogix mediante Azure Files se puede realizar mediante SSE en Azure Storage.Para el cifrado de OneDrive, consulte este artículo: https://learn.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
"guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Bajo",
"subcategory": "Configuración del host",
"text": "Evaluar los requisitos de cifrado de disco para hosts AVD"
@ -769,7 +769,7 @@
"category": "Seguridad",
"description": "Se recomienda habilitar Azure Security Center Standard para suscripciones, máquinas virtuales, almacenes de claves y cuentas de almacenamiento. Con Azure Security Center Standard es posible evaluar y administrar vulnerabilidades, evaluar el cumplimiento de marcos comunes como PCI, fortalecer la seguridad general de su entorno AVD.",
"guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Medio",
"subcategory": "Seguridad",
"text": "Evaluación del uso de Azure Security Center (ASC) para hosts de sesión AVD"
@ -778,7 +778,7 @@
"category": "Seguridad",
"description": "Debe utilizarse, por ejemplo, para imponer el bloqueo del escritorio y la terminación de la sesión inactiva. Los GPO existentes aplicados al entorno local deben revisarse y, finalmente, aplicarse para proteger también los hosts AVD. ",
"guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Medio",
"subcategory": "Seguridad",
"text": "Revisar los GPO de Active Directory para proteger las sesiones RDP"
@ -787,7 +787,7 @@
"category": "Seguridad",
"description": "Para obtener detalles e información adicionales, consulte este artículo: https://christiaanbrinkhoff.com/2020/03/23/learn-how-to-increase-the-security-level-of-your-windows-virtual-desktop-environment-e-g-windows-client-with-azure-mfa-and-conditional-access",
"guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-mfa",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
"severity": "Bajo",
"subcategory": "Seguridad",
"text": "Evaluar el uso de MFA para usuarios de AVD"
@ -796,7 +796,7 @@
"category": "Seguridad",
"description": "La habilitación del acceso condicional le permite administrar los riesgos antes de conceder a los usuarios acceso a su entorno de Windows Virtual Desktop. Al decidir a qué usuarios conceder acceso, le recomendamos que también tenga en cuenta quién es el usuario, cómo inicia sesión y qué dispositivo está usando.",
"guid": "556246b4-3856-44b4-bc74-a748b6633ad2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Bajo",
"subcategory": "Seguridad",
"text": "Evaluar el uso del acceso condicional para los usuarios"
@ -805,7 +805,7 @@
"category": "Seguridad",
"description": "Habilitar la recopilación de registros de auditoría le permite ver la actividad de usuarios y administradores relacionada con Windows Virtual Desktop. Este es también un requisito para eanble y utilizar la herramienta de monitoreo AVD. Muy recomendable para habilitar. ",
"guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Medio",
"subcategory": "Seguridad",
"text": "Habilitar el registro de diagnóstico y auditoría en el área de trabajo central de Log Analytics"
@ -814,7 +814,7 @@
"category": "Seguridad",
"description": "AVD usa controles de acceso basados en rol (RBAC) de Azure para asignar roles a usuarios y administradores. Estos roles dan permiso a los administradores para llevar a cabo ciertas tareas. Si se requiere separación de tareas, Windows Virtual Desktop tiene funciones adicionales que permiten separar las funciones de administración para grupos host, grupos de aplicaciones y áreas de trabajo. Esta separación le permite tener un control más granular sobre las tareas administrativas. Estos roles se denominan de conformidad con los roles estándar y la metodología de privilegios mínimos de Azure.",
"guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
"link": "https://learn.microsoft.com/azure/virtual-desktop/rbac",
"severity": "Bajo",
"subcategory": "Seguridad",
"text": "Evaluar el requisito de usar roles RBAC personalizados para la administración de AVD "
@ -823,7 +823,7 @@
"category": "Seguridad",
"description": "Un conjunto completo de mejores prácticas de seguridad y recomendaciones se encuentran en el artículo al que se hace referencia, se recomienda revisar. ",
"guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Medio",
"subcategory": "Seguridad",
"text": "Revisar todas las prácticas recomendadas de seguridad para el entorno AVD"
@ -832,7 +832,7 @@
"category": "Monitoreo y Gestión",
"description": "Azure Monitor para Windows Virtual Desktop es un panel basado en libros de Azure Monitor que ayuda a los profesionales de TI a comprender sus entornos de Windows Virtual Desktop. Lea el artículo al que se hace referencia para obtener información sobre cómo configurar Azure Monitor para Windows Virtual Desktop para supervisar los entornos de Windows Virtual Desktop.",
"guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-monitor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-monitor",
"severity": "Alto",
"subcategory": "Monitorización",
"text": "Habilitación de la supervisión de Azure para AVD"
@ -841,16 +841,16 @@
"category": "Monitoreo y Gestión",
"description": "Windows Virtual Desktop usa Azure Monitor y Log Analytics para la supervisión y las alertas como muchos otros servicios de Azure. Esto permite a los administradores identificar problemas a través de una única interfaz. El servicio crea registros de actividad para las acciones administrativas y de usuario. Cada registro de actividad se divide en las siguientes categorías: Administración, Fuente, Conexiones, Registro de host, Errores, Puntos de control. ",
"guid": "81770afb-c4c0-4e43-a186-58d2857ed671",
"link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"link": "https://learn.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"severity": "Medio",
"subcategory": "Monitorización",
"text": "Habilitar y redirigir la configuración de diagnóstico para áreas de trabajo, grupos de hosts, grupos de aplicaciones y máquinas virtuales host al área de trabajo de Log Analytics"
},
{
"category": "Monitoreo y Gestión",
"description": "Consulte el artículo al que se hace referencia y este adicional para configurar la supervisión y las alertas adecuadas para el almacenamiento: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"description": "Consulte el artículo al que se hace referencia y este adicional para configurar la supervisión y las alertas adecuadas para el almacenamiento: https://learn.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"guid": "2463cffe-179c-4599-be0d-5973dd4ce32c",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"severity": "Medio",
"subcategory": "Monitorización",
"text": "Crear alertas en el almacenamiento del perfil para recibir alertas en caso de uso elevado y limitación"
@ -859,7 +859,7 @@
"category": "Monitoreo y Gestión",
"description": "Puede usar Azure Service Health para supervisar problemas de servicio y avisos de mantenimiento para Windows Virtual Desktop. Azure Service Health puede notificarle con diferentes tipos de alertas (por ejemplo, correo electrónico o SMS), ayudarle a comprender el efecto de un problema y mantenerle actualizado a medida que se resuelve el problema.",
"guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"severity": "Medio",
"subcategory": "Monitorización",
"text": "Configuración del estado del servicio de Azure para alertas AVD "
@ -868,7 +868,7 @@
"category": "Monitoreo y Gestión",
"description": "La herramienta de escalado proporciona una opción de automatización de bajo costo para los clientes que desean optimizar los costos de la máquina virtual del host de sesión. Puede usar la herramienta de escalado para programar máquinas virtuales para que se inicien y detengan en función de las horas comerciales pico y fuera de pico, escalar horizontalmente máquinas virtuales en función del número de sesiones por núcleo de CPU, escalar en máquinas virtuales durante las horas de menor actividad, dejando en ejecución el número mínimo de máquinas virtuales host de sesión. Aún no está disponible para el tipo de grupo de hosts personales, se recomienda tener una configuración independiente para cada grupo de hosts. ",
"guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"severity": "Bajo",
"subcategory": "Administración",
"text": "Evaluar el requisito de la capacidad de escalado automático del grupo de hosts"
@ -877,7 +877,7 @@
"category": "Monitoreo y Gestión",
"description": "Azure Advisor analiza las configuraciones y la telemetría para ofrecer recomendaciones personalizadas para resolver problemas comunes. Con estas recomendaciones, puede optimizar sus recursos de Azure para ofrecer confiabilidad, seguridad, excelencia operativa, rendimiento y costo.",
"guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-advisor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor",
"severity": "Bajo",
"subcategory": "Administración",
"text": "Comprobar periódicamente las recomendaciones de Azure Advisor para AVD"
@ -886,16 +886,16 @@
"category": "Monitoreo y Gestión",
"description": "Prepare una estrategia para administrar las actualizaciones de las imágenes doradas, por ejemplo, para aplicar revisiones de seguridad y/o actualizar las aplicaciones instaladas dentro de la imagen. Azure Image Builder Service es una solución de 1ª parte para automatizar la compilación y personalización de máquinas virtuales.Las plantillas ARM se pueden usar para crear nuevos hosts y, a continuación, retirar los antiguos: https://github.com/Azure/RDS-Templates/tree/master/ARM-AVD-templates/AddVirtualMachinesToHostPool El enfoque recomendado es crear un nuevo grupo en paralelo, más fácil de revertir, no utilizable para un grupo dedicadoRe-implementar y aumentar el número de máquinas virtuales con la plantilla ARM también es una opción viable. Los clientes también pueden querer utilizar los métodos de distribución de software existentes para actualizar la imagen sin volver a implementarla, por ejemplo, con SCCM o similar.",
"guid": "d7b68d0c-7555-462f-8b3e-4563b4d874a7",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "Medio",
"subcategory": "Administración",
"text": "Planeación de una estrategia de administración de actualizaciones de imágenes doradas"
},
{
"category": "Monitoreo y Gestión",
"description": "Los clientes pueden tener varias opciones:- Microsoft Endpoint Configuration Manager, este artículo explica cómo configurar Microsoft Endpoint Configuration Manager para aplicar automáticamente actualizaciones a un host de Windows Virtual Desktop que ejecuta Windows 10 Enterprise multisesión: https://docs.microsoft.com/azure/virtual-desktop/configure-automatic-updates- Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- 3ª Parte que admite su sistema operativo.- Azure Update Management (Azure Automation), hoy no compatible con el sistema operativo cliente: https://docs.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt se recomienda alejarse de una estrategia de revisión y pasar a una estrategia de recreación de imágenes si es posible. ",
"description": "Los clientes pueden tener varias opciones:- Microsoft Endpoint Configuration Manager, este artículo explica cómo configurar Microsoft Endpoint Configuration Manager para aplicar automáticamente actualizaciones a un host de Windows Virtual Desktop que ejecuta Windows 10 Enterprise multisesión: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates- Microsoft Intune: https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- 3ª Parte que admite su sistema operativo.- Azure Update Management (Azure Automation), hoy no compatible con el sistema operativo cliente: https://learn.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt se recomienda alejarse de una estrategia de revisión y pasar a una estrategia de recreación de imágenes si es posible. ",
"guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "Medio",
"subcategory": "Administración",
"text": "Planeación de una estrategia de actualización y revisión del host de sesión"
@ -904,7 +904,7 @@
"category": "Monitoreo y Gestión",
"description": "Los grupos de servidores host son una colección de una o más máquinas virtuales idénticas dentro del entorno de Windows Virtual Desktop. Se recomienda encarecidamente crear un grupo de hosts de validación donde se apliquen primero las actualizaciones de servicio. Esto le permite supervisar las actualizaciones del servicio antes de que el servicio las aplique a su entorno estándar o de no validación.",
"guid": "d1e8c38e-c936-4667-913c-005674b1e944",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"severity": "Bajo",
"subcategory": "Administración",
"text": "Evaluar el requisito de un entorno canario de prueba AVD"
@ -922,7 +922,7 @@
"category": "Monitoreo y Gestión",
"description": "Después de registrar una máquina virtual en un grupo de hosts dentro del servicio Windows Virtual Desktop, el agente actualiza regularmente el token de la máquina virtual siempre que la máquina virtual está activa. El certificado para el token de registro es válido durante 90 días. Debido a este límite de 90 días, recomendamos que las máquinas virtuales estén en línea durante 20 minutos cada 90 días para que la máquina pueda actualizar sus tokens y actualizar el agente y los componentes de la pila en paralelo.",
"guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "Medio",
"subcategory": "Administración",
"text": "Activar máquinas virtuales regularmente cada 90 días para la actualización de tokens"
@ -940,7 +940,7 @@
"category": "BC/DR",
"description": "El modelo Active-Active' se puede lograr con varios grupos de hosts en diferentes regiones. No se recomienda un único grupo de hosts con máquinas virtuales de diferentes regiones. Si se van a utilizar varios grupos para los mismos usuarios, se debe resolver el problema de cómo sincronizar/replicar perfiles de usuario. FSLogix Cloud Cache podría usarse, pero debe revisarse y planificarse cuidadosamente, o los clientes pueden decidir no sincronizar / replicar en absoluto. \"Activo-pasivo\" se puede lograr mediante Azure Site Recovery (ASR) o la implementación de grupos a petición con un mecanismo automatizado.",
"guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Medio",
"subcategory": "Calcular",
"text": "Evaluar la región de recuperación ante desastres geográficos para grupos de hosts AVD"
@ -949,7 +949,7 @@
"category": "BC/DR",
"description": "Antes de abordar la planeación y el diseño de BCDR de Windows Virtual Desktop, es importante considerar inicialmente qué aplicaciones que se consumen a través de AVD son críticas. Es posible que desee separarlas de las aplicaciones no críticas y usar un grupo de hosts independiente con un enfoque y capacidades de recuperación ante desastres diferentes.",
"guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Medio",
"subcategory": "Calcular",
"text": "Separar las aplicaciones críticas en diferentes grupos de hosts AVD"
@ -958,7 +958,7 @@
"category": "BC/DR",
"description": "? ¿Seleccionó el nivel de resistencia adecuado para las máquinas virtuales del grupo de hosts (conjunto de disponibilidad frente a zonas de disponibilidad)? ¿Conoce las implicaciones en el SLA de alta disponibilidad y los límites de escalabilidad que vienen con AS o AZ? ? Actualmente puede implementar 399 máquinas virtuales por implementación de plantilla ARM de escritorio virtual de Windows sin conjuntos de disponibilidad o 200 máquinas virtuales por conjunto de disponibilidad. Puede aumentar el número de máquinas virtuales por implementación desactivando los conjuntos de disponibilidad en la plantilla de ARM o en la inscripción del grupo de hosts de Azure Portal. Ahora es posible implementar AZ, una AZ a la vez en este momento, necesita crear manualmente una fracción de máquinas virtuales en cada AZ deseada. ",
"guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "Alto",
"subcategory": "Calcular",
"text": "Planeación de la mejor opción de resistencia para la implementación del grupo de hosts AVD"
@ -967,7 +967,7 @@
"category": "BC/DR",
"description": "Copia de seguridad de Azure también se puede usar para proteger máquinas virtuales del grupo de hosts, esta práctica es compatible, incluso si las máquinas virtuales del grupo de hosts no tienen estado. Esta opción podría considerarse para grupos de hosts personales. ",
"guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Medio",
"subcategory": "Calcular",
"text": "Evaluar el requisito de copia de seguridad de los hosts de sesión AVD"
@ -976,7 +976,7 @@
"category": "BC/DR",
"description": "No todos los datos dentro de los perfiles de usuario de FSLogix pueden merecer protección contra desastres. Además, si se utiliza almacenamiento externo, por ejemplo, OneDrive o servidores de archivos/recursos compartidos, lo que queda en el perfil FSLogix es mínimo y podría perderse en algunas circunstancias extremas. En otros casos, los datos dentro del perfil se pueden reconstruir desde otros almacenamientos (por ejemplo, la Bandeja de entrada de Outlook en modo caché). ",
"guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt",
"severity": "Medio",
"subcategory": "Almacenamiento",
"text": "Evaluar qué datos deben protegerse dentro de los contenedores de perfil y oficina"
@ -985,7 +985,7 @@
"category": "BC/DR",
"description": "Prevenir la pérdida de datos para los datos críticos del usuario es importante, el primer paso es evaluar qué datos deben guardarse y protegerse. Si usa OneDrive u otro almacenamiento externo, es posible que no sea necesario guardar los datos del perfil de usuario o de los contenedores de Office. Se debe considerar un mecanismo apropiado para proporcionar protección a los datos críticos del usuario. El servicio Copia de seguridad de Azure se puede usar para proteger los datos de contenedores de Office y perfiles cuando se almacenan en los niveles Standard y Premium de Azure Files. Azure NetApp Files Snapshots and Policies se puede usar para Azure NetApp Files (todos los niveles).",
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Medio",
"subcategory": "Almacenamiento",
"text": "Crear una estrategia de protección de copia de seguridad para contenedores de perfiles y Office"
@ -994,16 +994,16 @@
"category": "BC/DR",
"description": "En AVD, se pueden usar múltiples mecanismos y estrategias de replicación para los datos de usuario que residen en contenedores FSLogix: Patrón de perfil #1: ¿Mecanismos de replicación de almacenamiento nativos de Azure, por ejemplo, replicación GRS estándar de Azure Files, replicación entre regiones de Azure NetApp Files o Azure Files Sync para servidores de archivos basados en máquinas virtuales? Se recomienda usar el almacenamiento replicado en zona (ZRS) o el almacenamiento con replicación geográfica (GRS) para Azure Files. LRS con resistencia solo local se puede usar si no se requiere protección de zona/región. NOTA: Azure Files Share Standard es LRS/ZRS/GRS, pero con la compatibilidad grande de 100 TB habilitada, solo se admiten LRS/ZRS. ? Patrón de perfil # 2: FSLogix Cloud Cache está integrado en un mecanismo automático para replicar contenedores entre diferentes (hasta 4) cuentas de almacenamiento. Cloud Cache solo debe usarse cuando:? Perfil de usuario o contenedores de Office disponibilidad de datos requeridos SLA de alta disponibilidad es crítico y debe ser resistente a errores de región. La opción de almacenamiento seleccionada no puede satisfacer los requisitos de BCDR. Por ejemplo, con el nivel Premium de Azure File Share o Azure File Share Standard con compatibilidad con archivos grandes habilitada, GRS no está disponible. Cuando se requiere replicación entre almacenamiento de información dispares. Patrón de perfil # 3: Solo configure la recuperación geográfica ante desastres para los datos de la aplicación y no para los contenedores de datos / perfiles del usuario: almacene los datos importantes de la aplicación en almacenamientos separados, como OneDrive u otro almacenamiento externo con su propio mecanismo de DR incorporado.",
"guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Medio",
"subcategory": "Almacenamiento",
"text": "Evaluar los requerimientos de replicación y la resiliencia del almacenamiento de almacenamiento de información de contenedores de perfiles para fines de BCDR"
},
{
"category": "BC/DR",
"description": "Recuperación ante desastres geográfica: Azure NetApp Files es esencialmente LRS (almacenamiento replicado localmente), entonces necesita diseñar algo más si desea la replicación entre regiones. La recomendación para la multiregión en este momento es Cloud Sync de NetApp, replicando en otra región de Azure (y NetApp Volume). Copia de seguridad: Las copias de seguridad son manejadas por instantáneas, pero no son automáticas, deben programarse mediante políticas. https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. Hay un límite máximo de instantáneas (255) por volumen, como se documenta aquí: https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits.",
"description": "Recuperación ante desastres geográfica: Azure NetApp Files es esencialmente LRS (almacenamiento replicado localmente), entonces necesita diseñar algo más si desea la replicación entre regiones. La recomendación para la multiregión en este momento es Cloud Sync de NetApp, replicando en otra región de Azure (y NetApp Volume). Copia de seguridad: Las copias de seguridad son manejadas por instantáneas, pero no son automáticas, deben programarse mediante políticas. https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. Hay un límite máximo de instantáneas (255) por volumen, como se documenta aquí: https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits.",
"guid": "23429db7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"severity": "Medio",
"subcategory": "Almacenamiento",
"text": "Revisión de la estrategia de recuperación ante desastres de Azure NetApp Files"
@ -1012,7 +1012,7 @@
"category": "BC/DR",
"description": "Recuperación ante desastres geográfica: GRS para Azure Files solo está disponible con SKU estándar y sin compatibilidad con recursos compartidos grandes, por lo que no es adecuado en la mayoría de los escenarios de clientes. Si se requiere replicación geográfica, al usar Azure File Share Premium, se debe evaluar la replicación con FSLogix Cloud Cache o solo se debe considerar la resistencia de la zona de disponibilidad (AZ) \"en la región\". Copia de seguridad: Azure Backup es totalmente compatible con Azure File Share todos los SKU y es la solución recomendada para proteger los contenedores de perfiles. Si usa OneDrive u otro almacenamiento externo, es posible que no sea necesario guardar los datos del perfil de usuario o de los contenedores de Office.",
"guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
"link": "https://docs.microsoft.com/azure/backup/backup-afs",
"link": "https://learn.microsoft.com/azure/backup/backup-afs",
"severity": "Medio",
"subcategory": "Almacenamiento",
"text": "Revisión de la estrategia de recuperación ante desastres de Azure Files"
@ -1021,7 +1021,7 @@
"category": "BC/DR",
"description": "Si se usan imágenes personalizadas para implementar máquinas virtuales de grupos de hosts AVD, es importante asegurarse de que esos artefactos estén disponibles en todas las regiones, incluso si se trata de un desastre importante. El servicio Galería de proceso de Azure se puede usar para replicar imágenes en todas las regiones donde se implementa un grupo de hosts, con almacenamiento redundante y en varias copias.",
"guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"severity": "Bajo",
"subcategory": "Dependencias",
"text": "Planeación de la disponibilidad de Golden Image entre regiones"
@ -1030,7 +1030,7 @@
"category": "BC/DR",
"description": "Si los usuarios de la infraestructura AVD necesitan acceso a recursos locales, la alta disponibilidad de la infraestructura de red necesaria para conectarse también es crítica y debe tenerse en cuenta. Es necesario evaluar la resiliencia de la infraestructura de autenticación. Los aspectos de BCDR para aplicaciones dependientes y otros recursos deben considerarse para garantizar la disponibilidad en la ubicación secundaria de DR.",
"guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Medio",
"subcategory": "Dependencias",
"text": "Evaluar las dependencias de infraestructura y aplicaciones "

226
checklists/avd_checklist.ja.json
Просмотреть файл

@ -40,7 +40,7 @@
"category": "財団",
"description": "オンプレミス環境に接続する必要がある場合は、現在の接続オプションを評価するか、必要な接続を計画します。",
"guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "中程度",
"subcategory": "全般",
"text": "オンプレミス環境への接続にハイブリッド接続が必要かどうかを判断する"
@ -58,7 +58,7 @@
"category": "財団",
"description": "AVD は、特定の地理的な場所でサービスを実行するためにのみメタデータを保存し、顧客の要件に基づいて、現在利用可能なものと適切なものを決定します。",
"guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
"link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
"link": "https://learn.microsoft.com/azure/virtual-desktop/data-locations",
"severity": "中程度",
"subcategory": "全般",
"text": "AVD サービスのメタデータの場所を決定する"
@ -67,7 +67,7 @@
"category": "財団",
"description": "特定の VM SKU を確認し (特に GPU またはハイスペックの SKU が必要な場合は)、最終的には Azure NetApp Files の可用性 (使用されている場合) を確認します。",
"guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "低い",
"subcategory": "全般",
"text": "選択したリージョンの特定の VM サイズの Azure クォータと可用性を確認する"
@ -76,7 +76,7 @@
"category": "財団",
"description": "詳細については、「BCDR 」セクションを参照してください。",
"guid": "be1f38ce-f398-412b-b463-cbbac89c199d",
"link": "https://docs.microsoft.com/azure/availability-zones/az-region",
"link": "https://learn.microsoft.com/azure/availability-zones/az-region",
"severity": "中程度",
"subcategory": "全般",
"text": "選択したリージョンのアベイラビリティーゾーン (AZ) の可用性を確認する"
@ -85,7 +85,7 @@
"category": "財団",
"description": "適切な計画と展開を行うには、最大ユーザー数と平均同時セッション数を評価することが重要です。",
"guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "中程度",
"subcategory": "クライアントとユーザー",
"text": "AVD に接続するユーザーの数と、どのリージョンから接続するかを評価する"
@ -94,7 +94,7 @@
"category": "財団",
"description": "複数のホストプールは、さまざまなユーザーセットをサポートするために必要になる可能性があるため、必要な数を見積もることをお勧めします。",
"guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "中程度",
"subcategory": "クライアントとユーザー",
"text": "すべてのユーザーが同じアプリケーション・セットを持つか、異なるホスト・プール構成やOSイメージを使用するかを決定する"
@ -103,7 +103,7 @@
"category": "財団",
"description": "AVD プールの外部のリソース(Active Directory、外部ファイル共有またはその他のストレージ、オンプレミスのサービスとリソース、VPN や Express Route などのネットワーク インフラストラクチャ コンポーネント、外部サービス、サードパーティ コンポーネントなど)への依存関係を評価および確認する必要があります。これらすべてのリソースについて、AVD ホストプールからの遅延を評価し、接続を考慮する必要があります。さらに、BCDR に関する考慮事項をこれらの依存関係にも適用する必要があります。",
"guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "低い",
"subcategory": "クライアントとユーザー",
"text": "各ホスト プールの外部依存関係を評価する"
@ -112,7 +112,7 @@
"category": "財団",
"description": "各クライアントの制限事項を確認し、可能な場合は複数のオプションを比較します。",
"guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"link": "https://learn.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"severity": "中程度",
"subcategory": "クライアントとユーザー",
"text": "使用されているクライアント OS と AVD クライアントタイプを確認する"
@ -139,7 +139,7 @@
"category": "財団",
"description": "ユーザーにフルデスクトップまたはリモートアプリケーショングループを提供するかどうかを決定します。",
"guid": "13c00567-4b1e-4945-a459-837ee7ad6c6d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "低い",
"subcategory": "クライアントとユーザー",
"text": "ユーザーがフルデスクトップやリモートアプリケーションを使用して AVD にアクセスするかどうかを決定する"
@ -148,7 +148,7 @@
"category": "財団",
"description": "RDP 設定は、現在、ユーザー/グループごとではなく、ホスト プール レベルでのみ構成できます。",
"guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
"link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"link": "https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"severity": "低い",
"subcategory": "クライアントとユーザー",
"text": "すべてのユーザーの RDP 設定は同じですか?"
@ -157,7 +157,7 @@
"category": "財団",
"description": "マネージド ネットワークの RDP ショートパスは、リモート デスクトップ クライアントとセッション ホスト間の直接 UDP ベースのトランスポートを確立する Azure 仮想デスクトップの機能です。余分なリレーを削除すると、ラウンドトリップ時間が短縮され、遅延の影響を受けやすいアプリケーションや入力方式のユーザーエクスペリエンスが向上します。RDP ショートパスをサポートするには、Azure 仮想デスクトップ クライアントがセッション ホストへの直接の通信経路を必要とし、Windows 10 または Windows 7 のいずれかを実行し、Windows デスクトップ クライアントがインストールされている必要があります。",
"guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
"link": "https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"severity": "中程度",
"subcategory": "クライアントとユーザー",
"text": "管理された内部ネットワークから接続するクライアントの RDP ShortPath を評価する"
@ -166,7 +166,7 @@
"category": "財団",
"description": "共有/プールまたは専用/個人",
"guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "高い",
"subcategory": "キャパシティ プランニング",
"text": "使用するホスト・プール・タイプの決定"
@ -175,7 +175,7 @@
"category": "財団",
"description": "自動割り当てと直接割り当ての違いがよく理解されており、選択したオプションが問題のシナリオに適していることを確認します。",
"guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"severity": "中程度",
"subcategory": "キャパシティ プランニング",
"text": "パーソナルホストプールタイプで、割り当てタイプを決定します"
@ -184,16 +184,16 @@
"category": "財団",
"description": "使用するものと使用可能なオプションを確認し、自動スケーリングを使用する場合は幅優先に設定されることに注意してください。",
"guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
"link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"link": "https://learn.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"severity": "中程度",
"subcategory": "キャパシティ プランニング",
"text": "プールされたホストプールタイプで、負荷分散方法を決定します"
},
{
"category": "財団",
"description": "選択基準に基づいて、必要なホストプールの数はいくつですか。次の場合は、複数のものを持つことを検討する必要があります。複数のOSイメージ?複数の地域?別のハードウェアが必要ですか?異なるホストプールタイプ(共有と個人)?異なるユーザー要件とSLA(トップユーザー、エグゼクティブ、オフィスワーカー対開発者など)?さまざまな RDP 設定 (ホスト プール レベルで適用) については、「https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties」を参照してください。ホスト プール内の必要な数の VM が最大機能を超えています",
"description": "選択基準に基づいて、必要なホストプールの数はいくつですか。次の場合は、複数のものを持つことを検討する必要があります。複数のOSイメージ?複数の地域?別のハードウェアが必要ですか?異なるホストプールタイプ(共有と個人)?異なるユーザー要件とSLA(トップユーザー、エグゼクティブ、オフィスワーカー対開発者など)?さまざまな RDP 設定 (ホスト プール レベルで適用) については、「https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties」を参照してください。ホスト プール内の必要な数の VM が最大機能を超えています",
"guid": "c7c791dc-a1f6-4d56-999e-558b937d4985",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "高い",
"subcategory": "キャパシティ プランニング",
"text": "展開するさまざまなホスト プールの数を見積もる"
@ -202,7 +202,7 @@
"category": "財団",
"description": "提供されているリンクを使用して SKU 決定の開始点を設定し、パフォーマンス テストを使用して検証します。セッション ホストごとに少なくとも 4 つのコアが本番用に選択されていることを確認します (マルチセッション)",
"guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"severity": "中程度",
"subcategory": "キャパシティ プランニング",
"text": "ワークロード パフォーマンス テストを実行して、使用する最適な Azure VM SKU とサイズを決定します (プールあたりのホスト数を決定します)"
@ -211,7 +211,7 @@
"category": "財団",
"description": "参照記事で報告されているAVDの容量と制限を確認することが重要です。",
"guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"severity": "高い",
"subcategory": "キャパシティ プランニング",
"text": "環境の AVD スケーラビリティの制限を確認する"
@ -220,7 +220,7 @@
"category": "財団",
"description": "GPU を搭載したホスト プールには特別な構成が必要ですので、参照先の記事を必ず確認してください。",
"guid": "c936667e-13c0-4056-94b1-e945a459837e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"severity": "中程度",
"subcategory": "キャパシティ プランニング",
"text": "セッション ホストに GPU が必要かどうかを判断する"
@ -229,7 +229,7 @@
"category": "財団",
"description": "可能な限り、高速ネットワーク機能を備えた VM SKU を活用することをお勧めします。現在、Windows Server OSがサポートされており(記事のリストを参照)、将来的にはWindowsクライアントOSも含まれる可能性があります。",
"guid": "b47a393a-0803-4272-a479-8b1578b219a4",
"link": "https://docs.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"link": "https://learn.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"severity": "低い",
"subcategory": "キャパシティ プランニング",
"text": "Azure の高速ネットワーク機能を利用できる VM SKU を使用することをお勧めします。"
@ -238,7 +238,7 @@
"category": "同一性",
"description": "Azure サブスクリプションは、Windows Server Active Directory または Azure AD DS インスタンスを含む、または Azure AD DS インスタンスに接続されている仮想ネットワークを含む、同じ Azure AD テナントの親である必要があります。",
"guid": "6ceb5443-5125-4922-9442-93bb628537a5",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "高い",
"subcategory": "必要条件",
"text": "Azure Active Directory テナントは、少なくとも 1 つのサブスクリプションがリンクされている状態で使用可能である必要があります"
@ -247,7 +247,7 @@
"category": "同一性",
"description": "これは、Azure AD Connect (ハイブリッド組織の場合) または Azure AD ドメイン サービス (ハイブリッド組織またはクラウド組織の場合) を使用して構成できます。",
"guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "高い",
"subcategory": "必要条件",
"text": "Windows Server Active Directory フォレスト/ドメインが Azure Active Directory と同期している"
@ -256,7 +256,7 @@
"category": "同一性",
"description": "(1) ユーザーは、Azure AD に接続されているのと同じ Active Directory から取得する必要があります。 Windows 仮想デスクトップは、B2B または MSA アカウントをサポートしていません。(2) Windows 仮想デスクトップのサブスクライブに使用する UPN は、VM が参加しているアクティブ ディレクトリ ドメインに存在する必要があります。",
"guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "中程度",
"subcategory": "必要条件",
"text": "Windows 仮想デスクトップに接続するためのユーザー アカウント要件を確認する"
@ -265,7 +265,7 @@
"category": "同一性",
"description": "VM は、Standard ドメイン参加済みまたはハイブリッド AD 参加済みである必要があります。仮想マシンを Azure AD に参加させることはできません。",
"guid": "ea962a15-9394-46da-a7cc-3923266b2258",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "中程度",
"subcategory": "必要条件",
"text": "作成される AVD セッションホストの VM 要件を確認する"
@ -274,7 +274,7 @@
"category": "同一性",
"description": "セルフマネージド Active Directory Domain Services、Azure Active Directory、および管理された Azure Active Directory Domain Services の比較",
"guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
"link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"link": "https://learn.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"severity": "低い",
"subcategory": "必要条件",
"text": "AVD に Azure Active Directory ドメイン サービス (AAD-DS) を使用する前に、制限事項を確認してください。"
@ -283,7 +283,7 @@
"category": "同一性",
"description": "Azure の AD DC は、AVD セッションホストにログインするユーザーのレイテンシーを短縮し、最終的には Azure NetApp Files と AD 統合のレイテンシーを削減するために推奨されます。ADCは、すべての子ドメインのDCと通信できる必要があります。別の方法として、オンプレミス接続を使用して AD DC に到達する必要があります。",
"guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
"link": "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"severity": "中程度",
"subcategory": "アクティブディレクトリ",
"text": "AVD ホスト プールに近い Azure VNET 環境に少なくとも 2 つのアクティブ ディレクトリ ドメイン コントローラー (DC) を作成します。"
@ -292,7 +292,7 @@
"category": "同一性",
"description": "別の OU 階層の下にホスト プールごとに個別の OU を作成することをお勧めします。これらの OU には、AVD セッションホストのマシンアカウントが含まれます。",
"guid": "6db55f57-9603-4334-adf9-cc23418db612",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "低い",
"subcategory": "アクティブディレクトリ",
"text": "ホスト プールごとにアクティブ ディレクトリに特定の OU を作成する"
@ -301,7 +301,7 @@
"category": "同一性",
"description": "慎重に確認し、最終的に AVD ホストプールを含む OU への GPO の継承をブロック/フィルタリングします。",
"guid": "7126504b-b47a-4393-a080-327294798b15",
"link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"link": "https://learn.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"severity": "中程度",
"subcategory": "アクティブディレクトリ",
"text": "OU に適用され、ホスト プール VM の機能に影響を与えるドメイン GPO を確認する"
@ -310,7 +310,7 @@
"category": "同一性",
"description": "特定のアクセス許可を持つ特定の専用アカウントを持ち、既定の 10 回の参加制限がないことをお勧めします。",
"guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "中程度",
"subcategory": "アクティブディレクトリ",
"text": "VM をドメインに参加させるためのアクセス許可のみを持つ専用ユーザー アカウントを作成する"
@ -319,7 +319,7 @@
"category": "同一性",
"description": "ユーザーごとにアクセスを許可するのではなく、AD グループを使用し、Azure AD の ADC を使用してレプリケートします。",
"guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "中程度",
"subcategory": "アクティブディレクトリ",
"text": "各ホスト プール アプリケーション グループ (DAG または RAG) へのアクセスが許可されるユーザーのセットごとにドメイン ユーザー グループを作成します。"
@ -328,7 +328,7 @@
"category": "同一性",
"description": "Azure ファイル共有と Active Directory 認証を統合する手順の一環として、ストレージ アカウント (ファイル共有) を表す AD アカウントが作成されます。コンピューター アカウントまたはサービス ログオン アカウントとして登録することを選択できます (詳細については、FAQ を参照してください)。コンピューター アカウントの場合、AD には既定のパスワードの有効期限が 30 日に設定されています。同様に、サービス ログオン アカウントには、AD ドメインまたは組織単位 (OU) に既定のパスワード有効期限が設定されている場合があります。どちらのアカウントの種類でも、AD 環境で構成されているパスワードの有効期限を確認し、パスワードの最大有効期間の前に AD アカウントのストレージ アカウント ID のパスワードを更新することを計画することをお勧めします。AD に新しい AD 組織単位 (OU) を作成し、それに応じてコンピューター アカウントまたはサービス ログオン アカウントのパスワード有効期限ポリシーを無効にすることを検討できます。",
"guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"severity": "低い",
"subcategory": "アクティブディレクトリ",
"text": "Azure Files AD 統合で使用されるアカウントの組織のパスワード有効期限ポリシーを確認する"
@ -337,7 +337,7 @@
"category": "ネットワーキング",
"description": "どのタイプのハイブリッド接続ですか?エクスプレスルート、VPN、NVA?",
"guid": "c8639648-a652-4d6c-85e5-02965388e5de",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "中程度",
"subcategory": "ネットワーキング",
"text": "オンプレミス環境のハイブリッド接続アーキテクチャを確認する"
@ -346,7 +346,7 @@
"category": "ネットワーキング",
"description": "帯域幅の要件を評価し、VPN/ER 帯域幅が十分であり、待機時間が許容できることを確認します。",
"guid": "d227dd14-2b06-4c21-a799-9a646f4389a7",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "中程度",
"subcategory": "ネットワーキング",
"text": "ユーザーが AVD ホストプールからオンプレミスにアクセスする必要があるリソースを評価する"
@ -355,7 +355,7 @@
"category": "ネットワーキング",
"description": "CAF に基づいて AVD ホストプールを配置する場所をレビューまたは推奨する(vWAN vs. ハブ&スポーク)",
"guid": "f42c78e7-8c06-4a63-a21a-4956e6a8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"severity": "高い",
"subcategory": "ネットワーキング",
"text": "AVD サービスのランディングゾーンネットワーキングトポロジの確認"
@ -364,14 +364,14 @@
"category": "ネットワーキング",
"description": "各サブネットに AVD ホストプールをスケーリングするのに十分なスペースがあることを確認します。ホスト プールが異なる場合は、可能であれば個別のサブネットを使用することをお勧めします。",
"guid": "20e27b3e-2971-41b1-952b-eee079b588de",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "中程度",
"subcategory": "ネットワーキング",
"text": "複数のホスト プールの VNET とサブネットの配置を評価する"
},
{
"category": "ネットワーキング",
"description": "いくつかのオプションを使用できます。Azure Firewall または NVA ファイアウォール、NSG、プロキシを使用できます。NSG では、URL による有効化/無効化はできず、ポートとプロトコルのみが可能です。プロキシは、ユーザーブラウザの明示的な設定としてのみ使用する必要があります。AVD での Azure Firewall Premium の使用の詳細については、こちら https://aka.ms/AVDfirewall と こちら https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop を参照してください。AVD URL アクセスの要件の完全なリストを確認してください。",
"description": "いくつかのオプションを使用できます。Azure Firewall または NVA ファイアウォール、NSG、プロキシを使用できます。NSG では、URL による有効化/無効化はできず、ポートとプロトコルのみが可能です。プロキシは、ユーザーブラウザの明示的な設定としてのみ使用する必要があります。AVD での Azure Firewall Premium の使用の詳細については、こちら https://aka.ms/AVDfirewall と こちら https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop を参照してください。AVD URL アクセスの要件の完全なリストを確認してください。",
"guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
"link": "https://aka.ms/AVDfirewall",
"severity": "中程度",
@ -389,18 +389,18 @@
},
{
"category": "ネットワーキング",
"description": "カスタム UDR は、たとえば Azure ファイアウォールや NVA にリダイレクトするために、AVD ホスト プール サブネットに適用できます。この場合、AVD コントロールプレーンへのアウトバウンドトラフィックの最適なパスが使用されていることを慎重に確認することをお勧めします。サービスタグを UDR で使用できるようになり、AVD 管理プレーントラフィックを簡単にホワイトリストに登録できるようになりました。https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop",
"description": "カスタム UDR は、たとえば Azure ファイアウォールや NVA にリダイレクトするために、AVD ホスト プール サブネットに適用できます。この場合、AVD コントロールプレーンへのアウトバウンドトラフィックの最適なパスが使用されていることを慎重に確認することをお勧めします。サービスタグを UDR で使用できるようになり、AVD 管理プレーントラフィックを簡単にホワイトリストに登録できるようになりました。https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop",
"guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
"link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"severity": "低い",
"subcategory": "ネットワーキング",
"text": "AVD ホストプールサブネットの UDR の確認"
},
{
"category": "ネットワーキング",
"description": "セッションホストによる AVD コントロールプレーンアクセスに必要な URL については、次の https://docs.microsoft.com/azure/virtual-desktop/safe-url-list を参照してください。セッション ホストからの接続を確認するためのチェック ツールを使用できます。 https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool。",
"description": "セッションホストによる AVD コントロールプレーンアクセスに必要な URL については、次の https://learn.microsoft.com/azure/virtual-desktop/safe-url-list を参照してください。セッション ホストからの接続を確認するためのチェック ツールを使用できます。 https://learn.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool。",
"guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list",
"link": "https://learn.microsoft.com/azure/virtual-desktop/safe-url-list",
"severity": "高い",
"subcategory": "ネットワーキング",
"text": "AVD コントロールプレーンエンドポイントにアクセスできることを確認する"
@ -409,7 +409,7 @@
"category": "ネットワーキング",
"description": "特定のワークロードの種類に基づいて、ユーザーのネットワーク帯域幅要件を評価および確認することをお勧めします。参照されている記事は一般的な見積もりと推奨事項を提供しますが、適切なサイズ設定には特定の手段が必要です。",
"guid": "516785c6-fa96-4c96-ad88-408f372734c8",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"severity": "低い",
"subcategory": "ネットワーキング",
"text": "VM SKU の各ユーザーおよび合計に必要なネットワーク帯域幅を確認する"
@ -418,7 +418,7 @@
"category": "計算する",
"description": "ホスト プールのデプロイに使用する VM SKU を選択したら、セキュリティを強化し、機能を向上させるために、Gen2 タイプの SKU を使用することをお勧めします。",
"guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
"link": "https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2",
"link": "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2",
"severity": "中程度",
"subcategory": "セッション ホスト",
"text": "ホスト プールの展開のための Gen2 VM の使用状況を評価する"
@ -427,7 +427,7 @@
"category": "計算する",
"description": "アプリケーションは、ゴールデン イメージにプレインストールすることも、MSIX & AppAttach 機能を使用してアタッチすることも、従来の SW 配布方法を使用してプールのデプロイ後にホストに配布することもできます。",
"guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "高い",
"subcategory": "ゴールデンイメージ",
"text": "アプリケーションを AVD ホストプールに展開する方法を決定する"
@ -436,7 +436,7 @@
"category": "計算する",
"description": "彼らは、単一のイメージ、または異なるアプリケーションが組み込まれた複数のイメージに役立つfslogixアプリケーションマスキングを使用しますか?",
"guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "中程度",
"subcategory": "ゴールデンイメージ",
"text": "必要なゴールデン画像の数を見積もる"
@ -445,7 +445,7 @@
"category": "計算する",
"description": "各ホスト プールの展開に使用するゲスト OS を決定します: Windows 10 と Windows Server、マーケットプレースとカスタム イメージ",
"guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "中程度",
"subcategory": "ゴールデンイメージ",
"text": "ホスト プールの展開に使用する OS イメージを決定する"
@ -454,7 +454,7 @@
"category": "計算する",
"description": "何も存在しない場合は、Azure Image Builder を使用してビルド プロセスを自動化することを検討してください。",
"guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
"link": "https://docs.microsoft.com/azure/virtual-machines/image-builder-overview",
"link": "https://learn.microsoft.com/azure/virtual-machines/image-builder-overview",
"severity": "低い",
"subcategory": "ゴールデンイメージ",
"text": "カスタム イメージを使用する場合は、自動ビルド プロセスがあるかどうかを判断しますか。"
@ -463,7 +463,7 @@
"category": "計算する",
"description": "Azure コンピューティング ギャラリーを評価します。",
"guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"severity": "低い",
"subcategory": "ゴールデンイメージ",
"text": "カスタム イメージを使用する場合、イメージのライフサイクルを整理および管理する計画はありますか?"
@ -472,14 +472,14 @@
"category": "計算する",
"description": "ゴールデンイメージのカスタマイズに関するいくつかの既知のベストプラクティスと推奨事項がありますので、参照されている記事を確認してください。",
"guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "中程度",
"subcategory": "ゴールデンイメージ",
"text": "カスタムイメージを使用する場合は、マスターイメージの構築方法に関する AVD の推奨ベストプラクティスを確認してください。"
},
{
"category": "計算する",
"description": "このツール セットは、ホワイト ペーパー「仮想デスクトップ インフラストラクチャ (VDI) の役割に対する Windows 10 バージョン 2004 の最適化」で参照されている設定を自動的に適用するために作成されました https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004。ホワイトペーパーに記載されているツールの使用および/または最適化を検討する必要があります。",
"description": "このツール セットは、ホワイト ペーパー「仮想デスクトップ インフラストラクチャ (VDI) の役割に対する Windows 10 バージョン 2004 の最適化」で参照されている設定を自動的に適用するために作成されました https://learn.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004。ホワイトペーパーに記載されているツールの使用および/または最適化を検討する必要があります。",
"guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
"link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool",
"severity": "中程度",
@ -490,7 +490,7 @@
"category": "計算する",
"description": "初期展開後にホスト プール VM の構成を管理するための構成管理ツールが既に導入されているかどうかを確認します (SCCM、MEM/Intune、GPO、3 番目のパーティのソリューションなど)。",
"guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
"link": "https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"link": "https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"severity": "低い",
"subcategory": "ゴールデンイメージ",
"text": "AVD セッションホスト設定管理戦略の計画/評価"
@ -499,7 +499,7 @@
"category": "計算する",
"description": "提供されている記事を確認し、「既知のフォルダーリダイレクト」と「ファイルオンデマンド」を確認します OneDrive 機能を検討し、最終的に採用する必要があります。",
"guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"severity": "中程度",
"subcategory": "ゴールデンイメージ",
"text": "Microsoft OneDrive が AVD 展開の一部になるかどうかを判断する"
@ -508,7 +508,7 @@
"category": "計算する",
"description": "この記事を確認し、最新バージョンを使用し、Teams の除外を確認して評価し、プロファイルのサイズを小さくしてください。",
"guid": "b5887953-5d22-4788-9d30-b66c67be5951",
"link": "https://docs.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"severity": "中程度",
"subcategory": "ゴールデンイメージ",
"text": "Microsoft Teams が AVD 展開の一部になるかどうかを判断する"
@ -517,7 +517,7 @@
"category": "計算する",
"description": "MSIX パッケージを格納するには、個別のストレージ アカウント/共有を使用することを強くお勧めします。必要に応じて、ストレージは個別にスケールアウトでき、プロファイル I/O アクティビティの影響を受けません。Azure には、MISX アプリのアタッチに使用できる複数のストレージ オプションが用意されています。Azure Files または Azure NetApp Files は、コストと管理オーバーヘッドの間で最適な価値を提供するため、これらのオプションを使用することをお勧めします。",
"guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "高い",
"subcategory": "MSIX & AppAttach",
"text": "プロファイル/Office コンテナーと同じストレージ アカウント/共有を使用しないでください"
@ -526,7 +526,7 @@
"category": "計算する",
"description": "参照記事では、AVD コンテキストでの MSIX の使用に関するパフォーマンスに関する考慮事項はほとんどありませんが、慎重に確認してください。",
"guid": "241addce-5793-477b-adb3-751ab2ac1fad",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "高い",
"subcategory": "MSIX & AppAttach",
"text": "MSIX のパフォーマンスに関する考慮事項を確認する"
@ -535,7 +535,7 @@
"category": "計算する",
"description": "MSIX アプリのアタッチには、ファイル共有にアクセスするための読み取り専用アクセス許可が必要です。MSIX アプリケーションを Azure Files に格納する場合は、セッション ホストに対して、すべてのセッション ホスト VM に、共有に対するストレージ アカウント ロールベースのアクセス制御 (RBAC) とファイル共有の新技術ファイル システム (NTFS) アクセス許可の両方を割り当てる必要があります。",
"guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "中程度",
"subcategory": "MSIX & AppAttach",
"text": "MSIX 共有の適切なセッション ホストのアクセス許可を確認する"
@ -544,7 +544,7 @@
"category": "計算する",
"description": "3番目のパーティのソフトウェアベンダーは、MIXパッケージを提供する必要があります、それは顧客アプリケーションの所有者からの適切なサポートなしで変換手順を試みることはお勧めしません。",
"guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "中程度",
"subcategory": "MSIX & AppAttach",
"text": "3番目のパーティ製アプリケーション用の MSIX パッケージ"
@ -553,7 +553,7 @@
"category": "計算する",
"description": "MSIX アプリのアタッチでは、MSIX アプリケーションの自動更新がサポートされないため、無効にする必要があります。",
"guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "低い",
"subcategory": "MSIX & AppAttach",
"text": "MSIX パッケージの自動更新を無効にする"
@ -562,7 +562,7 @@
"category": "計算する",
"description": "MSIX & App Attach を利用するには、AVD ホスト プールのゲスト OS イメージが Windows 10 Enterprise または Windows 10 Enterprise Multi-session バージョン 2004 以降である必要があります。",
"guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "中程度",
"subcategory": "MSIX & AppAttach",
"text": "オペレーティング システムのサポートを確認する"
@ -571,7 +571,7 @@
"category": "貯蔵",
"description": "標準HDD、標準SSD、またはプレミアムSSD、エフェメラルディスクはサポートされておらず、ウルトラディスクは推奨されません。ユーザー密度が低くない場合、およびクラウドキャッシュを使用する場合は、OSディスクのプレミアムを評価することをお勧めします。",
"guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"severity": "中程度",
"subcategory": "セッション ホスト",
"text": "セッション・ホストに使用する管理対象ディスクのタイプを決定する"
@ -580,16 +580,16 @@
"category": "貯蔵",
"description": "Azure NetApp Files、Azure Files、VM ベースのファイル サーバー。ファイルサーバーは推奨されません。通常、Azure Files Premium は出発点として適しています。ネットアップは通常、大規模で高パフォーマンスの環境にのみ必要です。",
"guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "高い",
"subcategory": "FSLogix",
"text": "FSLogix プロファイルおよびオフィス コンテナーに使用するストレージ バックエンド ソリューションを決定する"
},
{
"category": "貯蔵",
"description": "Windows Virtual Desktop では、以下の「ディザスター リカバリー」セクションで説明するように、特定のビジネス継続性とディザスター リカバリー (BCDR) シナリオを計画していない限り、Office コンテナーなしでプロファイル コンテナーを使用することをお勧めします。https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt",
"description": "Windows Virtual Desktop では、以下の「ディザスター リカバリー」セクションで説明するように、特定のビジネス継続性とディザスター リカバリー (BCDR) シナリオを計画していない限り、Office コンテナーなしでプロファイル コンテナーを使用することをお勧めします。https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt",
"guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
"link": "https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt",
"link": "https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt",
"severity": "低い",
"subcategory": "FSLogix",
"text": "プロファイルコンテナをオフィスコンテナから分離する可能性を評価する"
@ -598,7 +598,7 @@
"category": "貯蔵",
"description": "プロファイル コンテナーのストレージ要件を見積もるための開始点として、定常状態ではユーザーあたり 10 IOPS、サインイン/サインアウト時にはユーザーあたり 50 IOPS を想定することをお勧めします。",
"guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "高い",
"subcategory": "FSLogix",
"text": "ホスト プールの要件をサポートするための記憶域のスケーラビリティの制限を確認する"
@ -616,7 +616,7 @@
"category": "貯蔵",
"description": "可能な限り、リージョン間のネットワーク トラフィックに関連する追加の待機時間とコストを発生させないようにします。",
"guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"severity": "高い",
"subcategory": "FSLogix",
"text": "最適なパフォーマンスを得るには、ストレージ ソリューションと FSLogix プロファイル コンテナーを同じデータ センターの場所に配置する必要があります。"
@ -625,16 +625,16 @@
"category": "貯蔵",
"description": "参照記事に記載されているように、FSLogix プロファイル コンテナーの仮想ハード ドライブに対して次のウイルス対策の除外を構成してください。",
"guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "中程度",
"subcategory": "FSLogix",
"text": "FSLogix の推奨されるウイルス対策除外を構成します (接続時に VHD(x) ファイルをスキャンしないことを含む)。"
},
{
"category": "貯蔵",
"description": "デフォルトの基本設定と推奨設定は次のとおりです。 https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises 基本セットについてはこちらをご覧ください: 完全な参考 https://docs.microsoft.com/fslogix/configure-profile-container-tutorialSee はこちら: https://docs.microsoft.com/fslogix/profile-container-configuration-reference",
"description": "デフォルトの基本設定と推奨設定は次のとおりです。 https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises 基本セットについてはこちらをご覧ください: 完全な参考 https://learn.microsoft.com/fslogix/configure-profile-container-tutorialSee はこちら: https://learn.microsoft.com/fslogix/profile-container-configuration-reference",
"guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "高い",
"subcategory": "FSLogix",
"text": "FSLogix レジストリ キーを確認し、適用するレジストリ キーを決定する"
@ -643,7 +643,7 @@
"category": "貯蔵",
"description": "同時接続または複数接続は、Windows 仮想デスクトップでは推奨されません。ベスト プラクティスは、セッションごとに異なるプロファイルの場所を (ホスト プールとして) 作成することです。",
"guid": "5e985b85-9c77-43e7-b261-623b775a917e",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "高い",
"subcategory": "FSLogix",
"text": "同じプロファイルへの同時接続または複数の接続の使用状況を確認する"
@ -652,7 +652,7 @@
"category": "貯蔵",
"description": "一般的な見積もりとして、テスト環境で検証するには、ワークロードに応じて、ユーザーごとに 5 から 15 IOPS を最初に検討する必要があります。Azure ファイル: プレミアム シェアあたり最大 100k IOPS (最大 100 TB)、および 3 ミリ秒の待機時間で最大 5 Gbps。Azure Files のプロビジョニング方法、つまり IOPS は厳密にプロビジョニングされた SIZE に関連付けられていることに注意してください。場合によってはバーストサイジング機能。十分な IOPS を確保するために、必要以上の領域を事前にプロビジョニングしてください。注: Azure Premium は、トランザクションを支払わないため、標準よりも安くなる可能性がありますが、覚えておくべき重要な詳細。Azure NetApp Files: 最大 1000 個の IP が接続され、その場で IOPS を調整でき、最小 4 TB のプロビジョニング容量を記憶してください。",
"guid": "1f348ff3-64d2-47d4-8e8b-bbc868155abb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "高い",
"subcategory": "FSLogix",
"text": "ストレージのサイズ設定に関するベスト プラクティスと主な考慮事項を確認する"
@ -661,7 +661,7 @@
"category": "貯蔵",
"description": "参照記事で説明されているベストプラクティスと推奨事項のリストを必ず確認してください。",
"guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "中程度",
"subcategory": "FSLogix",
"text": "Azure ファイルのベスト プラクティスを確認する (使用する場合)"
@ -670,7 +670,7 @@
"category": "貯蔵",
"description": "参照記事で説明されているベストプラクティスと推奨事項のリストを必ず確認してください。",
"guid": "c42149d4-13a9-423c-9574-d11028ac6aae",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "中程度",
"subcategory": "FSLogix",
"text": "ネットアップファイルのベストプラクティスを確認する(使用している場合)"
@ -679,7 +679,7 @@
"category": "貯蔵",
"description": "プロファイルコンテナのデフォルトの最大サイズは30GBです。大きなプロファイル コンテナーが予想され、お客様がそれらを小さく保とうとする場合は、OneDrive を使用して FSLogix プロファイルの外部で Office 365 ファイルをホストすることを検討してください。",
"guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
"link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/profile-container-configuration-reference",
"severity": "高い",
"subcategory": "FSLogix",
"text": "FSLogix で構成された最大プロファイル サイズを確認して確認する"
@ -688,7 +688,7 @@
"category": "貯蔵",
"description": "Cloud Cache はローカル ディスクをキャッシュとして使用するため、VM ディスクに大きな負荷がかかる可能性があります。可能であれば、VM SKU に基づいて、一時的な (およびローカルに接続された) VM ディスクの機能を活用することをお勧めします。",
"guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
"link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/cloud-cache-configuration-reference",
"severity": "中程度",
"subcategory": "FSLogix",
"text": "FSLogix クラウド キャッシュを使用する場合は、キャッシュ ディレクトリを一時ドライブに移動します。"
@ -697,7 +697,7 @@
"category": "貯蔵",
"description": "リダイレクト.XMLファイルは、プロファイルコンテナからC:ドライブにリダイレクトされるフォルダを制御するために使用されます。除外は例外であるべきであり、除外を構成するユーザーが特定の除外を完全に理解しない限り、決して使用しないでください。除外は、実装が意図されている環境で常に完全にテストする必要があります。除外を構成すると、機能、安定性、パフォーマンスに影響を与える可能性があります。",
"guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"severity": "中程度",
"subcategory": "FSLogix",
"text": "FSLogix リダイレクトの使用法を確認します。"
@ -706,7 +706,7 @@
"category": "貯蔵",
"description": "ANF サブネットが作成される Azure 仮想ネットワーク環境用に Active Directory サイトを作成し、リファレンス記事で説明されているように、参加手順を実行するときにそのサイト名を ANF 接続プロパティで指定する必要があります。",
"guid": "6647e977-db49-48a8-bc35-743f17499d42",
"link": "https://docs.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"link": "https://learn.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"severity": "高い",
"subcategory": "FSLogix",
"text": "Azure ネットアップ ファイル ストレージを使用する場合は、AD 接続の AD サイト名の設定を確認してください。"
@ -724,34 +724,34 @@
"category": "安全",
"description": "仮想デスクトップへの管理者アクセス権をユーザーに付与しないことをお勧めします。ソフトウェア パッケージが必要な場合は、Microsoft エンドポイント マネージャーなどの構成管理ユーティリティを使用して使用できるようにすることをお勧めします。マルチセッション環境では、ユーザーがソフトウェアを直接インストールできないようにすることをお勧めします。",
"guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "中程度",
"subcategory": "ホスト構成",
"text": "AVD ユーザーが AVD ホストのローカル管理者権限を持たないようにします。"
},
{
"category": "安全",
"description": "Microsoft Defender for Endpoint は、Windows Virtual Desktop for Windows 10 Enterprise Multi-session をサポートするようになりました。非永続的な仮想デスクトップ インフラストラクチャ (VDI) デバイスのオンボードに関する記事を確認してください: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"description": "Microsoft Defender for Endpoint は、Windows Virtual Desktop for Windows 10 Enterprise Multi-session をサポートするようになりました。非永続的な仮想デスクトップ インフラストラクチャ (VDI) デバイスのオンボードに関する記事を確認してください: https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"guid": "b1172576-9ef6-4691-a483-5ac932223ece",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "高い",
"subcategory": "ホスト構成",
"text": "ウイルス対策およびマルウェア対策ソリューションが使用されていることを確認します"
},
{
"category": "安全",
"description": "次の除外が設定されていることを確認してください: https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions 。",
"description": "次の除外が設定されていることを確認してください: https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions 。",
"guid": "80b12308-1a54-4174-8583-3ea3ad2c2de7",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "高い",
"subcategory": "ホスト構成",
"text": "適切なAV除外が実施されていることを確認する"
},
{
"category": "安全",
"description": "Azure のディスクは、既定では Microsoft マネージド キーを使用して保存時に既に暗号化されています。ホスト VM OS ディスクの暗号化は、ADE と DES を使用して可能であり、サポートされています: 賢明で永続的なユーザー データはセッション ホスト ディスクに格納せず、コンプライアンス上の理由で厳密に必要な場合にのみ使用する必要があります。Azure Files を使用した FSLogix ストレージの暗号化は、Azure Storage 上の SSE を使用して実行できます。OneDrive の暗号化については、次の記事を参照してください https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services。",
"description": "Azure のディスクは、既定では Microsoft マネージド キーを使用して保存時に既に暗号化されています。ホスト VM OS ディスクの暗号化は、ADE と DES を使用して可能であり、サポートされています: 賢明で永続的なユーザー データはセッション ホスト ディスクに格納せず、コンプライアンス上の理由で厳密に必要な場合にのみ使用する必要があります。Azure Files を使用した FSLogix ストレージの暗号化は、Azure Storage 上の SSE を使用して実行できます。OneDrive の暗号化については、次の記事を参照してください https://learn.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services。",
"guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "低い",
"subcategory": "ホスト構成",
"text": "AVD ホストのディスク暗号化要件を評価する"
@ -769,7 +769,7 @@
"category": "安全",
"description": "サブスクリプション、仮想マシン、キー コンテナー、ストレージ アカウントに対して Azure セキュリティ センター Standard を有効にすることをお勧めします。Azure Security Center Standard を使用すると、脆弱性の評価と管理、PCI などの一般的なフレームワークへの準拠の評価、AVD 環境の全体的なセキュリティの強化が可能になります。",
"guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "中程度",
"subcategory": "安全",
"text": "AVD セッションホストに対する Azure セキュリティ センター(ASC)の使用状況を評価する"
@ -778,7 +778,7 @@
"category": "安全",
"description": "たとえば、デスクトップのロックアウトやアイドル状態のセッション終了を課すために使用する必要があります。オンプレミス環境に適用されている既存の GPO を確認し、最終的には AVD ホストもセキュリティで保護するために適用する必要があります。",
"guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "中程度",
"subcategory": "安全",
"text": "アクティブ ディレクトリ GPO を確認して RDP セッションをセキュリティで保護する"
@ -787,7 +787,7 @@
"category": "安全",
"description": "詳細と分析情報については、次の記事を参照してください。 https://christiaanbrinkhoff.com/2020/03/23/learn-how-to-increase-the-security-level-of-your-windows-virtual-desktop-environment-e-g-windows-client-with-azure-mfa-and-conditional-access",
"guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-mfa",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
"severity": "低い",
"subcategory": "安全",
"text": "AVD ユーザーの MFA の使用を評価する"
@ -796,7 +796,7 @@
"category": "安全",
"description": "条件付きアクセスを有効にすると、Windows 仮想デスクトップ環境へのアクセス権をユーザーに付与する前にリスクを管理できます。アクセスを許可するユーザーを決定するときは、ユーザーが誰であるか、サインインする方法、使用しているデバイスも考慮することをお勧めします。",
"guid": "556246b4-3856-44b4-bc74-a748b6633ad2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "低い",
"subcategory": "安全",
"text": "ユーザーの条件付きアクセスの使用状況を評価する"
@ -805,7 +805,7 @@
"category": "安全",
"description": "監査ログの収集を有効にすると、Windows 仮想デスクトップに関連するユーザーと管理者のアクティビティを表示できます。これは、AVD 監視ツールを取得して使用するための要件でもあります。有効にすることを強くお勧めします。",
"guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "中程度",
"subcategory": "安全",
"text": "中央の Log Analytics ワークスペースへの診断ログと監査ログを有効にする"
@ -814,7 +814,7 @@
"category": "安全",
"description": "AVD は、Azure ロールベースのアクセス制御(RBAC)を使用して、ユーザーと管理者にロールを割り当てます。これらのロールは、管理者に特定のタスクを実行する権限を付与します。職務の分離が必要な場合、Windows Virtual Desktop には、ホスト プール、アプリ グループ、およびワークスペースの管理役割を分離できる追加の役割があります。この分離により、管理タスクをよりきめ細かく制御できます。これらのロールには、Azure の標準ロールと最小特権の方法論に準拠した名前が付けられています。",
"guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
"link": "https://learn.microsoft.com/azure/virtual-desktop/rbac",
"severity": "低い",
"subcategory": "安全",
"text": "AVD 管理にカスタム RBAC ロールを使用する要件を評価する"
@ -823,7 +823,7 @@
"category": "安全",
"description": "セキュリティのベストプラクティスと推奨事項の包括的なセットは、参照記事に含まれているため、確認することをお勧めします。",
"guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "中程度",
"subcategory": "安全",
"text": "AVD 環境に関するすべてのセキュリティのベストプラクティスを確認する"
@ -832,7 +832,7 @@
"category": "監視と管理",
"description": "Azure Monitor for Windows Virtual Desktop は、Azure Monitor ブック上に構築されたダッシュボードであり、IT プロフェッショナルが Windows 仮想デスクトップ環境を理解するのに役立ちます。Windows 仮想デスクトップ環境を監視するように Windows 仮想デスクトップ用 Azure Monitor を設定する方法については、参照先の記事をお読みください。",
"guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-monitor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-monitor",
"severity": "高い",
"subcategory": "モニタリング",
"text": "AVD の Azure モニタリングを有効にする"
@ -841,16 +841,16 @@
"category": "監視と管理",
"description": "Windows Virtual Desktop では、他の多くの Azure サービスと同様に、監視とアラートに Azure Monitor と Log Analytics を使用します。これにより、管理者は単一のインターフェイスから問題を特定できます。このサービスは、ユーザー操作と管理者操作の両方のアクティビティ ログを作成します。 各アクティビティ ログは、管理、フィード、接続、ホスト登録、エラー、チェックポイントのカテゴリに分類されます。",
"guid": "81770afb-c4c0-4e43-a186-58d2857ed671",
"link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"link": "https://learn.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"severity": "中程度",
"subcategory": "モニタリング",
"text": "ワークスペース、ホスト プール、アプリケーション グループ、ホスト VM の診断設定を有効にして Log Analytics ワークスペースにリダイレクトする"
},
{
"category": "監視と管理",
"description": "参照されている記事と、ストレージの適切な監視とアラートを設定するには、次の追加の記事を参照してください。 https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance。",
"description": "参照されている記事と、ストレージの適切な監視とアラートを設定するには、次の追加の記事を参照してください。 https://learn.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance。",
"guid": "2463cffe-179c-4599-be0d-5973dd4ce32c",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"severity": "中程度",
"subcategory": "モニタリング",
"text": "プロファイルストレージにアラートを作成して、使用率とスロットリングが高い場合にアラートを受け取る"
@ -859,7 +859,7 @@
"category": "監視と管理",
"description": "Azure サービス正常性を使用して、Windows 仮想デスクトップのサービスの問題と正常性アドバイザリを監視できます。Azure Service Health では、さまざまな種類のアラート (電子メールや SMS など) で通知し、問題の影響を理解し、問題の解決時に最新情報を入手できます。",
"guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"severity": "中程度",
"subcategory": "モニタリング",
"text": "AVD アラートの Azure サービス正常性を構成する"
@ -868,7 +868,7 @@
"category": "監視と管理",
"description": "スケーリング ツールは、セッション ホスト VM のコストを最適化したいお客様向けに、低コストの自動化オプションを提供します。スケーリング ツールを使用して、ピーク時とオフピーク時の営業時間に基づいて VM を起動および停止するようにスケジュールしたり、CPU コアあたりのセッション数に基づいて VM をスケールアウトしたり、オフピーク時に VM をスケールインしたりして、セッション ホスト VM の最小数を実行したままにすることができます。パーソナルホストプールタイプではまだ使用できないため、ホストプールごとに個別に設定することをお勧めします。",
"guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"severity": "低い",
"subcategory": "管理",
"text": "ホスト プールの自動スケーリング機能の要件を評価する"
@ -877,7 +877,7 @@
"category": "監視と管理",
"description": "Azure Advisor は、構成とテレメトリを分析して、一般的な問題を解決するためのパーソナライズされた推奨事項を提供します。これらの推奨事項を使用すると、信頼性、セキュリティ、オペレーショナル エクセレンス、パフォーマンス、コストに関して Azure リソースを最適化できます。",
"guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-advisor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor",
"severity": "低い",
"subcategory": "管理",
"text": "AVD に関する Azure アドバイザーの推奨事項を定期的に確認する"
@ -886,16 +886,16 @@
"category": "監視と管理",
"description": "ゴールデン イメージの更新を管理するための戦略を準備します (たとえば、セキュリティ修正プログラムの適用やイメージ内にインストールされているアプリケーションの更新など)。Azure Image Builder Service は、VM のビルドとカスタマイズを自動化するためのファースト パーティのソリューションです。ARM テンプレートを使用して新しいホストを作成し、古いホストを使用停止にすることができます。 https://github.com/Azure/RDS-Templates/tree/master/ARM-AVD-templates/AddVirtualMachinesToHostPool 推奨されるアプローチは、新しいプールをサイド バイ サイドで作成し、ロールバックしやすく、専用プールに使用できない ARM テンプレートを使用して VM を再デプロイして数を増やすことも実行可能なオプションです。お客様は、既存のソフトウェア配布方法を使用して、SCCM などで検討するために、再展開せずにイメージを更新することもできます。",
"guid": "d7b68d0c-7555-462f-8b3e-4563b4d874a7",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "中程度",
"subcategory": "管理",
"text": "ゴールデンイメージ更新管理戦略を計画する"
},
{
"category": "監視と管理",
"description": "お客様にはいくつかのオプションがあります。- Microsoft エンドポイント構成マネージャー、この記事では、Windows 10 エンタープライズ マルチセッションを実行している Windows 仮想デスクトップ ホストに更新プログラムを自動的に適用するように Microsoft エンドポイント構成マネージャーを構成する方法について説明します。 https://docs.microsoft.com/azure/virtual-desktop/configure-automatic-updates- マイクロソフト Intune : https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- OS をサポートする第三者 - Azure Update Management (Azure Automation)、現在はクライアント OS ではサポートされていません: https://docs.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt は、パッチ適用戦略から離れ、可能であれば再イメージ化戦略に移行することをお勧めします。",
"description": "お客様にはいくつかのオプションがあります。- Microsoft エンドポイント構成マネージャー、この記事では、Windows 10 エンタープライズ マルチセッションを実行している Windows 仮想デスクトップ ホストに更新プログラムを自動的に適用するように Microsoft エンドポイント構成マネージャーを構成する方法について説明します。 https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates- マイクロソフト Intune : https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- OS をサポートする第三者 - Azure Update Management (Azure Automation)、現在はクライアント OS ではサポートされていません: https://learn.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt は、パッチ適用戦略から離れ、可能であれば再イメージ化戦略に移行することをお勧めします。",
"guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "中程度",
"subcategory": "管理",
"text": "セッションホストのパッチ適用と更新戦略を計画する"
@ -904,7 +904,7 @@
"category": "監視と管理",
"description": "ホスト プールは、Windows 仮想デスクトップ環境内の 1 つ以上の同一の仮想マシンのコレクションです。サービス更新プログラムが最初に適用される検証ホスト プールを作成することを強くお勧めします。これにより、サービスの更新を標準環境または非検証環境に適用する前に監視できます。",
"guid": "d1e8c38e-c936-4667-913c-005674b1e944",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"severity": "低い",
"subcategory": "管理",
"text": "AVD テストカナリア環境の要件を評価する"
@ -922,7 +922,7 @@
"category": "監視と管理",
"description": "Windows 仮想デスクトップ サービス内のホスト プールに VM を登録すると、VM がアクティブになるたびに、エージェントによって VM のトークンが定期的に更新されます。登録トークンの証明書は 90 日間有効です。この 90 日間の制限のため、マシンがトークンを更新し、エージェントとサイド バイ サイド スタック コンポーネントを更新できるように、VM を 90 日ごとに 20 分間オンラインにすることをお勧めします。",
"guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "中程度",
"subcategory": "管理",
"text": "トークンの更新のために 90 日ごとに VM を定期的にオンにする"
@ -940,7 +940,7 @@
"category": "BC/DR",
"description": "アクティブ-アクティブ」モデルは、異なるリージョンにある複数のホスト プールで実現できます。異なるリージョンの VM を含む単一のホスト プールは推奨されません。同じユーザーに対して複数のプールを使用する場合は、ユーザー プロファイルを同期/レプリケートする方法の問題を解決する必要があります。FSLogix Cloud Cache を使用することもできますが、慎重に確認して計画する必要があります。または、同期/レプリケートをまったく行わないことをお客様が決定できます。\"アクティブ/パッシブ\" は、Azure Site Recovery (ASR) または自動化されたメカニズムを使用したオンデマンド プール デプロイを使用して実現できます。",
"guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "中程度",
"subcategory": "計算する",
"text": "AVD ホストプールの geo ディザスタリカバリリージョンの評価"
@ -949,7 +949,7 @@
"category": "BC/DR",
"description": "Windows 仮想デスクトップ BCDR の計画と設計に取り組む前に、AVD を介して使用されるアプリケーションを最初に検討することが重要です。重要でないアプリから分離し、異なるディザスター リカバリーのアプローチと機能を備えた別のホスト プールを使用することをお勧めします。",
"guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "中程度",
"subcategory": "計算する",
"text": "重要なアプリケーションを異なる AVD ホストプールに分離"
@ -958,7 +958,7 @@
"category": "BC/DR",
"description": "?ホスト プール VM に適切な回復性レベルを選択しましたか (可用性セットと可用性ゾーン)??AS または AZ に伴う HA SLA とスケーラビリティの制限への影響を認識していますか? ?現在、可用性セットなしで Windows 仮想デスクトップ ARM テンプレートのデプロイごとに 399 台の VM をデプロイすることも、可用性セットごとに 200 台の VM をデプロイすることもできます。デプロイあたりの VM の数を増やすには、ARM テンプレートまたは Azure portal ホスト プールの登録で可用性セットをオフにします。AZのデプロイが可能になり、現時点では一度に1つのAZで、目的のAZごとにVMの一部を手動で作成する必要があります。",
"guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "高い",
"subcategory": "計算する",
"text": "AVD ホストプール展開に最適な復元力オプションを計画する"
@ -967,7 +967,7 @@
"category": "BC/DR",
"description": "Azure Backup はホスト プール VM を保護するためにも使用できますが、ホスト プール VM をステートレスにする必要がある場合でも、この方法はサポートされます。このオプションは、個人用ホスト プールで検討できます。",
"guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "中程度",
"subcategory": "計算する",
"text": "AVD セッションホストをバックアップする要件を評価する"
@ -976,7 +976,7 @@
"category": "BC/DR",
"description": "FSLogix ユーザー プロファイル内のすべてのデータが、障害から保護する必要があるわけではありません。さらに、OneDrive やファイル サーバー/共有などの外部ストレージが使用されている場合、FSLogix プロファイルに残っているものは最小限であり、極端な状況では失われる可能性があります。また、プロファイル内のデータを他のストレージ (キャッシュ モードの Outlook 受信トレイなど) から再構築できる場合もあります。",
"guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt",
"severity": "中程度",
"subcategory": "貯蔵",
"text": "プロファイルコンテナとオフィスコンテナ内で保護する必要があるデータを評価します"
@ -985,7 +985,7 @@
"category": "BC/DR",
"description": "重要なユーザーデータのデータ損失を防ぐことは重要であり、最初のステップは、どのデータを保存して保護する必要があるかを評価することです。OneDriveまたはその他の外部ストレージを使用している場合は、ユーザープロファイルやOfficeコンテナのデータを保存する必要がない場合があります。重要なユーザー データを保護するには、適切なメカニズムを検討する必要があります。Azure Backup サービスは、Azure Files Standard レベルと Premium レベルに格納されているときに、プロファイルとオフィス コンテナーのデータを保護するために使用できます。Azure NetApp Files Snapshots と Policies は、Azure NetApp Files (すべての層) に使用できます。",
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "中程度",
"subcategory": "貯蔵",
"text": "プロファイルコンテナとオフィスコンテナのバックアップ保護戦略を構築する"
@ -994,16 +994,16 @@
"category": "BC/DR",
"description": "AVD では、FSLogix コンテナに存在するユーザーデータに複数のレプリケーションメカニズムと戦略を使用できます。プロファイル パターン #1: ネイティブの Azure ストレージ レプリケーション メカニズム (Azure Files Standard GRS レプリケーション、Azure NetApp Files クロスリージョン レプリケーション、VM ベースのファイル サーバー用の Azure Files Sync など)Azure Files にゾーン レプリケート ストレージ (ZRS) または geo レプリケート ストレージ (GRS) を使用することをお勧めします。ローカルのみの回復性を持つ LRS は、ゾーン/リージョンの保護が必要ない場合に使用できます。注: Azure ファイル共有標準は LRS/ZRS/GRS ですが、100 TB の大容量サポートが有効になっている場合は LRS/ZRS のみがサポートされます。?プロファイル パターン #2: FSLogix Cloud Cache は、異なる (最大 4 つの) ストレージ アカウント間でコンテナーをレプリケートするための自動メカニズムで構築されています。クラウドキャッシュは、次の場合にのみ使用する必要があります。ユーザー プロファイルまたは Office コンテナーのデータ可用性が必要 高可用性 SLA は重要であり、リージョンの障害に対する回復性が必要です。選択したストレージ オプションは、BCDR 要件を満たすことができません。たとえば、Azure ファイル共有 Premium レベル、または大きなファイルのサポートが有効になっている Azure ファイル共有標準では、GRS は使用できません。異種ストレージ間のレプリケーションが必要な場合。プロファイル パターン #3: ユーザー データ/プロファイル コンテナーではなく、アプリケーション データに対してのみ geo ディザスター リカバリーを設定する: 重要なアプリケーション データを、OneDrive や独自の組み込み DR メカニズムを備えたその他の外部ストレージなどの個別のストレージに格納します。",
"guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "中程度",
"subcategory": "貯蔵",
"text": "BCDRを目的としたプロファイルコンテナストレージレプリケーションの要件と回復性を評価する"
},
{
"category": "BC/DR",
"description": "geo ディザスター リカバリー: Azure NetApp Files は基本的に LRS (ローカルにレプリケートされたストレージ) であるため、リージョン間のレプリケーションが必要な場合は、さらに何かを設計する必要があります。現時点でのクロスリージョンの推奨事項は、別の Azure リージョン(およびネットアップボリューム)にレプリケートするネットアップクラウド同期です。バックアップ:バックアップはスナップショットによって処理されますが、自動ではなく、ポリシーを使用してスケジュールする必要があります。https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots。ここに記載されているように、ボリュームあたりのスナップショットの上限(255)があります:https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits。",
"description": "geo ディザスター リカバリー: Azure NetApp Files は基本的に LRS (ローカルにレプリケートされたストレージ) であるため、リージョン間のレプリケーションが必要な場合は、さらに何かを設計する必要があります。現時点でのクロスリージョンの推奨事項は、別の Azure リージョン(およびネットアップボリューム)にレプリケートするネットアップクラウド同期です。バックアップ:バックアップはスナップショットによって処理されますが、自動ではなく、ポリシーを使用してスケジュールする必要があります。https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots。ここに記載されているように、ボリュームあたりのスナップショットの上限(255)があります:https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits。",
"guid": "23429db7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"severity": "中程度",
"subcategory": "貯蔵",
"text": "Azure ネットアップ ファイルの DR 戦略を確認する"
@ -1012,7 +1012,7 @@
"category": "BC/DR",
"description": "geo ディザスター リカバリー: Azure Files の GRS は、Standard SKU でのみ使用でき、大規模な共有のサポートはないため、ほとんどのお客様のシナリオには適していません。geo レプリケーションが必要な場合は、Azure ファイル共有プレミアムを使用するときに、FSLogix クラウド キャッシュを使用したレプリケーションを評価するか、\"リージョン内\" 可用性ゾーン (AZ) のみの回復性を考慮する必要があります。バックアップ: Azure Backup は、すべての SKU で Azure ファイル共有を完全にサポートしており、プロファイル コンテナーを保護するために推奨されるソリューションです。OneDriveまたはその他の外部ストレージを使用している場合は、ユーザープロファイルやOfficeコンテナのデータを保存する必要がない場合があります。",
"guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
"link": "https://docs.microsoft.com/azure/backup/backup-afs",
"link": "https://learn.microsoft.com/azure/backup/backup-afs",
"severity": "中程度",
"subcategory": "貯蔵",
"text": "Azure Files DR 戦略を確認する"
@ -1021,7 +1021,7 @@
"category": "BC/DR",
"description": "カスタムイメージを使用して AVD ホストプール VM を展開する場合は、大規模な災害が発生した場合でも、それらのアーティファクトがすべてのリージョンで使用可能であることを確認することが重要です。Azure コンピューティング ギャラリー サービスを使用すると、ホスト プールがデプロイされているすべてのリージョンで、冗長ストレージと複数のコピーでイメージをレプリケートできます。",
"guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"severity": "低い",
"subcategory": "依存 関係",
"text": "ゴールデン イメージのリージョン間の可用性を計画する"
@ -1030,7 +1030,7 @@
"category": "BC/DR",
"description": "AVD インフラストラクチャのユーザがオンプレミスのリソースアクセスを必要とする場合、接続に必要なネットワークインフラストラクチャの高可用性も重要であり、考慮する必要があります。認証インフラストラクチャの回復性を評価および評価する必要があります。依存アプリケーションやその他のリソースの BCDR の側面は、セカンダリ DR の場所の可用性を確保するために考慮する必要があります。",
"guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "中程度",
"subcategory": "依存 関係",
"text": "インフラストラクチャとアプリケーションの依存関係を評価する"

226
checklists/avd_checklist.ko.json
Просмотреть файл

@ -40,7 +40,7 @@
"category": "토대",
"description": "온-프레미스 환경에 연결해야 하는 경우 현재 연결 옵션을 평가하거나 필요한 연결을 계획합니다. ",
"guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "보통",
"subcategory": "일반",
"text": "온-프레미스 환경에 연결하는 데 하이브리드 연결이 필요한지 확인"
@ -58,7 +58,7 @@
"category": "토대",
"description": "AVD는 특정 지리적 위치에서만 서비스를 실행하기 위해 메타데이터를 저장하고, 현재 사용 가능한 항목을 결정하고, 고객 요구 사항에 따라 적합한 경우 결정합니다. ",
"guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
"link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
"link": "https://learn.microsoft.com/azure/virtual-desktop/data-locations",
"severity": "보통",
"subcategory": "일반",
"text": "AVD 서비스의 메타데이터 위치 결정"
@ -67,7 +67,7 @@
"category": "토대",
"description": "특히 GPU 또는 고사양 SKU가 필요한 경우 특정 VM SKU를 확인하고 결국 Azure NetApp 파일 가용성(사용되는 경우)을 확인합니다. ",
"guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "낮다",
"subcategory": "일반",
"text": "선택한 지역의 특정 VM 크기에 대한 Azure 할당량 및 가용성 확인"
@ -76,7 +76,7 @@
"category": "토대",
"description": "자세한 내용은 BCDR 섹션을 참조하세요.",
"guid": "be1f38ce-f398-412b-b463-cbbac89c199d",
"link": "https://docs.microsoft.com/azure/availability-zones/az-region",
"link": "https://learn.microsoft.com/azure/availability-zones/az-region",
"severity": "보통",
"subcategory": "일반",
"text": "선택한 리전의 가용 영역(AZ) 가용성 확인"
@ -85,7 +85,7 @@
"category": "토대",
"description": "적절한 계획 및 배포를 위해서는 최대 사용자 수와 평균 동시 세션 수를 평가하는 것이 중요합니다. ",
"guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "보통",
"subcategory": "클라이언트 및 사용자",
"text": "AVD에 연결할 사용자 수와 지역 평가"
@ -94,7 +94,7 @@
"category": "토대",
"description": "여러 호스트 풀은 다른 사용자 집합을 지원하는 데 필요할 수 있으므로 필요한 사용자 수를 예측하는 것이 좋습니다. ",
"guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "보통",
"subcategory": "클라이언트 및 사용자",
"text": "모든 사용자가 동일한 애플리케이션 집합 및/또는 다른 호스트 풀 구성 및/또는 OS 이미지를 사용하는지 확인"
@ -103,7 +103,7 @@
"category": "토대",
"description": "AVD 풀 외부의 리소스에 대한 종속성(예: Active Directory, 외부 파일 공유 또는 기타 스토리지, 온-프레미스 서비스 및 리소스, VPN 및/또는 Express 경로와 같은 네트워크 인프라 구성 요소, 외부 서비스 및 타사 구성 요소)을 평가하고 검토해야 합니다. 이러한 모든 리소스에 대해 AVD 호스트 풀의 대기 시간을 평가하고 연결을 고려해야 합니다. 또한 BCDR 고려 사항을 이러한 종속성에도 적용해야 합니다.",
"guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "낮다",
"subcategory": "클라이언트 및 사용자",
"text": "각 호스트 풀에 대한 외부 종속성 평가"
@ -112,7 +112,7 @@
"category": "토대",
"description": "각 클라이언트의 제한 사항을 검토하고 가능한 경우 여러 옵션을 비교합니다.",
"guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"link": "https://learn.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"severity": "보통",
"subcategory": "클라이언트 및 사용자",
"text": "사용된 클라이언트 OS 및 AVD 클라이언트 유형 검토"
@ -139,7 +139,7 @@
"category": "토대",
"description": "사용자에게 전체 데스크톱 및/또는 원격 애플리케이션 그룹이 제공되는지 여부를 결정합니다. ",
"guid": "13c00567-4b1e-4945-a459-837ee7ad6c6d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "낮다",
"subcategory": "클라이언트 및 사용자",
"text": "사용자가 전체 데스크톱 및/또는 원격 애플리케이션을 사용하여 AVD에 액세스할지 여부 결정 "
@ -148,7 +148,7 @@
"category": "토대",
"description": "RDP 설정은 현재 사용자/그룹이 아닌 호스트 풀 수준에서만 구성할 수 있습니다.",
"guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
"link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"link": "https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"severity": "낮다",
"subcategory": "클라이언트 및 사용자",
"text": "모든 사용자가 동일한 RDP 설정을 사용합니까? "
@ -157,7 +157,7 @@
"category": "토대",
"description": "관리되는 네트워크에 대한 RDP Shortpath는 원격 데스크톱 클라이언트와 세션 호스트 간에 직접 UDP 기반 전송을 설정하는 Azure 가상 데스크톱의 기능입니다. 추가 릴레이를 제거하면 왕복 시간이 줄어들어 대기 시간에 민감한 애플리케이션 및 입력 방법에 대한 사용자 경험이 향상됩니다. RDP 단축 경로를 지원하려면 Azure 가상 데스크톱 클라이언트가 세션 호스트에 대한 직접적인 가시선이 필요하며 Windows 10 또는 Windows 7을 실행하고 Windows 데스크톱 클라이언트가 설치되어 있어야 합니다.",
"guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
"link": "https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"severity": "보통",
"subcategory": "클라이언트 및 사용자",
"text": "관리되는 내부 네트워크에서 연결하는 클라이언트에 대한 RDP ShortPath 평가"
@ -166,7 +166,7 @@
"category": "토대",
"description": "공유/공동 또는 전용/개인",
"guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "높다",
"subcategory": "용량 계획",
"text": "사용할 호스트 풀 유형 결정"
@ -175,7 +175,7 @@
"category": "토대",
"description": "자동 할당과 직접 할당의 차이점을 잘 이해하고 선택한 옵션이 해당 시나리오에 적합한지 확인합니다.",
"guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"severity": "보통",
"subcategory": "용량 계획",
"text": "개인 호스트 풀 유형의 경우 할당 유형을 결정합니다."
@ -184,16 +184,16 @@
"category": "토대",
"description": "사용할 항목과 사용 가능한 옵션을 확인하고 자동 크기 조정을 사용할 경우 너비 우선으로 설정합니다. ",
"guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
"link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"link": "https://learn.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"severity": "보통",
"subcategory": "용량 계획",
"text": "풀링된 호스트 풀 유형의 경우 부하 분산 방법 결정"
},
{
"category": "토대",
"description": "선택 기준에 따라 필요한 호스트 풀 수는 몇 개입니까? 다음과 같은 경우 여러 개를 갖는 것을 고려해야합니다. 여러 OS 이미지? 여러 지역? 다른 HW가 필요합니까? 다른 호스트 풀 유형(공유 대 개인)? 다른 사용자 요구 사항 및 SLA (상위 사용자, 임원, 사무원 대 개발자 등)? 다른 RDP 설정(호스트 풀 수준에서 적용됨)은 https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties? 최대 용량을 초과하는 호스트 풀의 필수 VM 수",
"description": "선택 기준에 따라 필요한 호스트 풀 수는 몇 개입니까? 다음과 같은 경우 여러 개를 갖는 것을 고려해야합니다. 여러 OS 이미지? 여러 지역? 다른 HW가 필요합니까? 다른 호스트 풀 유형(공유 대 개인)? 다른 사용자 요구 사항 및 SLA (상위 사용자, 임원, 사무원 대 개발자 등)? 다른 RDP 설정(호스트 풀 수준에서 적용됨)은 https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties? 최대 용량을 초과하는 호스트 풀의 필수 VM 수",
"guid": "c7c791dc-a1f6-4d56-999e-558b937d4985",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "높다",
"subcategory": "용량 계획",
"text": "배포할 여러 호스트 풀의 수 예상 "
@ -202,7 +202,7 @@
"category": "토대",
"description": "제공된 링크를 사용하여 SKU 결정의 시작점을 설정한 다음, 성능 테스트를 사용하여 유효성을 검사합니다. 프로덕션에 대해 최소 4개의 코어가 세션 호스트(다중 세션)당 선택되었는지 확인합니다.",
"guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"severity": "보통",
"subcategory": "용량 계획",
"text": "워크로드 성능 테스트를 실행하여 사용할 최상의 Azure VM SKU 및 크기 결정(풀당 호스트 수 결정)"
@ -211,7 +211,7 @@
"category": "토대",
"description": "참조된 문서에 보고된 AVD 용량 및 한계를 확인하는 것이 중요합니다. ",
"guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"severity": "높다",
"subcategory": "용량 계획",
"text": "환경에 대한 AVD 확장성 제한 확인"
@ -220,7 +220,7 @@
"category": "토대",
"description": "GPU가 있는 호스트 풀에는 특별한 구성이 필요하므로 참조된 문서를 검토하세요. ",
"guid": "c936667e-13c0-4056-94b1-e945a459837e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"severity": "보통",
"subcategory": "용량 계획",
"text": "세션 호스트에 GPU가 필요한지 여부 결정"
@ -229,7 +229,7 @@
"category": "토대",
"description": "가능하면 가속화된 네트워킹 기능이 있는 VM SKU를 활용하는 것이 좋습니다. 오늘 pnly 윈도우 서버 OS가 지원됩니다 (기사의 목록 참조), 향후 윈도우 클라이언트 OS도 포함될 수 있습니다. ",
"guid": "b47a393a-0803-4272-a479-8b1578b219a4",
"link": "https://docs.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"link": "https://learn.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"severity": "낮다",
"subcategory": "용량 계획",
"text": "Azure에서 가속화된 네트워킹 기능을 활용할 수 있는 VM SKU를 사용하는 것이 좋습니다."
@ -238,7 +238,7 @@
"category": "신원",
"description": "Azure 구독은 Windows 서버 Active Directory 또는 Azure AD DS 인스턴스를 포함하거나 연결된 가상 네트워크를 포함하는 동일한 Azure AD 테넌트의 부모여야 합니다.",
"guid": "6ceb5443-5125-4922-9442-93bb628537a5",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "높다",
"subcategory": "요구 사항",
"text": "Azure Active Directory 테넌트는 하나 이상의 구독이 연결된 상태에서 사용할 수 있어야 합니다."
@ -247,7 +247,7 @@
"category": "신원",
"description": "Azure AD 커넥트(하이브리드 조직의 경우) 또는 Azure AD 도메인 서비스(하이브리드 또는 클라우드 조직의 경우)를 사용하여 이를 구성할 수 있습니다.",
"guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "높다",
"subcategory": "요구 사항",
"text": "Windows Server Active Directory 포리스트/도메인이 Azure Active Directory와 동기화되어 있습니다."
@ -256,7 +256,7 @@
"category": "신원",
"description": "(1) 사용자는 Azure AD에 연결된 동일한 Active Directory에서 제공되어야 합니다. Windows Virtual Desktop은 B2B 또는 MSA 계정을 지원하지 않습니다. (2) Windows 가상 데스크톱을 구독하는 데 사용하는 UPN은 VM이 가입된 Active Directory 도메인에 있어야 합니다.",
"guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "보통",
"subcategory": "요구 사항",
"text": "Windows 가상 데스크톱에 연결하기 위한 사용자 계정 요구 사항 확인"
@ -265,7 +265,7 @@
"category": "신원",
"description": "VM은 표준 도메인 가입 또는 하이브리드 AD 가입이어야 합니다. 가상 머신은 Azure AD에 조인할 수 없습니다.",
"guid": "ea962a15-9394-46da-a7cc-3923266b2258",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "보통",
"subcategory": "요구 사항",
"text": "생성될 AVD 세션 호스트에 대한 VM 요구 사항 확인"
@ -274,7 +274,7 @@
"category": "신원",
"description": "자체 관리형 Active Directory 도메인 서비스, Azure Active Directory 및 관리되는 Azure Active Directory 도메인 서비스 비교",
"guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
"link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"link": "https://learn.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"severity": "낮다",
"subcategory": "요구 사항",
"text": "AVD용 AAD-DS(Azure Active Directory 도메인 서비스)를 사용하기 전에 제한 사항을 검토해야 합니다. "
@ -283,7 +283,7 @@
"category": "신원",
"description": "Azure의 AD DC는 AVD 세션 호스트에 로그인하는 사용자와 결국 Azure NetApp 파일 및 AD 통합에 대한 대기 시간을 줄이는 데 권장됩니다. ADC는 모든 자식 도메인에 대해 DC와 통신할 수 있어야 합니다. 또는 온-프레미스 연결을 사용하여 AD DC에 연결해야 합니다. ",
"guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
"link": "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"severity": "보통",
"subcategory": "활성 디렉터리",
"text": "AVD 호스트 풀에 가까운 Azure VNET 환경에서 두 개 이상의 활성 디렉터리 DC(도메인 컨트롤러)를 만듭니다."
@ -292,7 +292,7 @@
"category": "신원",
"description": "별도의 OU 계층 구조 아래에 호스트 풀당 별도의 OU를 만드는 것이 좋습니다. 이러한 OU에는 AVD 세션 호스트의 컴퓨터 계정이 포함됩니다. ",
"guid": "6db55f57-9603-4334-adf9-cc23418db612",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "낮다",
"subcategory": "활성 디렉터리",
"text": "각 호스트 풀에 대해 Active Directory에서 특정 OU를 만듭니다."
@ -301,7 +301,7 @@
"category": "신원",
"description": "신중하게 검토하고 AVD 호스트 풀을 포함하는 OU에 대한 GPO 상속을 차단/필터링합니다. ",
"guid": "7126504b-b47a-4393-a080-327294798b15",
"link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"link": "https://learn.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"severity": "보통",
"subcategory": "활성 디렉터리",
"text": "OU에 적용되고 호스트 풀 VM 기능에 영향을 주는 도메인 GPO를 검토합니다."
@ -310,7 +310,7 @@
"category": "신원",
"description": "특정 권한이 있고 기본 10개의 조인 제한이 없는 특정 전용 계정을 사용하는 것이 좋습니다. ",
"guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "보통",
"subcategory": "활성 디렉터리",
"text": "VM을 도메인에 가입시킬 수 있는 권한만 있는 전용 사용자 계정 만들기"
@ -319,7 +319,7 @@
"category": "신원",
"description": "사용자당 액세스 권한을 부여하지 말고 대신 AD 그룹을 사용하고 Azure AD에서 ADC를 사용하여 복제합니다. ",
"guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "보통",
"subcategory": "활성 디렉터리",
"text": "각 호스트 풀 응용 프로그램 그룹(DAG 또는 RAG)에 대한 액세스 권한이 부여될 각 사용자 집합에 대해 도메인 사용자 그룹 만들기"
@ -328,7 +328,7 @@
"category": "신원",
"description": "Azure 파일 공유 및 Active Directory 인증을 통합하는 절차의 일부로 저장소 계정(파일 공유)을 나타내는 AD 계정이 만들어집니다. 컴퓨터 계정 또는 서비스 로그온 계정으로 등록하도록 선택할 수 있으며, 자세한 내용은 FAQ를 참조하세요. 컴퓨터 계정의 경우 AD에 설정된 기본 암호 만료 기간이 30일입니다. 마찬가지로 서비스 로그온 계정에는 AD 도메인 또는 OU(조직 구성 단위)에 설정된 기본 암호 만료 기간이 있을 수 있습니다. 두 계정 유형 모두 AD 환경에 구성된 암호 만료 기간을 확인하고 최대 암호 사용 기간 전에 AD 계정의 스토리지 계정 ID의 암호를 업데이트하도록 계획하는 것이 좋습니다. AD에서 새 AD OU(조직 구성 단위)를 만들고 그에 따라 컴퓨터 계정 또는 서비스 로그온 계정에서 암호 만료 정책을 사용하지 않도록 설정할 수 있습니다.",
"guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"severity": "낮다",
"subcategory": "활성 디렉터리",
"text": "Azure Files AD 통합에 사용되는 계정에 대한 조직 암호 만료 정책 검토"
@ -337,7 +337,7 @@
"category": "네트워킹",
"description": "어떤 유형의 하이브리드 연결? 익스프레스 노선, VPN, NVA?",
"guid": "c8639648-a652-4d6c-85e5-02965388e5de",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "보통",
"subcategory": "네트워킹",
"text": "온-프레미스 환경에 대한 하이브리드 연결 아키텍처 검토"
@ -346,7 +346,7 @@
"category": "네트워킹",
"description": "대역폭 요구 사항을 평가하고 VPN/ER 대역폭이 충분하고 대기 시간이 허용되는지 확인합니다. ",
"guid": "d227dd14-2b06-4c21-a799-9a646f4389a7",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "보통",
"subcategory": "네트워킹",
"text": "사용자가 AVD 호스트 풀에서 온-프레미스로 액세스해야 하는 리소스 평가"
@ -355,7 +355,7 @@
"category": "네트워킹",
"description": "CAF (vWAN 대 Hub & Spoke)를 기반으로 AVD 호스트 풀을 배치 할 새로운 것을 검토하거나 권장합니다.",
"guid": "f42c78e7-8c06-4a63-a21a-4956e6a8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"severity": "높다",
"subcategory": "네트워킹",
"text": "AVD 서비스에 대한 랜딩 존 네트워킹 토폴로지 검토"
@ -364,14 +364,14 @@
"category": "네트워킹",
"description": "각 서브넷에 AVD 호스트 풀의 크기를 조정하기에 충분한 공간이 있는지 확인합니다. 다른 호스트 풀의 경우 가능하면 별도의 서브넷을 사용하는 것이 좋습니다. ",
"guid": "20e27b3e-2971-41b1-952b-eee079b588de",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "보통",
"subcategory": "네트워킹",
"text": "여러 호스트 풀에 대한 VNET 및 서브넷 배치 평가"
},
{
"category": "네트워킹",
"description": "몇 가지 옵션을 사용할 수 있습니다. Azure 방화벽 또는 NVA 방화벽, NSG 및/또는 프록시를 사용할 수 있습니다. NSG는 URL로 사용하거나 사용하지 않도록 설정할 수 없으며 포트 및 프로토콜만 사용할 수 있습니다. 프록시는 사용자 브라우저에서 명시적 설정으로만 사용해야 합니다. AVD와 함께 Azure 방화벽 프리미엄을 사용하는 방법에 대한 자세한 내용은 https://aka.ms/AVDfirewall 및 여기 https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop 참조하세요. AVD URL 액세스에 대한 전체 요구사항 목록을 검토하세요.",
"description": "몇 가지 옵션을 사용할 수 있습니다. Azure 방화벽 또는 NVA 방화벽, NSG 및/또는 프록시를 사용할 수 있습니다. NSG는 URL로 사용하거나 사용하지 않도록 설정할 수 없으며 포트 및 프로토콜만 사용할 수 있습니다. 프록시는 사용자 브라우저에서 명시적 설정으로만 사용해야 합니다. AVD와 함께 Azure 방화벽 프리미엄을 사용하는 방법에 대한 자세한 내용은 https://aka.ms/AVDfirewall 및 여기 https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop 참조하세요. AVD URL 액세스에 대한 전체 요구사항 목록을 검토하세요.",
"guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
"link": "https://aka.ms/AVDfirewall",
"severity": "보통",
@ -389,18 +389,18 @@
},
{
"category": "네트워킹",
"description": "사용자 지정 UDR은 AVD 호스트 풀 서브넷에 적용할 수 있습니다(예: Azure 방화벽 또는 NVA로 리디렉션). 이 경우 AVD 컨트롤 플레인으로의 아웃바운드 트래픽에 대한 최적의 경로가 사용되는지 신중하게 검토하는 것이 좋습니다. 이제 서비스 태그를 UDR과 함께 사용할 수 있으므로 AVD 관리부 트래픽을 쉽게 화이트리스트에 추가할 수 있습니다. https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"description": "사용자 지정 UDR은 AVD 호스트 풀 서브넷에 적용할 수 있습니다(예: Azure 방화벽 또는 NVA로 리디렉션). 이 경우 AVD 컨트롤 플레인으로의 아웃바운드 트래픽에 대한 최적의 경로가 사용되는지 신중하게 검토하는 것이 좋습니다. 이제 서비스 태그를 UDR과 함께 사용할 수 있으므로 AVD 관리부 트래픽을 쉽게 화이트리스트에 추가할 수 있습니다. https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
"link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"severity": "낮다",
"subcategory": "네트워킹",
"text": "AVD 호스트 풀 서브넷에 대한 UDR 검토"
},
{
"category": "네트워킹",
"description": "세션 호스트의 AVD 컨트롤 플레인 액세스에 필요한 URL은 https://docs.microsoft.com/azure/virtual-desktop/safe-url-list 에 설명되어 있습니다. 확인 도구를 사용하여 세션 호스트의 연결을 확인할 수 있습니다: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"description": "세션 호스트의 AVD 컨트롤 플레인 액세스에 필요한 URL은 https://learn.microsoft.com/azure/virtual-desktop/safe-url-list 에 설명되어 있습니다. 확인 도구를 사용하여 세션 호스트의 연결을 확인할 수 있습니다: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list",
"link": "https://learn.microsoft.com/azure/virtual-desktop/safe-url-list",
"severity": "높다",
"subcategory": "네트워킹",
"text": "AVD 컨트롤 플레인 엔드포인트에 액세스할 수 있는지 확인"
@ -409,7 +409,7 @@
"category": "네트워킹",
"description": "특정 워크로드 유형에 따라 사용자에 대한 네트워킹 대역폭 요구 사항을 평가하고 검토하는 것이 좋습니다. 참조된 문서는 일반적인 추정 및 권장 사항을 제공하지만 적절한 크기 조정을 위해서는 특정 조치가 필요합니다. ",
"guid": "516785c6-fa96-4c96-ad88-408f372734c8",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"severity": "낮다",
"subcategory": "네트워킹",
"text": "각 사용자에 대해 필요한 네트워크 대역폭 및 VM SKU에 대한 총 네트워크 대역폭 확인"
@ -418,7 +418,7 @@
"category": "계산",
"description": "호스트 풀 배포에 사용할 VM SKU를 선택한 후에는 더 높은 보안 및 향상된 기능을 위해 Gen2 유형의 SKU를 사용하는 것이 좋습니다.",
"guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
"link": "https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2",
"link": "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2",
"severity": "보통",
"subcategory": "세션 호스트",
"text": "호스트 풀 배포를 위한 Gen2 VM 사용량 평가"
@ -427,7 +427,7 @@
"category": "계산",
"description": "애플리케이션은 골든 이미지로 사전 설치하거나, MSIX 및 AppAttach 기능을 사용하여 연결하거나, 기존 SW 배포 방법을 사용하여 풀 배포 후 호스트에 배포할 수 있습니다.",
"guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "높다",
"subcategory": "골든 이미지 / s",
"text": "AVD 호스트 풀에 애플리케이션을 배포하는 방법 결정"
@ -436,7 +436,7 @@
"category": "계산",
"description": "단일 이미지에 적합한 fslogix 응용 프로그램 마스킹을 사용합니까, 아니면 다른 응용 프로그램이 구워진 다중 이미지를 사용합니까?",
"guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "보통",
"subcategory": "골든 이미지 / s",
"text": "필요한 골든 이미지 수 추정"
@ -445,7 +445,7 @@
"category": "계산",
"description": "각 호스트 풀을 배포하는 데 사용할 게스트 OS 결정: Windows 10 대 Windows Server, 마켓플레이스 대 사용자 지정 이미지",
"guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "보통",
"subcategory": "골든 이미지 / s",
"text": "호스트 풀 배포에 사용할 OS 이미지 결정"
@ -454,7 +454,7 @@
"category": "계산",
"description": "아무 것도 없는 경우 Azure 이미지 빌더를 사용하여 빌드 프로세스를 자동화하는 것이 좋습니다. ",
"guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
"link": "https://docs.microsoft.com/azure/virtual-machines/image-builder-overview",
"link": "https://learn.microsoft.com/azure/virtual-machines/image-builder-overview",
"severity": "낮다",
"subcategory": "골든 이미지 / s",
"text": "사용자 지정 이미지를 사용할 경우 자동화된 빌드 프로세스가 있는지 확인합니다."
@ -463,7 +463,7 @@
"category": "계산",
"description": "Azure 계산 갤러리를 평가합니다.",
"guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"severity": "낮다",
"subcategory": "골든 이미지 / s",
"text": "사용자 지정 이미지를 사용할 경우 이미지의 수명 주기를 구성하고 관리할 계획이 있습니까?"
@ -472,14 +472,14 @@
"category": "계산",
"description": "골든 이미지 사용자 지정에 대한 몇 가지 알려진 모범 사례 및 권장 사항이 있으므로 참조된 문서를 확인하십시오. ",
"guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "보통",
"subcategory": "골든 이미지 / s",
"text": "맞춤 이미지를 사용할 경우 마스터 이미지를 빌드하는 방법에 대한 AVD 권장사항을 확인하세요."
},
{
"category": "계산",
"description": "이 도구 집합은 백서 'VDI(가상 데스크톱 인프라) 역할에 대해 Windows 10 버전 2004 최적화'https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 에 참조된 설정을 자동으로 적용하기 위해 만들어졌습니다. 백서에 언급된 도구의 사용 및/또는 최적화를 고려해야 합니다. ",
"description": "이 도구 집합은 백서 'VDI(가상 데스크톱 인프라) 역할에 대해 Windows 10 버전 2004 최적화'https://learn.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 에 참조된 설정을 자동으로 적용하기 위해 만들어졌습니다. 백서에 언급된 도구의 사용 및/또는 최적화를 고려해야 합니다. ",
"guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
"link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool",
"severity": "보통",
@ -490,7 +490,7 @@
"category": "계산",
"description": "초기 배포 후 호스트 풀 VM 구성을 관리하기 위한 구성 관리 도구(예: SCCM, MEM/Intune, GPO, 타사 솔루션)가 이미 있는지 확인합니다.",
"guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
"link": "https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"link": "https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"severity": "낮다",
"subcategory": "골든 이미지 / s",
"text": "AVD 세션 호스트 구성 관리 전략 계획/평가"
@ -499,7 +499,7 @@
"category": "계산",
"description": "제공된 문서를 검토하고 '알려진 폴더 리디렉션' 및 '주문형 파일'을 확인합니다. OneDrive 기능을 고려하고 결국 채택해야 합니다.",
"guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"severity": "보통",
"subcategory": "골든 이미지 / s",
"text": "마이크로소프트 원드라이브가 AVD 배포의 일부가 될지 확인"
@ -508,7 +508,7 @@
"category": "계산",
"description": "이 문서를 검토하고 최신 버전을 사용하고, Teams 제외를 검토 및 평가하여 프로필 크기를 줄여야 합니다.",
"guid": "b5887953-5d22-4788-9d30-b66c67be5951",
"link": "https://docs.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"severity": "보통",
"subcategory": "골든 이미지 / s",
"text": "마이크로소프트 팀이 AVD 배포에 포함될 것인지 확인"
@ -517,7 +517,7 @@
"category": "계산",
"description": "별도의 스토리지 계정/공유를 사용하여 MSIX 패키지를 저장하는 것이 좋습니다. 필요한 경우 저장소는 독립적으로 확장할 수 있으며 프로필 I/O 작업의 영향을 받지 않습니다. Azure는 MISX 앱 연결에 사용할 수 있는 여러 저장소 옵션을 제공합니다. Azure 파일 또는 Azure NetApp 파일은 비용과 관리 오버헤드 간에 최상의 가치를 제공하므로 이러한 옵션을 사용하는 것이 좋습니다. ",
"guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "높다",
"subcategory": "MSIX 및 AppAttach",
"text": "프로필/Office 컨테이너와 동일한 저장소 계정/공유를 사용하지 마세요. "
@ -526,7 +526,7 @@
"category": "계산",
"description": "참조된 문서에서는 AVD 컨텍스트에서 MSIX 사용에 대한 몇 가지 중요한 성능 고려 사항을 보고했으므로 신중하게 검토해야 합니다.",
"guid": "241addce-5793-477b-adb3-751ab2ac1fad",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "높다",
"subcategory": "MSIX 및 AppAttach",
"text": "MSIX에 대한 성능 고려 사항 검토"
@ -535,7 +535,7 @@
"category": "계산",
"description": "MSIX 앱 연결에는 파일 공유에 액세스하기 위한 읽기 전용 권한이 필요합니다. MSIX 애플리케이션을 Azure Files에 저장하는 경우 세션 호스트에 대해 모든 세션 호스트 VM에 공유에 대한 스토리지 계정 RBAC(역할 기반 액세스 제어) 및 파일 공유 NTFS(신기술 파일 시스템) 권한을 모두 할당해야 합니다.",
"guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "보통",
"subcategory": "MSIX 및 AppAttach",
"text": "MSIX 공유에 대한 적절한 세션 호스트 권한 확인"
@ -544,7 +544,7 @@
"category": "계산",
"description": "타사 소프트웨어 공급업체는 MSIX 패키지를 제공해야 하며, 고객이 애플리케이션 소유자의 적절한 지원 없이 변환 절차를 시도하지 않는 것이 좋습니다.",
"guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "보통",
"subcategory": "MSIX 및 AppAttach",
"text": "제3자 애플리케이션을 위한 MSIX 패키지"
@ -553,7 +553,7 @@
"category": "계산",
"description": "MSIX 앱 연결은 MSIX 애플리케이션에 대한 자동 업데이트를 지원하지 않으므로 사용하지 않도록 설정해야 합니다.",
"guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "낮다",
"subcategory": "MSIX 및 AppAttach",
"text": "MSIX 패키지에 대한 자동 업데이트 사용 안 함"
@ -562,7 +562,7 @@
"category": "계산",
"description": "MSIX 및 앱 연결을 활용하려면 AVD 호스트 풀의 게스트 OS 이미지가 Windows 10 Enterprise 또는 Windows 10 Enterprise 다중 세션 버전 2004 이상이어야 합니다.",
"guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "보통",
"subcategory": "MSIX 및 AppAttach",
"text": "운영 체제 지원 검토"
@ -571,7 +571,7 @@
"category": "보관",
"description": "표준 HDD, 표준 SSD 또는 프리미엄 SSD, 임시 디스크는 지원되지 않으며 울트라 디스크는 권장되지 않습니다. 사용자 밀도가 낮지 않고 클라우드 캐시를 사용하려는 경우 OS 디스크에 대한 Premium을 평가하는 것이 좋습니다. ",
"guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"severity": "보통",
"subcategory": "세션 호스트 ",
"text": "세션 호스트에 사용할 관리 디스크 유형 결정 "
@ -580,16 +580,16 @@
"category": "보관",
"description": "Azure NetApp Files, Azure Files, VM 기반 File Server. 파일 서버는 권장되지 않습니다. Azure 파일 프리미엄은 일반적으로 좋은 시작점입니다. NetApp은 일반적으로 대규모/고성능 환경에만 필요합니다. ",
"guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "FSLogix 프로필 및 Office 컨테이너에 사용할 스토리지 백 엔드 솔루션 결정"
},
{
"category": "보관",
"description": "Windows 가상 데스크톱에서는 아래의 재해 복구 섹션에 설명된 대로 특정 BCDR(비즈니스 연속성 및 재해 복구) 시나리오를 계획하지 않는 한 Office 컨테이너 없이 프로필 컨테이너를 사용하는 것이 좋습니다. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"description": "Windows 가상 데스크톱에서는 아래의 재해 복구 섹션에 설명된 대로 특정 BCDR(비즈니스 연속성 및 재해 복구) 시나리오를 계획하지 않는 한 Office 컨테이너 없이 프로필 컨테이너를 사용하는 것이 좋습니다. https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
"link": "https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt",
"link": "https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt",
"severity": "낮다",
"subcategory": "에프에스로직스",
"text": "프로필 컨테이너를 Office 컨테이너에서 분리할 수 있는 가능성 평가"
@ -598,7 +598,7 @@
"category": "보관",
"description": "프로필 컨테이너 스토리지 성능 요구 사항을 예측하기 위한 시작점으로 안정적인 상태에서는 사용자당 10 IOPS, 로그인/로그아웃 중에는 사용자당 50 IOPS를 가정하는 것이 좋습니다.",
"guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "호스트 풀 요구 사항을 지원하기 위한 스토리지 확장성 제한 확인"
@ -616,7 +616,7 @@
"category": "보관",
"description": "가능한 경우 지역 간 네트워크 트래픽과 관련된 추가 대기 시간 및 비용을 도입하지 마십시오.",
"guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "최적의 성능을 위해 저장소 솔루션과 FSLogix 프로필 컨테이너는 동일한 데이터 센터 위치에 있어야 합니다."
@ -625,16 +625,16 @@
"category": "보관",
"description": "참조된 문서에 설명된 대로 FSLogix 프로필 컨테이너 가상 하드 드라이브에 대해 다음 바이러스 백신 제외를 구성해야 합니다.",
"guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "보통",
"subcategory": "에프에스로직스",
"text": "FSLogix에 대해 권장되는 바이러스 백신 제외를 구성합니다(연결 시 VHD(x) 파일을 검색하지 않는 것 포함)."
},
{
"category": "보관",
"description": "기본 기본 및 권장 설정은 다음과 같습니다. https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises 코어 세트는 여기를 참조하십시오. https://docs.microsoft.com/fslogix/configure-profile-container-tutorialSee 전체 참조를 위해 여기: https://docs.microsoft.com/fslogix/profile-container-configuration-reference ",
"description": "기본 기본 및 권장 설정은 다음과 같습니다. https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises 코어 세트는 여기를 참조하십시오. https://learn.microsoft.com/fslogix/configure-profile-container-tutorialSee 전체 참조를 위해 여기: https://learn.microsoft.com/fslogix/profile-container-configuration-reference ",
"guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "FSLogix 레지스트리 키를 검토하고 적용할 레지스트리 키 결정"
@ -643,7 +643,7 @@
"category": "보관",
"description": "동시 또는 다중 연결은 Windows 가상 데스크톱에서 권장되지 않습니다. 가장 좋은 방법은 각 세션에 대해 다른 프로필 위치를 호스트 풀로 만드는 것입니다.",
"guid": "5e985b85-9c77-43e7-b261-623b775a917e",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "동일한 프로필에 대한 동시 또는 다중 연결 사용 확인"
@ -652,7 +652,7 @@
"category": "보관",
"description": "일반적으로 테스트 환경에서 유효성을 검사하려면 워크로드에 따라 각 사용자에 대해 5 - 15 IOPS를 먼저 고려해야 합니다. Azure 파일: 프리미엄 최대 100k IOPS 공유당 (최대 100TB) 및 최대 5Gbps (3ms 대기 시간). Azure 파일이 프로비전되는 방법, 즉 프로비전된 크기에 엄격하게 연결된 IOPS를 알고 있어야 합니다. 경우에 따라 버스트 크기 조정 기능. 충분한 IOPS를 확보하기 위해 필요한 것보다 더 많은 공간을 UPFRONT로 프로비저닝해야 합니다. 참고: Azure Premium은 트랜잭션을 지불하지 않기 때문에 표준보다 저렴할 수 있으며 중요한 세부 정보를 염두에 두어야 합니다. Azure NetApp 파일: 연결된 최대 1000개의 IP를 기억하고, IOPS를 즉시 조정할 수 있으며, 최소 4TB의 프로비저닝된 용량을 기억합니다. ",
"guid": "1f348ff3-64d2-47d4-8e8b-bbc868155abb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "스토리지 크기 조정에 대한 모범 사례 및 주요 고려 사항 검토"
@ -661,7 +661,7 @@
"category": "보관",
"description": "참조된 문서에 설명된 모범 사례 및 권장 사항 목록을 확인하십시오.",
"guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "보통",
"subcategory": "에프에스로직스",
"text": "Azure 파일에 대한 모범 사례 확인(사용되는 경우)"
@ -670,7 +670,7 @@
"category": "보관",
"description": "참조된 문서에 설명된 모범 사례 및 권장 사항 목록을 확인하십시오.",
"guid": "c42149d4-13a9-423c-9574-d11028ac6aae",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "보통",
"subcategory": "에프에스로직스",
"text": "NetApp 파일에 대한 모범 사례 확인(사용되는 경우)"
@ -679,7 +679,7 @@
"category": "보관",
"description": "프로필 컨테이너의 기본 최대 크기는 30GB입니다. 큰 프로필 컨테이너가 예상되고 고객이 작게 유지하려는 경우 OneDrive를 사용하여 FSLogix 프로필 외부에서 Office 365 파일을 호스트하는 것이 좋습니다.",
"guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
"link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/profile-container-configuration-reference",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "FSLogix에서 구성된 최대 프로필 크기를 검토하고 확인합니다."
@ -688,7 +688,7 @@
"category": "보관",
"description": "클라우드 캐시는 로컬 디스크를 캐시로 사용하며 VM 디스크에 많은 압력을 가할 수 있습니다. 가능한 경우 VM SKU를 기반으로 임시(및 로컬로 연결된) VM 디스크의 기능을 활용하는 것이 좋습니다. ",
"guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
"link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/cloud-cache-configuration-reference",
"severity": "보통",
"subcategory": "에프에스로직스",
"text": "FSLogix 클라우드 캐시를 사용하는 경우 캐시 디렉터리를 임시 드라이브로 이동합니다."
@ -697,7 +697,7 @@
"category": "보관",
"description": "REDIRECTION.XML 파일은 프로필 컨테이너에서 C: 드라이브로 리디렉션되는 폴더를 제어하는 데 사용됩니다. 제외는 예외여야 하며 제외를 구성하는 사람이 특정 제외를 완전히 이해하지 않는 한 사용해서는 안 됩니다. 제외는 항상 구현하려는 환경에서 완전히 테스트해야 합니다. 제외를 구성하면 기능, 안정성 및 성능에 영향을 줄 수 있습니다.",
"guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"severity": "보통",
"subcategory": "에프에스로직스",
"text": "FSLogix 리디렉션의 사용법을 검토합니다."
@ -706,7 +706,7 @@
"category": "보관",
"description": "ANF 서브넷을 만들 Azure 가상 네트워크 환경에 대해 Active Directory 사이트를 만들어야 하며, 참조 문서에 설명된 대로 조인 절차를 실행할 때 ANF 연결 속성에 해당 사이트 이름을 지정해야 합니다.",
"guid": "6647e977-db49-48a8-bc35-743f17499d42",
"link": "https://docs.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"link": "https://learn.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"severity": "높다",
"subcategory": "에프에스로직스",
"text": "Azure NetApp 파일 스토리지를 사용하는 경우 AD 연결에서 AD 사이트 이름 설정을 확인합니다."
@ -724,34 +724,34 @@
"category": "안전",
"description": "사용자에게 가상 데스크톱에 대한 관리자 액세스 권한을 부여하지 않는 것이 좋습니다. 소프트웨어 패키지가 필요한 경우 Microsoft 엔드포인트 관리자와 같은 구성 관리 유틸리티를 통해 사용할 수 있도록 하는 것이 좋습니다. 다중 세션 환경에서는 사용자가 소프트웨어를 직접 설치하도록 허용하지 않는 것이 좋습니다.",
"guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "보통",
"subcategory": "호스트 구성",
"text": "AVD 사용자에게 AVD 호스트에 대한 로컬 관리자 권한이 없는지 확인합니다. "
},
{
"category": "안전",
"description": "Microsoft Defender for Endpoint는 이제 Windows 10 Enterprise 다중 세션용 Windows Virtual Desktop을 지원합니다. 비영구 VDI(가상 데스크톱 인프라) 장치 온보딩에 대한 문서를 확인하세요. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"description": "Microsoft Defender for Endpoint는 이제 Windows 10 Enterprise 다중 세션용 Windows Virtual Desktop을 지원합니다. 비영구 VDI(가상 데스크톱 인프라) 장치 온보딩에 대한 문서를 확인하세요. https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"guid": "b1172576-9ef6-4691-a483-5ac932223ece",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "높다",
"subcategory": "호스트 구성",
"text": "바이러스 백신 및 맬웨어 방지 솔루션이 사용되는지 확인"
},
{
"category": "안전",
"description": "다음 제외 사항이 있는지 확인하십시오. https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"description": "다음 제외 사항이 있는지 확인하십시오. https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"guid": "80b12308-1a54-4174-8583-3ea3ad2c2de7",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "높다",
"subcategory": "호스트 구성",
"text": "적절한 AV 제외가 있는지 확인"
},
{
"category": "안전",
"description": "Azure의 디스크는 기본적으로 Microsoft 관리형 키를 사용하여 미사용 시 이미 암호화되어 있습니다. 호스트 VM OS 디스크 암호화는 ADE 및 DES를 사용하여 가능하고 지원됩니다: 합리적이고 적절한 사용자 데이터는 세션 호스트 디스크에 저장해서는 안 되며, 규정 준수를 위해 엄격하게 필요한 경우에만 사용해야 합니다. Azure Files를 사용한 FSLogix 저장소의 암호화는 Azure 저장소에서 SSE를 사용하여 수행할 수 있습니다.OneDrive 암호화에 대해서는 https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services 문서를 참조하세요.",
"description": "Azure의 디스크는 기본적으로 Microsoft 관리형 키를 사용하여 미사용 시 이미 암호화되어 있습니다. 호스트 VM OS 디스크 암호화는 ADE 및 DES를 사용하여 가능하고 지원됩니다: 합리적이고 적절한 사용자 데이터는 세션 호스트 디스크에 저장해서는 안 되며, 규정 준수를 위해 엄격하게 필요한 경우에만 사용해야 합니다. Azure Files를 사용한 FSLogix 저장소의 암호화는 Azure 저장소에서 SSE를 사용하여 수행할 수 있습니다.OneDrive 암호화에 대해서는 https://learn.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services 문서를 참조하세요.",
"guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "낮다",
"subcategory": "호스트 구성",
"text": "AVD 호스트의 디스크 암호화 요구 사항 평가"
@ -769,7 +769,7 @@
"category": "안전",
"description": "구독, 가상 머신, 키 자격 증명 모음 및 저장소 계정에 대해 Azure 보안 센터 표준을 사용하도록 설정하는 것이 좋습니다. Azure 보안 센터 표준을 사용하면 취약성을 평가 및 관리하고, PCI와 같은 일반적인 프레임워크의 준수를 평가하고, AVD 환경의 전반적인 보안을 강화할 수 있습니다.",
"guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "보통",
"subcategory": "안전",
"text": "AVD 세션 호스트에 대한 ASC(Azure 보안 센터) 사용 평가"
@ -778,7 +778,7 @@
"category": "안전",
"description": "예를 들어 데스크톱 잠금 및 유휴 세션 종료를 적용하는 데 사용해야 합니다. 온-프레미스 환경에 적용된 기존 GPO를 검토하고 최종적으로 AVD 호스트도 보호하기 위해 적용해야 합니다. ",
"guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "보통",
"subcategory": "안전",
"text": "활성 디렉터리 GPO를 검토하여 RDP 세션 보호"
@ -787,7 +787,7 @@
"category": "안전",
"description": "자세한 내용과 인사이트는 다음 문서를 참조하세요. https://christiaanbrinkhoff.com/2020/03/23/learn-how-to-increase-the-security-level-of-your-windows-virtual-desktop-environment-e-g-windows-client-with-azure-mfa-and-conditional-access",
"guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-mfa",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
"severity": "낮다",
"subcategory": "안전",
"text": "AVD 사용자의 MFA 사용량 평가"
@ -796,7 +796,7 @@
"category": "안전",
"description": "조건부 액세스를 사용하도록 설정하면 사용자에게 Windows 가상 데스크톱 환경에 대한 액세스 권한을 부여하기 전에 위험을 관리할 수 있습니다. 액세스 권한을 부여할 사용자를 결정할 때는 사용자가 누구인지, 로그인하는 방법, 사용 중인 장치도 고려하는 것이 좋습니다.",
"guid": "556246b4-3856-44b4-bc74-a748b6633ad2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "낮다",
"subcategory": "안전",
"text": "사용자에 대한 조건부 액세스 사용 평가"
@ -805,7 +805,7 @@
"category": "안전",
"description": "감사 로그 수집을 사용하도록 설정하면 Windows 가상 데스크톱과 관련된 사용자 및 관리자 활동을 볼 수 있습니다. 이것은 또한 AVD 모니터링 도구를 사용하고 사용하기 위한 요구 사항입니다. 활성화하는 것이 좋습니다. ",
"guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "보통",
"subcategory": "안전",
"text": "중앙 Log Analytics 작업 영역에 대한 진단 및 감사 로깅 사용"
@ -814,7 +814,7 @@
"category": "안전",
"description": "AVD는 Azure RBAC(역할 기반 액세스 제어)를 사용하여 사용자 및 관리자에게 역할을 할당합니다. 이러한 역할은 관리자에게 특정 작업을 수행할 수 있는 권한을 부여합니다. 업무 분리가 필요한 경우 Windows Virtual Desktop에는 호스트 풀, 앱 그룹 및 작업 영역에 대한 관리 역할을 분리할 수 있는 추가 역할이 있습니다. 이러한 분리를 통해 관리 작업을 보다 세부적으로 제어할 수 있습니다. 이러한 역할은 Azure의 표준 역할 및 최소 권한 방법론에 따라 이름이 지정됩니다.",
"guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
"link": "https://learn.microsoft.com/azure/virtual-desktop/rbac",
"severity": "낮다",
"subcategory": "안전",
"text": "AVD 관리에 사용자 지정 RBAC 역할을 사용하기 위한 요구 사항 평가 "
@ -823,7 +823,7 @@
"category": "안전",
"description": "포괄적인 보안 모범 사례 및 권장 사항 집합이 참조된 문서에 포함되어 있으므로 검토하는 것이 좋습니다. ",
"guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "보통",
"subcategory": "안전",
"text": "AVD 환경에 대한 모든 보안 권장사항 검토"
@ -832,7 +832,7 @@
"category": "모니터링 및 관리",
"description": "Windows 가상 데스크톱용 Azure 모니터는 IT 전문가가 Windows 가상 데스크톱 환경을 이해하는 데 도움이 되는 Azure 모니터 통합 문서를 기반으로 하는 대시보드입니다. Windows 가상 데스크톱 환경을 모니터링하도록 Windows 가상 데스크톱용 Azure 모니터를 설정하는 방법을 알아보려면 참조된 문서를 참조하세요.",
"guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-monitor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-monitor",
"severity": "높다",
"subcategory": "모니터링",
"text": "AVD에 대한 Azure 모니터링 사용"
@ -841,16 +841,16 @@
"category": "모니터링 및 관리",
"description": "Windows Virtual Desktop은 다른 많은 Azure 서비스와 마찬가지로 모니터링 및 경고에 Azure Monitor 및 Log Analytics를 사용합니다. 이를 통해 관리자는 단일 인터페이스를 통해 문제를 식별할 수 있습니다. 이 서비스는 사용자 및 관리 작업 모두에 대한 활동 로그를 만듭니다. 각 활동 로그는 관리, 피드, 연결, 호스트 등록, 오류, 검사점 범주에 속합니다. ",
"guid": "81770afb-c4c0-4e43-a186-58d2857ed671",
"link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"link": "https://learn.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"severity": "보통",
"subcategory": "모니터링",
"text": "작업 영역, 호스트 풀, 애플리케이션 그룹 및 호스트 VM에 대한 진단 설정을 사용하도록 설정하고 Log Analytics 작업 영역으로 리디렉션합니다."
},
{
"category": "모니터링 및 관리",
"description": "참조 된 문서와이 추가 문서를 참조하여 스토리지에 대한 적절한 모니터링 및 경고를 설정하십시오 : https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"description": "참조 된 문서와이 추가 문서를 참조하여 스토리지에 대한 적절한 모니터링 및 경고를 설정하십시오 : https://learn.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"guid": "2463cffe-179c-4599-be0d-5973dd4ce32c",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"severity": "보통",
"subcategory": "모니터링",
"text": "사용량이 많고 제한이 많은 경우 경고할 프로필 저장소에 대한 경고 만들기"
@ -859,7 +859,7 @@
"category": "모니터링 및 관리",
"description": "Azure 서비스 상태를 사용하여 Windows 가상 데스크톱에 대한 서비스 문제 및 상태 권고를 모니터링할 수 있습니다. Azure 서비스 상태는 다양한 유형의 경고(예: 이메일 또는 SMS)로 사용자에게 알리고, 문제의 영향을 이해하는 데 도움을 주고, 문제가 해결되면 계속 업데이트할 수 있습니다.",
"guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"severity": "보통",
"subcategory": "모니터링",
"text": "AVD 경고에 대한 Azure 서비스 상태 구성 "
@ -868,7 +868,7 @@
"category": "모니터링 및 관리",
"description": "크기 조정 도구는 세션 호스트 VM 비용을 최적화하려는 고객에게 저렴한 자동화 옵션을 제공합니다. 크기 조정 도구를 사용하여 사용량이 많은 업무 시간 및 사용량이 적은 업무 시간을 기준으로 VM을 시작 및 중지하도록 예약하고, CPU 코어당 세션 수에 따라 VM을 확장하고, 사용량이 적은 시간 동안 VM을 확장하고, 최소 세션 호스트 VM 수를 실행 상태로 둘 수 있습니다. 개인 호스트 풀 유형에는 아직 사용할 수 없으며 각 호스트 풀에 대해 별도의 설정을 사용하는 것이 좋습니다. ",
"guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"severity": "낮다",
"subcategory": "경영",
"text": "호스트 풀 자동 크기 조정 기능에 대한 요구 사항 평가"
@ -877,7 +877,7 @@
"category": "모니터링 및 관리",
"description": "Azure Advisor는 구성 및 원격 분석을 분석하여 일반적인 문제를 해결하기 위한 개인 설정된 권장 사항을 제공합니다. 이러한 권장 사항을 통해 안정성, 보안, 운영 우수성, 성능 및 비용에 대해 Azure 리소스를 최적화할 수 있습니다.",
"guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-advisor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor",
"severity": "낮다",
"subcategory": "경영",
"text": "AVD에 대한 Azure 어드바이저 권장 사항을 주기적으로 확인"
@ -886,16 +886,16 @@
"category": "모니터링 및 관리",
"description": "골든 이미지에 대한 업데이트를 관리하는 전략(예: 보안 핫픽스 적용 및/또는 이미지 내에 설치된 애플리케이션 업데이트)을 준비합니다. Azure 이미지 빌더 서비스는 VM의 빌드 및 사용자 지정을 자동화하기 위한 제1자 솔루션입니다.ARM 템플릿을 사용하여 새 호스트를 만든 다음 이전 호스트를 해제할 수 있습니다. https://github.com/Azure/RDS-Templates/tree/master/ARM-AVD-templates/AddVirtualMachinesToHostPool 권장되는 방법은 새 풀을 나란히 만들고, 롤백하기 쉽고, 전용 풀에 사용할 수 없으며, ARM 템플릿을 사용하여 VM 수를 다시 배포하고 늘리는 것도 실행 가능한 옵션입니다. 고객은 기존 소프트웨어 배포 방법을 사용하여 SCCM 또는 이와 유사한 검사를 위해 다시 배포하지 않고 이미지를 업데이트할 수도 있습니다.",
"guid": "d7b68d0c-7555-462f-8b3e-4563b4d874a7",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "보통",
"subcategory": "경영",
"text": "골든 이미지 업데이트 관리 전략 계획"
},
{
"category": "모니터링 및 관리",
"description": "고객은 몇 가지 옵션을 가질 수 있습니다 : - 마이크로 소프트 엔드 포인트 구성 관리자,이 문서에서는 Windows 10 엔터프라이즈 멀티 세션을 실행하는 Windows 가상 데스크톱 호스트에 업데이트를 자동으로 적용 하도록 Microsoft 엔드 포인트 구성 관리자를 구성 하는 방법을 설명 합니다 : https://docs.microsoft.com/azure/virtual-desktop/configure-automatic-updates - 마이크로 소프트 인튠 : https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- 윈도우 서버 업데이트 서비스 (WSUS) - OS를 지원하는 제3자.- Azure 업데이트 관리(Azure 자동화), 현재 클라이언트 OS에서 지원되지 않음: https://docs.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt 패치 전략에서 벗어나 가능한 경우 이미지로 다시 설치하는 전략으로 이동하는 것이 좋습니다. ",
"description": "고객은 몇 가지 옵션을 가질 수 있습니다 : - 마이크로 소프트 엔드 포인트 구성 관리자,이 문서에서는 Windows 10 엔터프라이즈 멀티 세션을 실행하는 Windows 가상 데스크톱 호스트에 업데이트를 자동으로 적용 하도록 Microsoft 엔드 포인트 구성 관리자를 구성 하는 방법을 설명 합니다 : https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates - 마이크로 소프트 인튠 : https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- 윈도우 서버 업데이트 서비스 (WSUS) - OS를 지원하는 제3자.- Azure 업데이트 관리(Azure 자동화), 현재 클라이언트 OS에서 지원되지 않음: https://learn.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt 패치 전략에서 벗어나 가능한 경우 이미지로 다시 설치하는 전략으로 이동하는 것이 좋습니다. ",
"guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "보통",
"subcategory": "경영",
"text": "세션 호스트 패치 및 업데이트 전략 계획"
@ -904,7 +904,7 @@
"category": "모니터링 및 관리",
"description": "호스트 풀은 Windows 가상 데스크톱 환경 내에서 하나 이상의 동일한 가상 컴퓨터의 모음입니다. 서비스 업데이트가 먼저 적용되는 유효성 검사 호스트 풀을 만드는 것이 좋습니다. 이렇게 하면 서비스가 표준 또는 비유효성 검사 환경에 적용하기 전에 서비스 업데이트를 모니터링할 수 있습니다.",
"guid": "d1e8c38e-c936-4667-913c-005674b1e944",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"severity": "낮다",
"subcategory": "경영",
"text": "AVD 테스트 카나리아 환경에 대한 요구 사항 평가"
@ -922,7 +922,7 @@
"category": "모니터링 및 관리",
"description": "Windows 가상 데스크톱 서비스 내의 호스트 풀에 VM을 등록한 후 에이전트는 VM이 활성 상태일 때마다 VM의 토큰을 정기적으로 새로 고칩니다. 등록 토큰에 대한 인증서는 90일 동안 유효합니다. 이 90일 제한으로 인해 머신이 토큰을 새로 고치고 에이전트 및 병렬 스택 구성 요소를 업데이트할 수 있도록 VM을 90일마다 20분 동안 온라인 상태로 유지하는 것이 좋습니다.",
"guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "보통",
"subcategory": "경영",
"text": "토큰 새로 고침을 위해 90일마다 정기적으로 VM 켜기"
@ -940,7 +940,7 @@
"category": "BC/DR",
"description": "활성-활성' 모델은 서로 다른 지역의 여러 호스트 풀을 사용하여 달성할 수 있습니다. 다른 지역의 VM이 있는 단일 호스트 풀은 권장되지 않습니다. 동일한 사용자에 대해 여러 풀을 사용하는 경우 사용자 프로필을 동기화/복제하는 방법의 문제를 해결해야 합니다. FSLogix 클라우드 캐시를 사용할 수 있지만 신중하게 검토하고 계획해야 하거나 고객이 동기화/복제를 전혀 사용하지 않도록 결정할 수 있습니다. '활성-수동'은 ASR(Azure 사이트 복구) 또는 자동화된 메커니즘이 있는 주문형 풀 배포를 사용하여 수행할 수 있습니다.",
"guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "보통",
"subcategory": "계산",
"text": "AVD 호스트 풀에 대한 지역 재해 복구 지역 평가"
@ -949,7 +949,7 @@
"category": "BC/DR",
"description": "Windows 가상 데스크톱 BCDR 계획 및 디자인에 접근하기 전에 AVD를 통해 사용되는 응용 프로그램이 중요한지 처음에 고려하는 것이 중요합니다. 중요하지 않은 앱과 분리하고 다른 재해 복구 방법 및 기능을 가진 별도의 호스트 풀을 사용할 수 있습니다.",
"guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "보통",
"subcategory": "계산",
"text": "서로 다른 AVD 호스트 풀에서 중요한 애플리케이션 분리"
@ -958,7 +958,7 @@
"category": "BC/DR",
"description": "? 호스트 풀 VM(가용성 집합 및 가용성 영역)에 대해 적절한 복원력 수준을 선택했습니까? AS 또는 AZ와 함께 제공되는 HA SLA 및 확장성 제한에 대한 영향을 알고 있습니까? ? 현재 가용성 집합 없이 Windows 가상 데스크톱 ARM 템플릿 배포당 399개의 VM 또는 가용성 집합당 200개의 VM을 배포할 수 있습니다. ARM 템플릿 또는 Azure Portal 호스트 풀 등록에서 가용성 집합을 해제하여 배포당 VM 수를 늘릴 수 있습니다. 이제 AZ를 배포할 수 있으며, 현재 한 번에 하나의 AZ를 원하는 각 AZ에 VM의 일부를 수동으로 생성해야 합니다. ",
"guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "높다",
"subcategory": "계산",
"text": "AVD 호스트 풀 배포를 위한 최상의 복원력 옵션 계획"
@ -967,7 +967,7 @@
"category": "BC/DR",
"description": "Azure Backup은 호스트 풀 VM을 보호하는 데도 사용할 수 있으며, 호스트 풀 VM이 상태 비저장이어야 하는 경우에도 이 방법이 지원됩니다. 이 옵션은 개인 호스트 풀에 대해 고려할 수 있습니다. ",
"guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "보통",
"subcategory": "계산",
"text": "AVD 세션 호스트 백업 요구 사항 평가"
@ -976,7 +976,7 @@
"category": "BC/DR",
"description": "FSLogix 사용자 프로필 내의 모든 데이터가 재해로부터 보호받을 수 있는 것은 아닙니다. 또한 OneDrive 또는 파일 서버/공유와 같은 외부 저장소를 사용하는 경우 FSLogix 프로필에 남아 있는 항목이 최소화되며 일부 극단적인 상황에서 손실될 수 있습니다. 다른 경우에는 프로필 내의 데이터를 다른 저장소(예: 캐시 모드의 Outlook 받은 편지함)에서 다시 작성할 수 있습니다. ",
"guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt",
"severity": "보통",
"subcategory": "보관",
"text": "프로필 및 Office 컨테이너 내에서 보호해야 하는 데이터 평가"
@ -985,7 +985,7 @@
"category": "BC/DR",
"description": "중요한 사용자 데이터의 데이터 손실을 방지하는 것이 중요하며, 첫 번째 단계는 저장하고 보호해야 하는 데이터를 평가하는 것입니다. OneDrive 또는 기타 외부 저장소를 사용하는 경우 사용자 프로필 및/또는 Office 컨테이너 데이터를 저장할 필요가 없을 수 있습니다. 중요한 사용자 데이터를 보호하기 위해 적절한 메커니즘을 고려해야 합니다. Azure 백업 서비스는 Azure 파일 표준 및 프리미엄 계층에 저장될 때 프로필 및 Office 컨테이너 데이터를 보호하는 데 사용할 수 있습니다. Azure NetApp Files 스냅샷 및 정책은 Azure NetApp Files(모든 계층)에 사용할 수 있습니다.",
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "보통",
"subcategory": "보관",
"text": "프로필 및 Office 컨테이너에 대한 백업 보호 전략 구축"
@ -994,16 +994,16 @@
"category": "BC/DR",
"description": "AVD에서는 FSLogix 컨테이너에 있는 사용자 데이터에 대해 여러 복제 메커니즘과 전략을 사용할 수 있습니다. 프로필 패턴 #1: 네이티브 Azure 저장소 복제 메커니즘(예: Azure 파일 표준 GRS 복제, Azure NetApp 파일 지역 간 복제 또는 VM 기반 파일 서버에 대한 Azure 파일 동기화)? Azure Files에 ZRS(영역 복제 스토리지) 또는 GRS(지역 복제 스토리지)를 사용하는 것이 좋습니다.? 영역/지역 보호가 필요하지 않은 경우 로컬 전용 복원력이 있는 LRS를 사용할 수 있습니다. 참고: Azure 파일 공유 표준은 LRS/ZRS/GRS이지만 100TB 대규모 지원을 사용하도록 설정하면 LRS/ZRS만 지원됩니다. ? 프로필 패턴 #2: FSLogix 클라우드 캐시는 서로 다른(최대 4개) 스토리지 계정 간에 컨테이너를 복제하는 자동 메커니즘으로 빌드됩니다. 클라우드 캐시는 다음과 같은 경우에만 사용해야 합니다. 사용자 프로필 또는 Office 컨테이너 데이터 가용성 필요 고가용성 SLA는 중요하며 지역 오류에 탄력적이어야 합니다. 선택한 스토리지 옵션은 BCDR 요구 사항을 충족할 수 없습니다. 예를 들어 Azure 파일 공유 프리미엄 계층 또는 대용량 파일 지원이 있는 Azure 파일 공유 표준을 사용하도록 설정하면 GRS를 사용할 수 없습니다. 서로 다른 스토리지 간의 복제가 필요한 경우.? 프로필 패턴 #3: 사용자 데이터/프로필 컨테이너가 아닌 응용 프로그램 데이터에 대해서만 지역 재해 복구 설정: 중요한 응용 프로그램 데이터를 OneDrive 또는 자체 DR 메커니즘이 내장된 기타 외부 저장소와 같은 별도의 저장소에 저장합니다.",
"guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "보통",
"subcategory": "보관",
"text": "프로필 컨테이너 스토리지 복제 요구 사항 및 BCDR 용도의 복원력 평가"
},
{
"category": "BC/DR",
"description": "지리적 재해 복구: Azure NetApp Files는 기본적으로 LRS(로컬로 복제된 스토리지)이므로 지역 간 복제를 원하는 경우 더 많은 것을 설계해야 합니다. 현재 교차 지역에 대한 권장 사항은 다른 Azure 지역(및 NetApp 볼륨)으로 복제하는 NetApp Cloud Sync입니다. 백업: 백업은 스냅샷에 의해 처리되지만 자동이 아니므로 정책을 사용하여 예약해야 합니다. https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. 볼륨당 스냅샷의 최대 제한(255)은 여기에 설명된 대로 https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits 입니다.",
"description": "지리적 재해 복구: Azure NetApp Files는 기본적으로 LRS(로컬로 복제된 스토리지)이므로 지역 간 복제를 원하는 경우 더 많은 것을 설계해야 합니다. 현재 교차 지역에 대한 권장 사항은 다른 Azure 지역(및 NetApp 볼륨)으로 복제하는 NetApp Cloud Sync입니다. 백업: 백업은 스냅샷에 의해 처리되지만 자동이 아니므로 정책을 사용하여 예약해야 합니다. https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. 볼륨당 스냅샷의 최대 제한(255)은 여기에 설명된 대로 https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits 입니다.",
"guid": "23429db7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"severity": "보통",
"subcategory": "보관",
"text": "Azure NetApp Files DR 전략 검토"
@ -1012,7 +1012,7 @@
"category": "BC/DR",
"description": "지역 재해 복구: Azure Files용 GRS는 표준 SKU에서만 사용할 수 있으며 대규모 공유 지원은 없으므로 대부분의 고객 시나리오에 적합하지 않습니다. 지역에서 복제가 필요한 경우 Azure 파일 공유 프리미엄을 사용하는 경우 FSLogix 클라우드 캐시를 사용한 복제를 평가하거나 '지역 내' AZ(가용성 영역) 전용 복원력을 고려해야 합니다. 백업: Azure 백업은 Azure 파일 공유 모든 SKU를 완벽하게 지원하며 프로필 컨테이너를 보호하는 데 권장되는 솔루션입니다. OneDrive 또는 기타 외부 저장소를 사용하는 경우 사용자 프로필 및/또는 Office 컨테이너 데이터를 저장할 필요가 없을 수 있습니다.",
"guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
"link": "https://docs.microsoft.com/azure/backup/backup-afs",
"link": "https://learn.microsoft.com/azure/backup/backup-afs",
"severity": "보통",
"subcategory": "보관",
"text": "Azure 파일 DR 전략 검토"
@ -1021,7 +1021,7 @@
"category": "BC/DR",
"description": "사용자 지정 이미지를 사용하여 AVD 호스트 풀 VM을 배포하는 경우 중대한 재해가 발생하더라도 모든 지역에서 해당 아티팩트를 사용할 수 있도록 하는 것이 중요합니다. Azure Compute 갤러리 서비스를 사용하여 호스트 풀이 배포된 모든 지역에서 중복 스토리지 및 여러 복사본으로 이미지를 복제할 수 있습니다.",
"guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"severity": "낮다",
"subcategory": "종속성",
"text": "골든 이미지 지역 간 가용성 계획"
@ -1030,7 +1030,7 @@
"category": "BC/DR",
"description": "AVD 인프라 사용자에게 온-프레미스 리소스 액세스가 필요한 경우 연결에 필요한 네트워크 인프라의 고가용성도 중요하므로 고려해야 합니다. 인증 인프라의 복원력을 평가하고 평가해야 합니다. 종속 애플리케이션 및 기타 리소스에 대한 BCDR 측면을 고려하여 보조 DR 위치에서 가용성을 보장해야 합니다.",
"guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "보통",
"subcategory": "종속성",
"text": "Assessment Infrastructure & Application Dependencies "

226
checklists/avd_checklist.pt.json
Просмотреть файл

@ -40,7 +40,7 @@
"category": "Fundação",
"description": "Se necessário para se conectar ao ambiente local, avalie a opção de conectividade atual ou planeje a conectividade necessária. ",
"guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "Média",
"subcategory": "Geral",
"text": "Determinar se a conectividade híbrida é necessária para se conectar ao ambiente local"
@ -58,7 +58,7 @@
"category": "Fundação",
"description": "O AVD armazena metadados apenas para executar o serviço em localizações geográficas específicas, determinar o que está disponível hoje e se for adequado com base nos requisitos do cliente. ",
"guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
"link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
"link": "https://learn.microsoft.com/azure/virtual-desktop/data-locations",
"severity": "Média",
"subcategory": "Geral",
"text": "Determinar o local dos metadados do serviço AVD"
@ -67,7 +67,7 @@
"category": "Fundação",
"description": "Verifique se há SKUs de VM específicas, especialmente se você precisar de SKUs de GPU ou de alta especificação e, eventualmente, disponibilidade do Azure NetApp Files, se usado. ",
"guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
"severity": "Baixo",
"subcategory": "Geral",
"text": "Verificar as cotas e a disponibilidade do Azure para tamanhos específicos de VM nas regiões selecionadas"
@ -76,7 +76,7 @@
"category": "Fundação",
"description": "Consulte a seção BCDR para obter mais detalhes.",
"guid": "be1f38ce-f398-412b-b463-cbbac89c199d",
"link": "https://docs.microsoft.com/azure/availability-zones/az-region",
"link": "https://learn.microsoft.com/azure/availability-zones/az-region",
"severity": "Média",
"subcategory": "Geral",
"text": "Verificar a disponibilidade da zona de disponibilidade (AZ) na região selecionada"
@ -85,7 +85,7 @@
"category": "Fundação",
"description": "Para um planejamento e implantação adequados, é importante avaliar o número máximo de usuários e a média de sessões simultâneas. ",
"guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "Média",
"subcategory": "Clientes & Usuários",
"text": "Avalie quantos usuários se conectarão ao AVD e de quais regiões"
@ -94,7 +94,7 @@
"category": "Fundação",
"description": "Mutiple Host Pools talvez necessário para suportar diferentes conjuntos de usuários, recomenda-se estimar quantos serão necessários. ",
"guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "Média",
"subcategory": "Clientes & Usuários",
"text": "Determine se todos os usuários terão o mesmo conjunto de aplicativos e/ou diferentes configurações do Pool de Hosts e/ou imagens do sistema operacional"
@ -103,7 +103,7 @@
"category": "Fundação",
"description": "As dependências de recursos externos ao pool AVD devem ser avaliadas e revisadas, por exemplo, Active Directory, compartilhamentos de arquivos externos ou outro armazenamento, serviços e recursos locais, componentes de infraestrutura de rede como VPN e ou Rota Expressa, serviços externos e componentes de terceiros. Para todos esses recursos, a latência do Pool de Hosts AVD precisa ser avaliada e a conectividade considerada. Além disso, as considerações de BCDR também precisam ser aplicadas a essas dependências.",
"guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Baixo",
"subcategory": "Clientes & Usuários",
"text": "Avaliar dependências externas para cada Pool de Hosts"
@ -112,7 +112,7 @@
"category": "Fundação",
"description": "Revise as limitações de cada cliente e compare várias opções quando possível.",
"guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"link": "https://learn.microsoft.com/azure/virtual-desktop/connect-windows-7-10",
"severity": "Média",
"subcategory": "Clientes & Usuários",
"text": "Revise o sistema operacional do cliente usado e o tipo de cliente AVD"
@ -139,7 +139,7 @@
"category": "Fundação",
"description": "Determine se os usuários receberão áreas de trabalho completas e/ou Grupos de Aplicativos Remotos. ",
"guid": "13c00567-4b1e-4945-a459-837ee7ad6c6d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "Baixo",
"subcategory": "Clientes & Usuários",
"text": "Determine se os usuários acessarão o AVD usando desktops completos e/ou aplicativos remotos "
@ -148,7 +148,7 @@
"category": "Fundação",
"description": "No momento, as configurações de RDP só podem ser definidas no nível do pool de hosts, não por usuário/grupo.",
"guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
"link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"link": "https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
"severity": "Baixo",
"subcategory": "Clientes & Usuários",
"text": "Todos os usuários terão as mesmas configurações de RDP? "
@ -157,7 +157,7 @@
"category": "Fundação",
"description": "O Shortpath RDP para redes gerenciadas é um recurso da Área de Trabalho Virtual do Azure que estabelece um transporte direto baseado em UDP entre o Cliente de Área de Trabalho Remota e o host da Sessão. A remoção do relé extra reduz o tempo de ida e volta, o que melhora a experiência do usuário com aplicativos sensíveis à latência e métodos de entrada. Para dar suporte ao RDP Shortpath, o cliente da Área de Trabalho Virtual do Azure precisa de uma linha de visão direta para o host da sessão e deve estar executando o Windows 10 ou o Windows 7 e ter o cliente da Área de Trabalho do Windows instalado.",
"guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4",
"link": "https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"link": "https://learn.microsoft.com/en-us/azure/virtual-desktop/shortpath",
"severity": "Média",
"subcategory": "Clientes & Usuários",
"text": "Avaliar o RDP ShortPath para clientes que se conectam a partir de redes internas gerenciadas"
@ -166,7 +166,7 @@
"category": "Fundação",
"description": "Compartilhado/Agrupado ou Dedicado/Pessoal",
"guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Alto",
"subcategory": "Planejamento de capacidade",
"text": "Determinar o tipo de Pool de Hosts a ser usado"
@ -175,7 +175,7 @@
"category": "Fundação",
"description": "Confirme se a diferença entre atribuição automática e direta é bem compreendida e que a opção selecionada é apropriada para o cenário em questão.",
"guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
"severity": "Média",
"subcategory": "Planejamento de capacidade",
"text": "Para o tipo de Pool de Hosts Pessoais, decida sobre o tipo de atribuição"
@ -184,16 +184,16 @@
"category": "Fundação",
"description": "Verifique qual deles usar e as opções disponíveis, esteja ciente de que, se o dimensionamento automático for usado, ele o definirá como amplitude primeiro. ",
"guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
"link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"link": "https://learn.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
"severity": "Média",
"subcategory": "Planejamento de capacidade",
"text": "Para o tipo Pool de Hosts em Pool, decida sobre o método de balanceamento de carga"
},
{
"category": "Fundação",
"description": "Com base em seus critérios de seleção, quantos Pools de Hosts você precisaria? Você deve considerar ter vários se:? Várias imagens do sistema operacional? Várias regiões? Diferente HW necessário? Tipo diferente de Pool de Hosts (compartilhado versus pessoal)? Diferentes requisitos de usuário e SLA (Principais usuários, Executivos, Office Worker vs. Desenvolvedores, etc.)? Diferentes configurações de RDP (aplicadas no nível do Pool de Hosts), consulte https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties? Número necessário de VMs no pool de hosts que excede os recursos máximos",
"description": "Com base em seus critérios de seleção, quantos Pools de Hosts você precisaria? Você deve considerar ter vários se:? Várias imagens do sistema operacional? Várias regiões? Diferente HW necessário? Tipo diferente de Pool de Hosts (compartilhado versus pessoal)? Diferentes requisitos de usuário e SLA (Principais usuários, Executivos, Office Worker vs. Desenvolvedores, etc.)? Diferentes configurações de RDP (aplicadas no nível do Pool de Hosts), consulte https://learn.microsoft.com/azure/virtual-desktop/customize-rdp-properties? Número necessário de VMs no pool de hosts que excede os recursos máximos",
"guid": "c7c791dc-a1f6-4d56-999e-558b937d4985",
"link": "https://docs.microsoft.com/azure/virtual-desktop/environment-setup",
"link": "https://learn.microsoft.com/azure/virtual-desktop/environment-setup",
"severity": "Alto",
"subcategory": "Planejamento de capacidade",
"text": "Estimar o número de pools de hosts diferentes a serem implantados "
@ -202,7 +202,7 @@
"category": "Fundação",
"description": "Use o link fornecido para definir um ponto de partida para a decisão de SKU e, em seguida, valide usando um teste de desempenho. Certifique-se de que um mínimo de 4 núcleos para Produção seja selecionado por Host da Sessão (várias sessões)",
"guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
"severity": "Média",
"subcategory": "Planejamento de capacidade",
"text": "Execute o teste de desempenho da carga de trabalho para determinar a melhor SKU e o tamanho da VM do Azure a serem usados (determine o número de hosts por pool)"
@ -211,7 +211,7 @@
"category": "Fundação",
"description": "É fundamental verificar a capacidade e os limites da AVD relatados no artigo referenciado. ",
"guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop",
"severity": "Alto",
"subcategory": "Planejamento de capacidade",
"text": "Verificar os limites de escalabilidade do AVD para o ambiente"
@ -220,7 +220,7 @@
"category": "Fundação",
"description": "Pools de hosts com GPU exigem configuração especial, por favor, certifique-se de rever o artigo referenciado. ",
"guid": "c936667e-13c0-4056-94b1-e945a459837e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"link": "https://learn.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
"severity": "Média",
"subcategory": "Planejamento de capacidade",
"text": "Determine se os hosts de sessão exigirão GPU"
@ -229,7 +229,7 @@
"category": "Fundação",
"description": "Sempre que possível, recomenda-se aproveitar as SKUs de VM com o recurso de Rede Acelerada. Hoje pnly Windows Server OS são suportados (veja a lista no artigo), no futuro Windows Client OS também pode incluído. ",
"guid": "b47a393a-0803-4272-a479-8b1578b219a4",
"link": "https://docs.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"link": "https://learn.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell",
"severity": "Baixo",
"subcategory": "Planejamento de capacidade",
"text": "Recomendado o uso de SKUs de VM capazes de aproveitar o recurso de Rede Acelerada no Azure."
@ -238,7 +238,7 @@
"category": "Identidade",
"description": "Uma assinatura do Azure deve ser parente para o mesmo locatário do Azure AD, que contém uma rede virtual que contém ou está conectada ao Active Directory do Windows Server ou à instância do Azure AD DS.",
"guid": "6ceb5443-5125-4922-9442-93bb628537a5",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Alto",
"subcategory": "Requisitos",
"text": "Um locatário do Active Directory do Azure deve estar disponível com pelo menos uma assinatura vinculada"
@ -247,7 +247,7 @@
"category": "Identidade",
"description": "Você pode configurar isso usando o Azure AD Connect (para organizações híbridas) ou os Serviços de Domínio do Azure AD (para organizações híbridas ou de nuvem).",
"guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Alto",
"subcategory": "Requisitos",
"text": "Uma floresta/domínio do Active Directory do Windows Server está sincronizado com o Active Directory do Azure"
@ -256,7 +256,7 @@
"category": "Identidade",
"description": "(1) O usuário deve ser originado do mesmo Active Directory que está conectado ao Azure AD. A Área de Trabalho Virtual do Windows não oferece suporte a contas B2B ou MSA. (2) O UPN que você usa para assinar a Área de Trabalho Virtual do Windows deve existir no domínio do Active Directory ao qual a VM está associada.",
"guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Média",
"subcategory": "Requisitos",
"text": "Verificar os requisitos da Conta de Usuário para se conectar à Área de Trabalho Virtual do Windows"
@ -265,7 +265,7 @@
"category": "Identidade",
"description": "As VMs devem ser ingressadas no domínio Padrão ou Híbridas associadas ao AD. As máquinas virtuais não podem ser associadas ao Azure AD.",
"guid": "ea962a15-9394-46da-a7cc-3923266b2258",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Média",
"subcategory": "Requisitos",
"text": "Verifique os requisitos de VM para hosts de sessão AVD que serão criados"
@ -274,7 +274,7 @@
"category": "Identidade",
"description": "Comparar os Serviços de Domínio Active Directory autogerenciados, o Active Directory do Azure e os Serviços de Domínio do Active Directory gerenciados",
"guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b",
"link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"link": "https://learn.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions",
"severity": "Baixo",
"subcategory": "Requisitos",
"text": "Antes de usar os Serviços de Domínio Active Directory do Azure (AAD-DS) para AVD, verifique as limitações. "
@ -283,7 +283,7 @@
"category": "Identidade",
"description": "Os DCs do AD no Azure são recomendados para reduzir a latência para usuários que fazem logon em hosts de sessão do AVD e, eventualmente, para Arquivos NetApp do Azure e integração com o AD. O ADC precisa ser capaz de falar com DCs para TODOS os domínios filho. Como alternativa, a conectividade local deve ser usada para alcançar os DCs do AD. ",
"guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
"link": "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain",
"severity": "Média",
"subcategory": "Diretório ativo",
"text": "Criar pelo menos dois controladores de domínio (DCs) do Active Directory no ambiente VNET do Azure próximo ao Pool de Hosts AVD"
@ -292,7 +292,7 @@
"category": "Identidade",
"description": "Recomendado para criar uma UO separada por Pool de Hosts em uma hierarquia de UO separada. Essas UOs conterão contas de máquina de hosts de sessão AVD. ",
"guid": "6db55f57-9603-4334-adf9-cc23418db612",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Baixo",
"subcategory": "Diretório ativo",
"text": "Criar uma UO específica no Active Directory para cada Pool de Hosts"
@ -301,7 +301,7 @@
"category": "Identidade",
"description": "Revise cuidadosamente e, eventualmente, bloqueie/filtre a herança de GPOs para as UOs que contêm Pools de Host AVD. ",
"guid": "7126504b-b47a-4393-a080-327294798b15",
"link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"link": "https://learn.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
"severity": "Média",
"subcategory": "Diretório ativo",
"text": "Revise o GPO de domínio que será aplicado à UO e afetará as funcionalidades da VM do Pool de Hosts"
@ -310,7 +310,7 @@
"category": "Identidade",
"description": "Recomendado ter uma conta dedicada específica com permissões específicas e sem a limitação padrão de 10 ingressos. ",
"guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Média",
"subcategory": "Diretório ativo",
"text": "Criar uma conta de usuário dedicada com apenas permissões para ingressar a VM no domínio"
@ -319,7 +319,7 @@
"category": "Identidade",
"description": "Evite conceder acesso por usuário, em vez disso, use grupos do AD e replique-os usando o ADC no Azure AD. ",
"guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
"link": "https://learn.microsoft.com/azure/virtual-desktop/manage-app-groups",
"severity": "Média",
"subcategory": "Diretório ativo",
"text": "Criar um grupo de usuários de domínio para cada conjunto de usuários que receberão acesso a cada Grupo de Aplicativos de Pool de Hosts (DAG ou RAG)"
@ -328,7 +328,7 @@
"category": "Identidade",
"description": "Como parte do procedimento para integrar o Compartilhamento de Arquivos do Azure e o autenticaton do Active Directory, uma conta do AD para representar a conta de armazenamento (compartilhamento de arquivos) será criada. Você pode optar por se registrar como uma conta de computador ou conta de logon de serviço, consulte Perguntas frequentes para obter detalhes. Para contas de computador, há uma idade de expiração de senha padrão definida no AD em 30 dias. Da mesma forma, a conta de logon de serviço pode ter uma idade de expiração de senha padrão definida no domínio do AD ou na Unidade Organizacional (UO). Para ambos os tipos de conta, recomendamos que você verifique a idade de expiração da senha configurada em seu ambiente do AD e planeje atualizar a senha da identidade da conta de armazenamento da conta do AD antes da idade máxima da senha. Você pode considerar a criação de uma nova Unidade Organizacional (UO) do AD no AD e desabilitar a diretiva de expiração de senha em contas de computador ou contas de logon de serviço de acordo.",
"guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
"severity": "Baixo",
"subcategory": "Diretório ativo",
"text": "Revisar a política de expiração de senha da sua organização para contas usadas pela integração do AD do Azure Files"
@ -337,7 +337,7 @@
"category": "Rede",
"description": "Que tipo de conectividade híbrida? Rota Expressa, VPN, NVA?",
"guid": "c8639648-a652-4d6c-85e5-02965388e5de",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "Média",
"subcategory": "Rede",
"text": "Revisar a arquitetura de conectividade híbrida para ambiente local"
@ -346,7 +346,7 @@
"category": "Rede",
"description": "Avalie os requisitos de largura de banda, garanta que a largura de banda VPN/ER seja suficiente e a latência tolerável. ",
"guid": "d227dd14-2b06-4c21-a799-9a646f4389a7",
"link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/",
"severity": "Média",
"subcategory": "Rede",
"text": "Avaliar quais recursos os usuários precisarão acessar dos Pools de Host do AVD para o local"
@ -355,7 +355,7 @@
"category": "Rede",
"description": "Revise ou recomende um novo onde colocar os Pools de Host AVD com base no CAF (vWAN vs. Hub & Spoke)",
"guid": "f42c78e7-8c06-4a63-a21a-4956e6a8dc4a",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/networking-options",
"severity": "Alto",
"subcategory": "Rede",
"text": "Revise a topologia de rede da zona de aterrissagem para o serviço AVD"
@ -364,14 +364,14 @@
"category": "Rede",
"description": "Verifique se cada sub-rede terá espaço suficiente para dimensionar o Pool de Hosts AVD. Para pools de hosts diferentes, é recomendável usar sub-redes separadas, se possível. ",
"guid": "20e27b3e-2971-41b1-952b-eee079b588de",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Média",
"subcategory": "Rede",
"text": "Avaliar o posicionamento da VNET e da sub-rede para vários pools de hosts"
},
{
"category": "Rede",
"description": "Várias opções estão disponíveis. Você pode usar o Firewall do Azure ou o Firewall NVA, o NSG e/ou o Proxy. O NSG não é capaz de ativar/desabilitar por URL, apenas portas e protocolos. O proxy deve ser usado apenas como configuração explícita no navegador do usuário. Os detalhes sobre como usar o Firewall Premium do Azure com AVD estão aqui no https://aka.ms/AVDfirewall e aqui https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop. Certifique-se de revisar a lista completa de requisitos para acesso a URLs AVD.",
"description": "Várias opções estão disponíveis. Você pode usar o Firewall do Azure ou o Firewall NVA, o NSG e/ou o Proxy. O NSG não é capaz de ativar/desabilitar por URL, apenas portas e protocolos. O proxy deve ser usado apenas como configuração explícita no navegador do usuário. Os detalhes sobre como usar o Firewall Premium do Azure com AVD estão aqui no https://aka.ms/AVDfirewall e aqui https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop. Certifique-se de revisar a lista completa de requisitos para acesso a URLs AVD.",
"guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d",
"link": "https://aka.ms/AVDfirewall",
"severity": "Média",
@ -389,18 +389,18 @@
},
{
"category": "Rede",
"description": "A UDR personalizada pode ser aplicada à sub-rede do Pool de Hosts AVD, por exemplo, para redirecionar para o Firewall do Azure ou NVA. Neste caso, recomenda-se uma revisão cuidadosa para garantir que o caminho ideal para o tráfego de saída para o plano de controle AVD seja usado. As etiquetas de serviço agora podem ser usadas com UDR e, em seguida, o tráfego do avião de gerenciamento AVD pode ser facilmente colocado na lista de permissões. https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"description": "A UDR personalizada pode ser aplicada à sub-rede do Pool de Hosts AVD, por exemplo, para redirecionar para o Firewall do Azure ou NVA. Neste caso, recomenda-se uma revisão cuidadosa para garantir que o caminho ideal para o tráfego de saída para o plano de controle AVD seja usado. As etiquetas de serviço agora podem ser usadas com UDR e, em seguida, o tráfego do avião de gerenciamento AVD pode ser facilmente colocado na lista de permissões. https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop#host-pool-outbound-access-to-windows-virtual-desktop ",
"guid": "523181a9-4174-4158-93ff-7ae7c6d37431",
"link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"link": "https://learn.microsoft.com/azure/firewall/protect-windows-virtual-desktop",
"severity": "Baixo",
"subcategory": "Rede",
"text": "Revise UDR para a sub-rede do Pool de Hosts AVD"
},
{
"category": "Rede",
"description": "As URLs necessárias para o acesso ao plano de controle AVD por hosts de sessão estão documentadas aqui: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. Uma ferramenta de verificação está disponível para verificar a conectividade dos hosts de sessão: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"description": "As URLs necessárias para o acesso ao plano de controle AVD por hosts de sessão estão documentadas aqui: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list. Uma ferramenta de verificação está disponível para verificar a conectividade dos hosts de sessão: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool.",
"guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d",
"link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list",
"link": "https://learn.microsoft.com/azure/virtual-desktop/safe-url-list",
"severity": "Alto",
"subcategory": "Rede",
"text": "Garantir que os endpoints do plano de controle AVD estejam acessíveis"
@ -409,7 +409,7 @@
"category": "Rede",
"description": "Recomenda-se avaliar e revisar os requisitos de largura de banda de rede para os usuários, com base no tipo de carga de trabalho específico. O artigo referenciado fornece estimativas e recomendações gerais, mas medidas específicas são necessárias para o dimensionamento adequado. ",
"guid": "516785c6-fa96-4c96-ad88-408f372734c8",
"link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/network-guidance",
"severity": "Baixo",
"subcategory": "Rede",
"text": "Verifique a largura de banda de rede necessária para cada usuário e, no total, para a SKU da VM"
@ -418,7 +418,7 @@
"category": "Calcular",
"description": "Depois de selecionada a SKU da VM que será usada para a implantação do Pool de Hosts, recomenda-se usar o tipo Gen2 da SKU para maior segurança e recursos aprimorados.",
"guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
"link": "https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2",
"link": "https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2",
"severity": "Média",
"subcategory": "Host da Sessão",
"text": "Avaliar o uso da VM Gen2 para implantação do Pool de Hosts"
@ -427,7 +427,7 @@
"category": "Calcular",
"description": "Os aplicativos podem ser pré-instalados na(s) imagem(ns) dourada(s), podem ser anexados usando o recurso MSIX & AppAttach ou distribuindo para hosts após a implantação do pool usando métodos tradicionais de distribuição de SW.",
"guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "Alto",
"subcategory": "Imagem/s dourada(s)",
"text": "Determinar como os aplicativos serão implantados nos pools de hosts do AVD"
@ -436,7 +436,7 @@
"category": "Calcular",
"description": "Eles usarão mascaramento de aplicativos fslogix, que se prestariam a uma única imagem, ou várias imagens com diferentes aplicativos embutidos: o que é necessário mais de uma imagem para ser usada?",
"guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
"severity": "Média",
"subcategory": "Imagem/s dourada(s)",
"text": "Estimar o número de imagens douradas que serão necessárias"
@ -445,7 +445,7 @@
"category": "Calcular",
"description": "Determine qual sistema operacional convidado será usado para implantar cada Pool de Hosts: Windows 10 versus Windows Server, Marketplace versus Imagens personalizadas",
"guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
"link": "https://docs.microsoft.com/azure/virtual-desktop/overview",
"link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
"severity": "Média",
"subcategory": "Imagem/s dourada(s)",
"text": "Determine qual(is) imagem(ns) do sistema operacional você usará para a implantação do Pool de Hosts"
@ -454,7 +454,7 @@
"category": "Calcular",
"description": "Se não houver nada, considere usar o Construtor de Imagens do Azure para automatizar o processo de compilação. ",
"guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
"link": "https://docs.microsoft.com/azure/virtual-machines/image-builder-overview",
"link": "https://learn.microsoft.com/azure/virtual-machines/image-builder-overview",
"severity": "Baixo",
"subcategory": "Imagem/s dourada(s)",
"text": "Se uma imagem personalizada for usada, determine se há um processo de compilação automatizado?"
@ -463,7 +463,7 @@
"category": "Calcular",
"description": "Avalie a Galeria de Computação do Azure.",
"guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-image-galleries",
"severity": "Baixo",
"subcategory": "Imagem/s dourada(s)",
"text": "Se uma imagem personalizada for usada, existe um plano para organizar e gerenciar o ciclo de vida de suas imagens?"
@ -472,14 +472,14 @@
"category": "Calcular",
"description": "Existem algumas práticas recomendadas conhecidas e recomendações para a personalização da imagem dourada, certifique-se de verificar o artigo referenciado. ",
"guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-customize-master-image",
"severity": "Média",
"subcategory": "Imagem/s dourada(s)",
"text": "Se a imagem personalizada for usada, verifique as práticas recomendadas para AVD sobre como criar uma imagem mestra"
},
{
"category": "Calcular",
"description": "Este conjunto de ferramentas foi criado para aplicar automaticamente a configuração referenciada no white paper 'Otimizando o Windows 10, versão 2004 para uma função de VDI (Virtual Desktop Infrastructure)': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. O uso da ferramenta e/ou otimizações mencionadas no white-paper devem ser considerados. ",
"description": "Este conjunto de ferramentas foi criado para aplicar automaticamente a configuração referenciada no white paper 'Otimizando o Windows 10, versão 2004 para uma função de VDI (Virtual Desktop Infrastructure)': https://learn.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. O uso da ferramenta e/ou otimizações mencionadas no white-paper devem ser considerados. ",
"guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
"link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool",
"severity": "Média",
@ -490,7 +490,7 @@
"category": "Calcular",
"description": "Determine se uma ferramenta de gerenciamento de configuração já está em vigor para gerenciar a configuração da VM do Pool de Hosts após a implantação inicial, por exemplo, SCCM, MEM/Intune, GPO, soluções de 3rd-party.",
"guid": "3334fdf9-1c23-4418-8b65-285269440b4b",
"link": "https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"link": "https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session",
"severity": "Baixo",
"subcategory": "Imagem/s dourada(s)",
"text": "Planejar/avaliar a estratégia de gerenciamento de configuração do AVD Session Host"
@ -499,7 +499,7 @@
"category": "Calcular",
"description": "Revise o artigo fornecido e verifique se os recursos do OneDrive 'Redirecionamento de Pasta Conhecida' e 'Arquivos sob Demanda' devem ser considerados e, eventualmente, adotados.",
"guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-AVD-master-image",
"severity": "Média",
"subcategory": "Imagem/s dourada(s)",
"text": "Determine se o Microsoft OneDrive fará parte da implantação do AVD"
@ -508,7 +508,7 @@
"category": "Calcular",
"description": "Certifique-se de revisar este artigo e usar a versão mais recente, revisar e avaliar as exclusões do Teams para reduzir o tamanho do perfil.",
"guid": "b5887953-5d22-4788-9d30-b66c67be5951",
"link": "https://docs.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD",
"severity": "Média",
"subcategory": "Imagem/s dourada(s)",
"text": "Determine se o Microsoft Teams fará parte da implantação do AVD"
@ -517,7 +517,7 @@
"category": "Calcular",
"description": "É altamente recomendável usar contas/compartilhamentos de armazenamento separados para armazenar pacotes MSIX. Se necessário, o armazenamento pode ser dimensionado de forma independente e não ser afetado por atividades de E/S de perfil. O Azure oferece várias opções de armazenamento que podem ser usadas para anexação de aplicativo MISX. Recomendamos o uso do Azure Files ou do Azure NetApp Files, pois essas opções oferecem o melhor valor entre custo e sobrecarga de gerenciamento. ",
"guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "Alto",
"subcategory": "MSIX & AppAttach",
"text": "Não use a mesma conta/compartilhamento de armazenamento que os contêineres de perfil/Office "
@ -526,7 +526,7 @@
"category": "Calcular",
"description": "No artigo referenciado, relatamos poucas, mas importantes considerações de desempenho para o uso de MSIX no contexto da AVD, certifique-se de revisar cuidadosamente.",
"guid": "241addce-5793-477b-adb3-751ab2ac1fad",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "Alto",
"subcategory": "MSIX & AppAttach",
"text": "Analisar as considerações de desempenho para o MSIX"
@ -535,7 +535,7 @@
"category": "Calcular",
"description": "A anexação de aplicativo MSIX requer permissões somente leitura para acessar o compartilhamento de arquivos. Se você estiver armazenando seus aplicativos MSIX nos Arquivos do Azure, para seus hosts de sessão, precisará atribuir a todas as VMs de host de sessão permissões RBAC (controle de acesso baseado em função) de conta de armazenamento e NTFS (Sistema de Arquivos de Nova Tecnologia) no compartilhamento.",
"guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-file-share",
"severity": "Média",
"subcategory": "MSIX & AppAttach",
"text": "Verifique as permissões de host de sessão adequadas para o compartilhamento MSIX"
@ -544,7 +544,7 @@
"category": "Calcular",
"description": "O fornecedor de software de 3ª parte deve fornecer um pacote MSY, não é recomendável que o cliente tente o procedimento de conversão sem o suporte adequado do proprietário do aplicativo.",
"guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "Média",
"subcategory": "MSIX & AppAttach",
"text": "Pacotes MSIX para aplicativos 3rd-party"
@ -553,7 +553,7 @@
"category": "Calcular",
"description": "A anexação de aplicativo MSIX não oferece suporte à atualização automática para aplicativos MSIX e, em seguida, deve ser desabilitada.",
"guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "Baixo",
"subcategory": "MSIX & AppAttach",
"text": "Desabilitar a atualização automática para pacotes MSIX"
@ -562,7 +562,7 @@
"category": "Calcular",
"description": "Para aproveitar o MSIX & App Attach, a imagem do sistema operacional convidado para o pool de hosts AVD deve ser Windows 10 Enterprise ou Windows 10 Enterprise Multi-session, versão 2004 ou posterior.",
"guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/app-attach-faq",
"severity": "Média",
"subcategory": "MSIX & AppAttach",
"text": "Revisar o suporte a sistemas operacionais"
@ -571,7 +571,7 @@
"category": "Armazenamento",
"description": "HDD padrão, SSD padrão ou SSD Premium, discos efêmeros não são suportados, Ultra-Discos não recomendados. Recomendado para avaliar o disco Premium para OS se a densidade do usuário não for baixa e se você for usar o Cloud Cache. ",
"guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c",
"link": "https://docs.microsoft.com/azure/virtual-machines/disks-types",
"link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
"severity": "Média",
"subcategory": "Host da Sessão ",
"text": "Determinar que tipo de disco gerenciado será usado para os hosts de sessão "
@ -580,16 +580,16 @@
"category": "Armazenamento",
"description": "Arquivos NetApp do Azure, Arquivos do Azure, Servidor de Arquivos baseado em VM. Servidor de arquivos não recomendado. O Azure Files Premium normalmente é um bom ponto de partida. A NetApp geralmente só é necessária para ambientes de grande escala/alto desempenho. ",
"guid": "ed6b17db-8255-4462-b2ae-e4553afc8339",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Determinar qual solução de back-end de armazenamento será usada para FSLogix Profile e Office Containers"
},
{
"category": "Armazenamento",
"description": "A recomendação na Área de Trabalho Virtual do Windows é usar o Contêiner de Perfil sem o Contêiner do Office, a menos que você esteja planejando cenários específicos de BCDR (Business Continuity and Disaster Recovery), conforme descrito na seção Recuperação de Desastres abaixo. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"description": "A recomendação na Área de Trabalho Virtual do Windows é usar o Contêiner de Perfil sem o Contêiner do Office, a menos que você esteja planejando cenários específicos de BCDR (Business Continuity and Disaster Recovery), conforme descrito na seção Recuperação de Desastres abaixo. https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt ",
"guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39",
"link": "https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt",
"link": "https://learn.microsoft.com/fslogix/profile-container-office-container-cncpt",
"severity": "Baixo",
"subcategory": "FSLogix",
"text": "Avalie a possibilidade de separar os Contêineres de Perfil dos Contêineres do Office"
@ -598,7 +598,7 @@
"category": "Armazenamento",
"description": "Como ponto de partida para estimar os requisitos de desempenho de armazenamento de contêiner de perfil, recomendamos assumir 10 IOPS por usuário no estado estacionário e 50 IOPS por usuário durante a entrada/saída.",
"guid": "680e7828-9c93-4665-9d02-bff4564b0d93",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Verificar os limites de escalabilidade do armazenamento para dar suporte aos requisitos do Pool de Hosts"
@ -616,7 +616,7 @@
"category": "Armazenamento",
"description": "Evite introduzir latência e custos adicionais associados ao tráfego de rede entre regiões sempre que possível.",
"guid": "8aad53cc-79e2-4e86-9673-57c549675c5e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Para obter o desempenho ideal, a solução de armazenamento e o contêiner de perfil FSLogix devem estar no mesmo local do data center."
@ -625,16 +625,16 @@
"category": "Armazenamento",
"description": "Certifique-se de configurar as seguintes exclusões de antivírus para discos rígidos virtuais FSLogix Profile Container, conforme documentado no artigo referenciado.",
"guid": "83f63047-22ee-479d-9b5c-3632054b69ba",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Média",
"subcategory": "FSLogix",
"text": "Configure as exclusões antivírus recomendadas para o FSLogix (inclui não verificar arquivos VHD(x) na conexão)."
},
{
"category": "Armazenamento",
"description": "As configurações básicas e recomendadas padrão estão aqui: https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises Veja aqui o conjunto principal: https://docs.microsoft.com/fslogix/configure-profile-container-tutorialSee aqui para referência completa: https://docs.microsoft.com/fslogix/profile-container-configuration-reference ",
"description": "As configurações básicas e recomendadas padrão estão aqui: https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#best-practice-settings-for-enterprises Veja aqui o conjunto principal: https://learn.microsoft.com/fslogix/configure-profile-container-tutorialSee aqui para referência completa: https://learn.microsoft.com/fslogix/profile-container-configuration-reference ",
"guid": "d34aad5e-8c78-4e1d-9666-7313c405674c",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Revise as chaves do Registro FSLogix e determine quais devem ser aplicadas"
@ -643,7 +643,7 @@
"category": "Armazenamento",
"description": "Conexões simultâneas ou múltiplas são desencorajadas na Área de Trabalho Virtual do Windows. A prática recomendada é criar um local de perfil diferente para cada sessão (como um pool de hosts).",
"guid": "5e985b85-9c77-43e7-b261-623b775a917e",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Verificar o uso de conexões simultâneas ou múltiplas com o mesmo perfil"
@ -652,7 +652,7 @@
"category": "Armazenamento",
"description": "Como uma estimativa geral, a ser validada em um ambiente de teste, para cada usuário 5 - 15 IOPS devem ser primeiro considerados, dependendo da carga de trabalho. Arquivos do Azure: IOPS máximo de 100k por compartilhamento Premium (máximo de 100TB) e até 5Gbps com latência de 3ms. Esteja ciente de como os Arquivos do Azure são provisionados, ou seja, IOPS estritamente vinculadas ao SIZE provisionado. Capacidade de dimensionamento de burst em alguns casos. Certifique-se de fornecer ao UPFRONT mais espaço do que o necessário para ter certeza de ter IOPS suficiente. NOTA: O Azure Premium talvez seja mais barato do que o Standard porque você não paga transações e, em seguida, detalhes importantes a serem lembrados. Arquivos NetApp do Azure: lembre-se de um máximo de 1000 IPs conectados, pode ajustar IOPS em tempo real, capacidade provisionada mínima de 4 TB. ",
"guid": "1f348ff3-64d2-47d4-8e8b-bbc868155abb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Revise as práticas recomendadas e as principais considerações para o dimensionamento do armazenamento"
@ -661,7 +661,7 @@
"category": "Armazenamento",
"description": "Certifique-se de verificar a lista de práticas recomendadas e recomendações descritas no artigo referenciado.",
"guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Média",
"subcategory": "FSLogix",
"text": "Verificar as práticas recomendadas para os Arquivos do Azure (se usados)"
@ -670,7 +670,7 @@
"category": "Armazenamento",
"description": "Certifique-se de verificar a lista de práticas recomendadas e recomendações descritas no artigo referenciado.",
"guid": "c42149d4-13a9-423c-9574-d11028ac6aae",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Média",
"subcategory": "FSLogix",
"text": "Verificar as práticas recomendadas para o NetApp Files (se usado)"
@ -679,7 +679,7 @@
"category": "Armazenamento",
"description": "Os contêineres de perfil têm um tamanho máximo padrão de 30 GB. Se os Contêineres de Perfil grandes estiverem previstos e os clientes quiserem tentar mantê-los pequenos, considere usar o OneDrive para hospedar arquivos do Office 365 fora do perfil FSLogic.",
"guid": "01e6a84d-e5df-443d-8992-481718d5d1e5",
"link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/profile-container-configuration-reference",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Revise e confirme o tamanho máximo do perfil configurado no FSLogix"
@ -688,7 +688,7 @@
"category": "Armazenamento",
"description": "O Cloud Cache usa o disco local como cache e pode gerar muita pressão sobre o disco da VM. Recomendado para aproveitar o poder do disco de VM temporário (e conectado localmente), se possível com base na SKU da VM. ",
"guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b",
"link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference",
"link": "https://learn.microsoft.com/fslogix/cloud-cache-configuration-reference",
"severity": "Média",
"subcategory": "FSLogix",
"text": "Se o FSLogix Cloud Cache for usado, mova o diretório Cache para a unidade temporária."
@ -697,7 +697,7 @@
"category": "Armazenamento",
"description": "REDIRECTION.XML arquivo é usado para controlar quais pastas são redirecionadas do contêiner de perfil para a unidade C:. As exclusões devem ser a exceção e nunca devem ser usadas, a menos que a exclusão específica seja completamente compreendida pela pessoa que configura a exclusão. As exclusões devem ser sempre totalmente testadas no ambiente em que se destinam a ser implementadas. A configuração de exclusões pode afetar a funcionalidade, a estabilidade e o desempenho.",
"guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml",
"severity": "Média",
"subcategory": "FSLogix",
"text": "Revise o uso do redirecionamento FSLogix."
@ -706,7 +706,7 @@
"category": "Armazenamento",
"description": "Um Site do Active Directory deve ser criado para o ambiente de rede virtual do Azure onde a sub-rede ANF será criada, e esse nome de site deve ser especificado na propriedade de conexão ANF ao executar o procedimento de associação, conforme explicado no artigo de referência.",
"guid": "6647e977-db49-48a8-bc35-743f17499d42",
"link": "https://docs.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"link": "https://learn.microsoft.com/en-us/azure/azure-netapp-files/create-active-directory-connections",
"severity": "Alto",
"subcategory": "FSLogix",
"text": "Se o armazenamento dos Arquivos NetApp do Azure for usado, marque a configuração do nome do Site do AD na Conexão do AD."
@ -724,34 +724,34 @@
"category": "Segurança",
"description": "Recomendamos que você não conceda aos usuários acesso de administrador a áreas de trabalho virtuais. Se você precisar de pacotes de software, recomendamos disponibilizá-los por meio de utilitários de gerenciamento de configuração, como o Microsoft Endpoint Manager. Em um ambiente de várias sessões, recomendamos que você não permita que os usuários instalem o software diretamente.",
"guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Média",
"subcategory": "Configuração do host",
"text": "Certifique-se de que os usuários do AVD não terão privilégios de administrador local nos hosts do AVD. "
},
{
"category": "Segurança",
"description": "O Microsoft Defender for Endpoint agora oferece suporte a várias sessões da Área de Trabalho Virtual do Windows para Windows 10 Enterprise. Consulte o artigo para integrar dispositivos VDI (infraestrutura de área de trabalho virtual) não persistentes: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"description": "O Microsoft Defender for Endpoint agora oferece suporte a várias sessões da Área de Trabalho Virtual do Windows para Windows 10 Enterprise. Consulte o artigo para integrar dispositivos VDI (infraestrutura de área de trabalho virtual) não persistentes: https://learn.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi",
"guid": "b1172576-9ef6-4691-a483-5ac932223ece",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Alto",
"subcategory": "Configuração do host",
"text": "Certifique-se de que a solução antivírus e antimalware seja usada"
},
{
"category": "Segurança",
"description": "Certifique-se de que as seguintes exclusões estão em vigor: https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"description": "Certifique-se de que as seguintes exclusões estão em vigor: https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix#antivirus-exclusions .",
"guid": "80b12308-1a54-4174-8583-3ea3ad2c2de7",
"link": "https://docs.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"link": "https://learn.microsoft.com/azure/architecture/example-scenario/AVD/windows-virtual-desktop-fslogix",
"severity": "Alto",
"subcategory": "Configuração do host",
"text": "Certifique-se de que as exclusões AV adequadas estejam em vigor"
},
{
"category": "Segurança",
"description": "Os discos no Azure já são criptografados em repouso por padrão com chaves gerenciadas da Microsoft. A criptografia de disco do Host VM OS é possível e suportada usando ADE e DES: dados de usuário sensíveis e peristent não devem ser armazenadosdf no disco Host da Sessão, então eles devem ser usados somente se estritamente necessário por motivo de conformidade. A criptografia do armazenamento FSLogix usando o Arquivos do Azure pode ser feita usando o SSE no Armazenamento do Azure.Para criptografia do OneDrive, consulte este artigo: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
"description": "Os discos no Azure já são criptografados em repouso por padrão com chaves gerenciadas da Microsoft. A criptografia de disco do Host VM OS é possível e suportada usando ADE e DES: dados de usuário sensíveis e peristent não devem ser armazenadosdf no disco Host da Sessão, então eles devem ser usados somente se estritamente necessário por motivo de conformidade. A criptografia do armazenamento FSLogix usando o Arquivos do Azure pode ser feita usando o SSE no Armazenamento do Azure.Para criptografia do OneDrive, consulte este artigo: https://learn.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.",
"guid": "0fd32907-98bc-4178-adc5-a06ca7144351",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Baixo",
"subcategory": "Configuração do host",
"text": "Avaliar os requisitos de criptografia de disco para hosts AVD"
@ -769,7 +769,7 @@
"category": "Segurança",
"description": "Recomendamos que você habilite o Azure Security Center Standard para assinaturas, máquinas virtuais, cofres de chaves e contas de armazenamento. Com o Azure Security Center Standard é possível avaliar e gerenciar vulnerabilidades, avaliar a conformidade com estruturas comuns, como PCI, fortalecer a segurança geral do seu ambiente AVD.",
"guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Média",
"subcategory": "Segurança",
"text": "Avaliar o uso da Central de Segurança do Azure (ASC) para hosts de sessão AVD"
@ -778,7 +778,7 @@
"category": "Segurança",
"description": "Deve ser usado, por exemplo, para impor bloqueio de área de trabalho e encerramento de sessão ociosa. Os GPOs existentes aplicados ao ambiente local devem ser revisados e, eventualmente, aplicados para proteger também os hosts AVD. ",
"guid": "a135e337-897e-431c-97d6-8cb6a22ac19f",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Média",
"subcategory": "Segurança",
"text": "Revisar GPOs do Active Directory para proteger sessões RDP"
@ -787,7 +787,7 @@
"category": "Segurança",
"description": "Para obter detalhes e insights adicionais, consulte este artigo: https://christiaanbrinkhoff.com/2020/03/23/learn-how-to-increase-the-security-level-of-your-windows-virtual-desktop-environment-e-g-windows-client-with-azure-mfa-and-conditional-access",
"guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-mfa",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa",
"severity": "Baixo",
"subcategory": "Segurança",
"text": "Avaliar o uso de MFA para usuários de AVD"
@ -796,7 +796,7 @@
"category": "Segurança",
"description": "A habilitação do Acesso Condicional permite que você gerencie riscos antes de conceder aos usuários acesso ao seu ambiente de Área de Trabalho Virtual do Windows. Ao decidir a quais usuários conceder acesso, recomendamos que você também considere quem é o usuário, como ele entra e qual dispositivo está usando.",
"guid": "556246b4-3856-44b4-bc74-a748b6633ad2",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Baixo",
"subcategory": "Segurança",
"text": "Avaliar o uso do Acesso Condicional para usuários"
@ -805,7 +805,7 @@
"category": "Segurança",
"description": "A habilitação da coleta de logs de auditoria permite exibir a atividade do usuário e do administrador relacionada à Área de Trabalho Virtual do Windows. Este também é um requisito para eanble e usar a ferramenta de monitoramento AVD. Altamente recomendado para habilitar. ",
"guid": "a0916a76-4980-4ad0-b278-ee293c1bc352",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Média",
"subcategory": "Segurança",
"text": "Habilitar o log de diagnóstico e auditoria no espaço de trabalho central do Log Analytics"
@ -814,7 +814,7 @@
"category": "Segurança",
"description": "O AVD usa RBAC (controles de acesso baseados em função) do Azure para atribuir funções a usuários e administradores. Essas funções dão aos administradores permissão para executar determinadas tarefas. Se a separação de tarefas for necessária, a Área de Trabalho Virtual do Windows terá funções adicionais que permitem separar funções de gerenciamento para pools de hosts, grupos de aplicativos e espaços de trabalho. Essa separação permite que você tenha um controle mais granular sobre as tarefas administrativas. Essas funções são nomeadas em conformidade com as funções padrão do Azure e a metodologia de privilégios mínimos.",
"guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b",
"link": "https://docs.microsoft.com/azure/virtual-desktop/rbac",
"link": "https://learn.microsoft.com/azure/virtual-desktop/rbac",
"severity": "Baixo",
"subcategory": "Segurança",
"text": "Avaliar o requisito de usar funções RBAC personalizadas para gerenciamento de AVD "
@ -823,7 +823,7 @@
"category": "Segurança",
"description": "Um conjunto abrangente de práticas recomendadas de segurança e recomendações estão contidas no artigo referenciado, recomenda-se revisar. ",
"guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28",
"link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide",
"link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide",
"severity": "Média",
"subcategory": "Segurança",
"text": "Revise todas as práticas recomendadas de segurança para o ambiente AVD"
@ -832,7 +832,7 @@
"category": "Monitoramento e Gerenciamento",
"description": "O Azure Monitor para Área de Trabalho Virtual do Windows é um painel criado em Pastas de Trabalho do Azure Monitor que ajuda os profissionais de TI a entender seus ambientes de Área de Trabalho Virtual do Windows. Leia o artigo referenciado para saber como configurar o Monitor do Azure para Área de Trabalho Virtual do Windows para monitorar seus ambientes de Área de Trabalho Virtual do Windows.",
"guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-monitor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-monitor",
"severity": "Alto",
"subcategory": "Monitorização",
"text": "Habilitar o Monitoramento do Azure para AVD"
@ -841,16 +841,16 @@
"category": "Monitoramento e Gerenciamento",
"description": "A Área de Trabalho Virtual do Windows usa o Azure Monitor e o Log Analytics para monitoramento e alertas, como muitos outros serviços do Azure. Isso permite que os administradores identifiquem problemas por meio de uma única interface. O serviço cria logs de atividades para ações administrativas e de usuário. Cada registro de atividades se enquadra nas seguintes categorias: Gerenciamento, Feed, Conexões, Registro de Host, Erros, Pontos de Verificação. ",
"guid": "81770afb-c4c0-4e43-a186-58d2857ed671",
"link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"link": "https://learn.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics",
"severity": "Média",
"subcategory": "Monitorização",
"text": "Habilitar e redirecionar configurações de diagnóstico para Espaços de Trabalho, Pools de Hosts, Grupos de Aplicativos e VMs Host para o espaço de trabalho do Log Analytics"
},
{
"category": "Monitoramento e Gerenciamento",
"description": "Consulte o artigo referenciado e este adicional para configurar o monitoramento e o alerta adequados para armazenamento: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"description": "Consulte o artigo referenciado e este adicional para configurar o monitoramento e o alerta adequados para armazenamento: https://learn.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ",
"guid": "2463cffe-179c-4599-be0d-5973dd4ce32c",
"link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"link": "https://learn.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal",
"severity": "Média",
"subcategory": "Monitorização",
"text": "Criar alertas no armazenamento de perfis a serem alertados em caso de alto uso e limitação"
@ -859,7 +859,7 @@
"category": "Monitoramento e Gerenciamento",
"description": "Você pode usar a Integridade do Serviço do Azure para monitorar problemas de serviço e avisos de integridade da Área de Trabalho Virtual do Windows. A Integridade do Serviço do Azure pode notificá-lo com diferentes tipos de alertas (por exemplo, email ou SMS), ajudá-lo a entender o efeito de um problema e mantê-lo atualizado à medida que o problema é resolvido.",
"guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-service-alerts",
"severity": "Média",
"subcategory": "Monitorização",
"text": "Configurar a Integridade do Serviço do Azure para alertas AVD "
@ -868,7 +868,7 @@
"category": "Monitoramento e Gerenciamento",
"description": "A ferramenta de dimensionamento fornece uma opção de automação de baixo custo para clientes que desejam otimizar seus custos de VM de host de sessão. Você pode usar a ferramenta de dimensionamento para agendar VMs para iniciar e parar com base no horário comercial de pico e fora de pico, expandir VMs com base no número de sessões por núcleo de CPU, dimensionar em VMs durante o horário de pico fora de pico, deixando o número mínimo de VMs de host de sessão em execução. Ainda não disponível para o tipo de Pool de Host Pessoal, recomenda-se ter uma configuração separada para cada pool de hosts. ",
"guid": "7138b820-102c-4e16-be30-1e6e872e52e3",
"link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-scaling-script",
"severity": "Baixo",
"subcategory": "Gestão",
"text": "Avaliar o requisito de capacidade de dimensionamento automático do pool de hosts"
@ -877,7 +877,7 @@
"category": "Monitoramento e Gerenciamento",
"description": "O Supervisor do Azure analisa suas configurações e telemetria para oferecer recomendações personalizadas para resolver problemas comuns. Com essas recomendações, você pode otimizar seus recursos do Azure para confiabilidade, segurança, excelência operacional, desempenho e custo.",
"guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4",
"link": "https://docs.microsoft.com/azure/virtual-desktop/azure-advisor",
"link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor",
"severity": "Baixo",
"subcategory": "Gestão",
"text": "Verifique periodicamente as recomendações do Azure Advisor para AVD"
@ -886,16 +886,16 @@
"category": "Monitoramento e Gerenciamento",
"description": "Prepare uma estratégia para gerenciar atualizações para imagens douradas, por exemplo, para aplicar hotfixes de segurança e/ou atualizar aplicativos instalados dentro da imagem. O Serviço Construtor de Imagens do Azure é uma solução de 1ª parte para automatizar a compilação e a personalização de VMs.Os modelos ARM podem ser usados para criar novos hosts e, em seguida, encerrar os antigos: https://github.com/Azure/RDS-Templates/tree/master/ARM-AVD-templates/AddVirtualMachinesToHostPool A abordagem recomendada é criar um novo pool lado a lado, mais fácil de reverter, não utilizável para pool dedicadoReimplantar e aumentar o número de VMs com o modelo ARM também é uma opção viável. Os clientes também podem querer usar métodos de distribuição de software existentes para atualizar a imagem sem reimplantar, para exame com SCCM ou similar.",
"guid": "d7b68d0c-7555-462f-8b3e-4563b4d874a7",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "Média",
"subcategory": "Gestão",
"text": "Planejar uma estratégia de gerenciamento de atualização de imagem dourada"
},
{
"category": "Monitoramento e Gerenciamento",
"description": "Os clientes podem ter várias opções:- Microsoft Endpoint Configuration Manager, este artigo explica como configurar o Microsoft Endpoint Configuration Manager para aplicar automaticamente atualizações a um host de Área de Trabalho Virtual do Windows executando o Windows 10 Enterprise com várias sessões: https://docs.microsoft.com/azure/virtual-desktop/configure-automatic-updates- Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- 3ª Parte que dá suporte ao seu sistema operacional.- Gerenciamento de Atualização do Azure (Automação do Azure), atualmente sem suporte para o sistema operacional cliente: recomenda-se que https://docs.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt se afaste de uma estratégia de aplicação de patches e mude para uma estratégia de recriação de imagens, se possível. ",
"description": "Os clientes podem ter várias opções:- Microsoft Endpoint Configuration Manager, este artigo explica como configurar o Microsoft Endpoint Configuration Manager para aplicar automaticamente atualizações a um host de Área de Trabalho Virtual do Windows executando o Windows 10 Enterprise com várias sessões: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates- Microsoft Intune: https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session- Windows Server Update Services (WSUS)- 3ª Parte que dá suporte ao seu sistema operacional.- Gerenciamento de Atualização do Azure (Automação do Azure), atualmente sem suporte para o sistema operacional cliente: recomenda-se que https://learn.microsoft.com/azure/automation/update-management/overview#unsupported-operating-systemsIt se afaste de uma estratégia de aplicação de patches e mude para uma estratégia de recriação de imagens, se possível. ",
"guid": "04722da2-9c2b-41cd-922f-54b29bade3aa",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/image-builder-virtual-desktop",
"severity": "Média",
"subcategory": "Gestão",
"text": "Planejar uma estratégia de correção e atualização do Host da Sessão"
@ -904,7 +904,7 @@
"category": "Monitoramento e Gerenciamento",
"description": "Os pools de hosts são uma coleção de uma ou mais máquinas virtuais idênticas no ambiente da Área de Trabalho Virtual do Windows. É altamente recomendável que você crie um pool de hosts de validação em que as atualizações de serviço sejam aplicadas primeiro. Isso permite que você monitore as atualizações de serviço antes que o serviço as aplique ao seu ambiente padrão ou de não validação.",
"guid": "d1e8c38e-c936-4667-913c-005674b1e944",
"link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"link": "https://learn.microsoft.com/azure/virtual-desktop/create-validation-host-pool",
"severity": "Baixo",
"subcategory": "Gestão",
"text": "Avaliar o requisito para um ambiente canário de teste AVD"
@ -922,7 +922,7 @@
"category": "Monitoramento e Gerenciamento",
"description": "Depois de registrar uma VM em um pool de hosts no serviço Área de Trabalho Virtual do Windows, o agente atualiza regularmente o token da VM sempre que a VM está ativa. O certificado para o token de registro é válido por 90 dias. Devido a esse limite de 90 dias, recomendamos que as VMs fiquem online por 20 minutos a cada 90 dias para que a máquina possa atualizar seus tokens e atualizar o agente e os componentes da pilha lado a lado.",
"guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "Média",
"subcategory": "Gestão",
"text": "Ativar VMs regularmente a cada 90 dias para atualização de token"
@ -940,7 +940,7 @@
"category": "BC/DR",
"description": "O modelo Active-Active' pode ser alcançado com vários pools de hosts em diferentes regiões. Um único Pool de Hosts com VMs de diferentes regiões não é recomendado. Se vários pools para os mesmos usuários forem usados, o problema de como sincronizar/replicar perfis de usuário deverá ser resolvido. O FSLogix Cloud Cache pode ser usado, mas precisa ser cuidadosamente revisado e planejado, ou os clientes podem decidir não sincronizar/replicar. 'Ativo-Passivo' pode ser alcançado usando o Azure Site Recovery (ASR) ou a implantação de Pool sob demanda com mecanismo automatizado.",
"guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Média",
"subcategory": "Calcular",
"text": "Avaliar a região de recuperação de desastres geográficos para pools de hosts AVD"
@ -949,7 +949,7 @@
"category": "BC/DR",
"description": "Antes de abordar o planejamento e o design do BCDR da Área de Trabalho Virtual do Windows, é importante considerar inicialmente quais aplicativos são consumidos por meio do AVD são críticos. Talvez você queira separá-los de aplicativos não críticos e usar um Pool de Hosts separado com uma abordagem e recursos de recuperação de desastres diferentes.",
"guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Média",
"subcategory": "Calcular",
"text": "Separe aplicativos críticos em diferentes pools de hosts AVD"
@ -958,7 +958,7 @@
"category": "BC/DR",
"description": "? Você selecionou o nível de resiliência adequado para suas VMs de Pool de Hosts (Conjunto de Disponibilidade vs. Zonas de Disponibilidade)?? Você está ciente das implicações no SLA de HA e nos limites de escalabilidade que acompanham o AS ou o AZ? Atualmente, você pode implantar 399 VMs por implantação de modelo ARM da Área de Trabalho Virtual do Windows sem Conjuntos de Disponibilidade ou 200 VMs por Conjunto de Disponibilidade.? Você pode aumentar o número de VMs por implantação desativando os Conjuntos de Disponibilidade no modelo ARM ou no registro do pool de hosts do portal do Azure. A implantação do AZ agora é possível, um AZ de cada vez no momento, precisa criar manualmente uma fração de VMs em cada AZ desejada. ",
"guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
"link": "https://docs.microsoft.com/azure/virtual-desktop/faq",
"link": "https://learn.microsoft.com/azure/virtual-desktop/faq",
"severity": "Alto",
"subcategory": "Calcular",
"text": "Planejar a melhor opção de resiliência para a implantação do Pool de Hosts AVD"
@ -967,7 +967,7 @@
"category": "BC/DR",
"description": "O Backup do Azure também pode ser usado para proteger VMs de Pool de Hosts, essa prática é suportada, mesmo que as VMs de Pool de Hosts devam ser sem monitoração de estado. Essa opção pode ser considerada para Pools de Host Pessoais. ",
"guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Média",
"subcategory": "Calcular",
"text": "Avaliar o requisito para fazer backup de hosts de sessão AVD"
@ -976,7 +976,7 @@
"category": "BC/DR",
"description": "Nem todos os dados dentro dos perfis de usuário do FSLogix podem merecer proteção contra desastres. Além disso, se o armazenamento externo for usado, por exemplo, OneDrive ou Servidores/Compartilhamentos de Arquivos, o que resta no perfil FSLogix é mínimo e pode ser perdido em algumas circunstâncias extremas. Em outros casos, os dados dentro do perfil podem ser recriados a partir de outros armazenamentos (por exemplo, a Caixa de Entrada do Outlook no modo em cache). ",
"guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
"link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt",
"link": "https://learn.microsoft.com/fslogix/manage-profile-content-cncpt",
"severity": "Média",
"subcategory": "Armazenamento",
"text": "Avaliar quais dados precisam ser protegidos dentro dos contêineres de perfil e do Office"
@ -985,7 +985,7 @@
"category": "BC/DR",
"description": "Evitar a perda de dados para dados críticos do usuário é importante, o primeiro passo é avaliar quais dados precisam ser salvos e protegidos. Se estiver usando o OneDrive ou outro armazenamento externo, talvez não seja necessário salvar dados de Perfil de usuário e/ou Contêineres do Office. Deve ser considerado um mecanismo adequado para fornecer proteção aos dados críticos do usuário. O serviço de Backup do Azure pode ser usado para proteger os dados de Perfil e Contêineres do Office quando armazenados nas camadas Padrão e Premium do Azure Files. Os Instantâneos e Políticas de Arquivos NetApp do Azure podem ser usados para Arquivos NetApp do Azure (todas as camadas).",
"guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Média",
"subcategory": "Armazenamento",
"text": "Criar uma estratégia de proteção de backup para contêineres de perfil e do Office"
@ -994,16 +994,16 @@
"category": "BC/DR",
"description": "No AVD, vários mecanismos e estratégias de replicação podem ser usados para dados do usuário que residem em contêineres FSLogix:? Padrão de Perfil #1: Mecanismos nativos de replicação de armazenamento do Azure, por exemplo, replicação GRS do Azure Files Standard, Replicação entre Regiões de Arquivos NetApp do Azure ou Sincronização de Arquivos do Azure para servidores de arquivos baseados em VM? É recomendável usar o ZRS (Armazenamento Replicado de Zona) ou o GRS (Armazenamento Replicado Geo) para Arquivos do Azure.Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files é recomendado.? O LRS com resiliência apenas local pode ser usado se nenhuma proteção de zona/região for necessária.? NOTA: O Padrão de Compartilhamento de Arquivos do Azure é LRS/ZRS/GRS, mas com suporte grande de 100 TB habilitado, somente o LRS/ZRS é suportado. ? Padrão de perfil #2: O FSLogix Cloud Cache é criado em mecanismo automático para replicar contêineres entre diferentes (até 4) contas de armazenamento. O Cloud Cache deve ser usado somente quando:? A disponibilidade de dados de perfis de usuário ou contêineres do Office exigida SLA de alta disponibilidade é crítica e precisa ser resiliente a falhas na região.? A opção de armazenamento selecionada não é capaz de atender aos requisitos de BCDR. Por exemplo, com a camada Premium do Compartilhamento de Arquivos do Azure ou o Padrão de Compartilhamento de Arquivos do Azure com Suporte a Arquivos Grandes habilitado, o GRS não está disponível.? Quando a replicação entre armazenamentos diferentes é necessária.? Padrão de perfil #3: Configure apenas a recuperação de desastres geográficos para dados de aplicativos e não para contêineres de dados/perfis de usuários: armazene dados importantes de aplicativos em armazenamentos separados, como o OneDrive ou outro armazenamento externo com seu próprio mecanismo de DR interno.",
"guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Média",
"subcategory": "Armazenamento",
"text": "Avaliar os requisitos de replicação e resiliência do armazenamento de contêiner de perfil para fins de BCDR"
},
{
"category": "BC/DR",
"description": "Geo Disaster Recovery: O Azure NetApp Files é essencialmente LRS (armazenamento replicado localmente), então você precisa arquitetar algo mais se quiser replicação entre regiões. A recomendação para várias regiões no momento é o NetApp Cloud Sync, replicando para outra região do Azure (e NetApp Volume). Backup: Os backups são tratados por instantâneos, mas não são automáticos, precisam ser agendados usando políticas. https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. Há um limite máximo de instantâneos (255) por volume, conforme documentado aqui: https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits.",
"description": "Geo Disaster Recovery: O Azure NetApp Files é essencialmente LRS (armazenamento replicado localmente), então você precisa arquitetar algo mais se quiser replicação entre regiões. A recomendação para várias regiões no momento é o NetApp Cloud Sync, replicando para outra região do Azure (e NetApp Volume). Backup: Os backups são tratados por instantâneos, mas não são automáticos, precisam ser agendados usando políticas. https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots. Há um limite máximo de instantâneos (255) por volume, conforme documentado aqui: https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-resource-limits.",
"guid": "23429db7-2281-4376-85cc-57b4a4b18142",
"link": "https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-manage-snapshots",
"severity": "Média",
"subcategory": "Armazenamento",
"text": "Revise a estratégia de DR do Azure NetApp Files"
@ -1012,7 +1012,7 @@
"category": "BC/DR",
"description": "Recuperação de desastres geográficos: o GRS para Arquivos do Azure só está disponível com SKU padrão e sem suporte a compartilhamento grande, não sendo adequado na maioria dos cenários de clientes. Se a replicação geográfica for necessária, ao usar o Azure File Share Premium, a replicação com o FSLogix Cloud Cache deve ser avaliada ou a resiliência somente da Zona de Disponibilidade (AZ) 'na região' deve ser considerada. Backup: o Backup do Azure dá suporte total ao Compartilhamento de Arquivos do Azure em todas as SKUs e é a solução recomendada para proteger os Contêineres de Perfil. Se estiver usando o OneDrive ou outro armazenamento externo, talvez não seja necessário salvar dados de Perfil de usuário e/ou Contêineres do Office.",
"guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
"link": "https://docs.microsoft.com/azure/backup/backup-afs",
"link": "https://learn.microsoft.com/azure/backup/backup-afs",
"severity": "Média",
"subcategory": "Armazenamento",
"text": "Revise a estratégia de DR do Azure Files"
@ -1021,7 +1021,7 @@
"category": "BC/DR",
"description": "Se imagens personalizadas forem usadas para implantar VMs do Pool de Hosts do AVD, é importante garantir que esses artefatos estejam disponíveis em todas as regiões, mesmo que em caso de um grande desastre. O serviço Galeria de Computação do Azure pode ser usado para replicar imagens em todas as regiões onde um Pool de Hosts é implantado, com armazenamento redundante e em várias cópias.",
"guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
"link": "https://docs.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"link": "https://learn.microsoft.com/azure/virtual-machines/windows/shared-images-portal",
"severity": "Baixo",
"subcategory": "Dependências",
"text": "Planejar a disponibilidade da Golden Image em várias regiões"
@ -1030,7 +1030,7 @@
"category": "BC/DR",
"description": "Se os usuários da infraestrutura AVD precisarem de acesso a recursos locais, a alta disponibilidade da infraestrutura de rede necessária para se conectar também é crítica e deve ser considerada. A resiliência da infraestrutura de autenticação precisa ser avaliada e avaliada. Os aspectos do BCDR para aplicativos dependentes e outros recursos precisam ser considerados para garantir a disponibilidade no local de DR secundário.",
"guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
"link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
"link": "https://learn.microsoft.com/azure/virtual-desktop/disaster-recovery",
"severity": "Média",
"subcategory": "Dependências",
"text": "Avalie as dependências de infraestrutura e aplicativos "

16
checklists/eh_security_checklist.en.json
Просмотреть файл

@ -7,7 +7,7 @@
"description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
"guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
"severity": "Low",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
"link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key"
},
{
@ -17,7 +17,7 @@
"description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ",
"guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
"link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version"
},
{
@ -27,7 +27,7 @@
"description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It\u2019s recommended that you treat this rule like an administrative root account and don\u2019t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ",
"guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies"
},
{
@ -37,7 +37,7 @@
"description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ",
"guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest"
},
{
@ -47,7 +47,7 @@
"description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.",
"guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
"severity": "High",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs"
},
{
@ -57,7 +57,7 @@
"description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.",
"guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/",
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
"link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference"
},
{
@ -67,7 +67,7 @@
"description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
"guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/event-hubs/private-link-service"
},
{
@ -77,7 +77,7 @@
"description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
"guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering"
}
],

16
checklists/eh_security_checklist.es.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "Bajo",
"subcategory": "Protección de datos",
"text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "Seguridad",
@ -23,7 +23,7 @@
"severity": "Medio",
"subcategory": "Protección de datos",
"text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "Seguridad",
@ -33,7 +33,7 @@
"severity": "Medio",
"subcategory": "Gestión de identidades y accesos",
"text": "Evite usar una cuenta root cuando no sea necesario",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "Seguridad",
@ -43,7 +43,7 @@
"severity": "Medio",
"subcategory": "Gestión de identidades y accesos",
"text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o un servicio equivalente",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Seguridad",
@ -53,7 +53,7 @@
"severity": "Alto",
"subcategory": "Gestión de identidades y accesos",
"text": "Usar RBAC del plano de datos con privilegios mínimos",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "Seguridad",
@ -63,7 +63,7 @@
"severity": "Medio",
"subcategory": "Monitorización",
"text": "Habilite el registro para la investigación de seguridad. Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "Seguridad",
@ -73,7 +73,7 @@
"severity": "Medio",
"subcategory": "Gestión de redes",
"text": "Considere la posibilidad de usar puntos de conexión privados para acceder a Azure Event Hub y deshabilitar el acceso a la red pública cuando corresponda.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Seguridad",
@ -83,7 +83,7 @@
"severity": "Medio",
"subcategory": "Gestión de redes",
"text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres de Azure Event Hub desde direcciones IP o intervalos específicos",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

16
checklists/eh_security_checklist.ja.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "低い",
"subcategory": "データ保護",
"text": "必要に応じて、保存データの暗号化でカスタマー マネージド キー オプションを使用する",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "安全",
@ -23,7 +23,7 @@
"severity": "中程度",
"subcategory": "データ保護",
"text": "要求に最低限必要なバージョンのトランスポート層セキュリティ (TLS) を適用する",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "安全",
@ -33,7 +33,7 @@
"severity": "中程度",
"subcategory": "ID およびアクセス管理",
"text": "不要な場合はrootアカウントを使用しないでください",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "安全",
@ -43,7 +43,7 @@
"severity": "中程度",
"subcategory": "ID およびアクセス管理",
"text": "可能であれば、アプリケーションはマネージド ID を使用して Azure Event Hub に対する認証を行う必要があります。そうでない場合は、ストレージ資格情報 (SAS、サービス プリンシパル資格情報) を Azure Key Vault または同等のサービスに配置することを検討してください。",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "安全",
@ -53,7 +53,7 @@
"severity": "高い",
"subcategory": "ID およびアクセス管理",
"text": "最小特権データ プレーン RBAC を使用する",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "安全",
@ -63,7 +63,7 @@
"severity": "中程度",
"subcategory": "モニタリング",
"text": "セキュリティ調査のログ記録を有効にします。Azure Monitor を使用して、リソース ログ、ランタイム監査ログ、Kafka ログなどのメトリックとログをキャプチャする",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "安全",
@ -73,7 +73,7 @@
"severity": "中程度",
"subcategory": "ネットワーキング",
"text": "プライベート エンドポイントを使用して Azure Event Hub にアクセスし、該当する場合はパブリック ネットワーク アクセスを無効にすることを検討してください。",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "安全",
@ -83,7 +83,7 @@
"severity": "中程度",
"subcategory": "ネットワーキング",
"text": "特定の IP アドレスまたは範囲からの Azure イベント ハブ名前空間へのアクセスのみを許可することを検討してください",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

16
checklists/eh_security_checklist.ko.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "낮다",
"subcategory": "데이터 보호",
"text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "안전",
@ -23,7 +23,7 @@
"severity": "보통",
"subcategory": "데이터 보호",
"text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "안전",
@ -33,7 +33,7 @@
"severity": "보통",
"subcategory": "ID 및 액세스 관리",
"text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "안전",
@ -43,7 +43,7 @@
"severity": "보통",
"subcategory": "ID 및 액세스 관리",
"text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure 이벤트 허브에 인증해야 합니다. 그렇지 않은 경우 Azure Key Vault 또는 이와 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)이 있는 것이 좋습니다.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "안전",
@ -53,7 +53,7 @@
"severity": "높다",
"subcategory": "ID 및 액세스 관리",
"text": "최소 권한 데이터부 RBAC 사용",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "안전",
@ -63,7 +63,7 @@
"severity": "보통",
"subcategory": "모니터링",
"text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 캡처된 메트릭 및 로그(예: 리소스 로그, 런타임 감사 로그 및 Kafka 로그)를 사용합니다.",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "안전",
@ -73,7 +73,7 @@
"severity": "보통",
"subcategory": "네트워킹",
"text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "안전",
@ -83,7 +83,7 @@
"severity": "보통",
"subcategory": "네트워킹",
"text": "특정 IP 주소 또는 범위에서 Azure 이벤트 허브 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다.",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

16
checklists/eh_security_checklist.pt.json
Просмотреть файл

@ -13,7 +13,7 @@
"severity": "Baixo",
"subcategory": "Proteção de Dados",
"text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "Segurança",
@ -23,7 +23,7 @@
"severity": "Média",
"subcategory": "Proteção de Dados",
"text": "Impor uma versão mínima necessária do Transport Layer Security (TLS) para solicitações ",
"training": "https://docs.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "Segurança",
@ -33,7 +33,7 @@
"severity": "Média",
"subcategory": "Gerenciamento de Identidade e Acesso",
"text": "Evite usar a conta root quando não for necessário",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/"
},
{
"category": "Segurança",
@ -43,7 +43,7 @@
"severity": "Média",
"subcategory": "Gerenciamento de Identidade e Acesso",
"text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre da Chave do Azure ou em um serviço equivalente",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Segurança",
@ -53,7 +53,7 @@
"severity": "Alto",
"subcategory": "Gerenciamento de Identidade e Acesso",
"text": "Usar RBAC do plano de dados de privilégios mínimos",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/"
},
{
"category": "Segurança",
@ -63,7 +63,7 @@
"severity": "Média",
"subcategory": "Monitorização",
"text": "Habilite o log para investigação de segurança. Usar o Azure Monitor para capturar métricas e logs, como logs de recursos, logs de auditoria de tempo de execução e logs do Kafka",
"training": "https://docs.microsoft.com/learn/paths/manage-identity-and-access/"
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/"
},
{
"category": "Segurança",
@ -73,7 +73,7 @@
"severity": "Média",
"subcategory": "Rede",
"text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública, quando aplicável.",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/"
},
{
"category": "Segurança",
@ -83,7 +83,7 @@
"severity": "Média",
"subcategory": "Rede",
"text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/"
}
],
"metadata": {

514
checklists/lz_checklist.en.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

514
checklists/lz_checklist.es.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

514
checklists/lz_checklist.ja.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

514
checklists/lz_checklist.ko.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

514
checklists/lz_checklist.pt.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

60
checklists/multitenancy_checklist.en.json
Просмотреть файл

@ -7,7 +7,7 @@
"text": "Understand what kind of solution you're creating, such as business-to-business (B2B), business-to-consumer (B2C), or your enterprise software, and how tenants are different from users.",
"guid": "41177955-fe8f-430b-ae72-20dc5b6880da",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview"
},
{
"category": "Business",
@ -15,7 +15,7 @@
"text": "Define your tenants. Understand how many tenants you will support initially, and your growth plans.",
"guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "Business",
@ -23,7 +23,7 @@
"text": "Define your pricing model and ensure it aligns with your tenants' consumption of Azure resources.",
"guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "Business",
@ -31,7 +31,7 @@
"text": "Understand whether you need to separate your tenants into different tiers. Tiers might have different pricing, features, performance promises, geographic locations, and so forth.",
"guid": "331e84a6-2d65-4359-92ff-a1870b062995",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "Business",
@ -39,7 +39,7 @@
"text": "Based on your customers' requirements, decide on the tenancy models that are appropriate for various parts of your solution.",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "Business",
@ -47,7 +47,7 @@
"text": "When you're ready, sell your B2B multitenant solution using the Microsoft Commercial Marketplace.",
"guid": "f5d76ae1-7048-4ff5-abba-f1ca799578b9",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/marketplace/plan-saas-offer"
"link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer"
},
{
"category": "Reliability",
@ -55,7 +55,7 @@
"text": "Review the Azure Well-Architected Reliability checklist, which is applicable to all workloads.",
"guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
},
{
"category": "Reliability",
@ -63,7 +63,7 @@
"text": "Understand the Noisy Neighbor antipattern. Prevent individual tenants from impacting the system's availability for other tenants.",
"guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "Reliability",
@ -71,7 +71,7 @@
"text": "Design your multitenant solution for the level of growth that you expect. But don't overengineer for unrealistic growth.",
"guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
},
{
"category": "Reliability",
@ -79,7 +79,7 @@
"text": "Define service-level objectives (SLOs) and optionally service-level agreements (SLAs) for your solution. SLAs and SLOs should be based on the requirements of your tenants, as well as the composite SLA of the Azure resources in your architecture.",
"guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
},
{
"category": "Reliability",
@ -87,7 +87,7 @@
"text": "Test the scale of your solution. Ensure that it performs well under all levels of load, and that it scales correctly as the number of tenants increases.",
"guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Reliability",
@ -95,7 +95,7 @@
"text": "Apply chaos engineering principles to test the reliability of your solution.",
"guid": "2ff55551-984b-4606-95eb-bfb9c8b36761",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Security",
@ -103,7 +103,7 @@
"text": "Apply the Zero Trust and least privilege principles in all layers of your solution.",
"guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c",
"severity": "High",
"link": "https://docs.microsoft.com/security/zero-trust"
"link": "https://learn.microsoft.com/security/zero-trust"
},
{
"category": "Security",
@ -111,7 +111,7 @@
"text": "Ensure that you can correctly map user requests to tenants. Consider including the tenant context as part of the identity system, or by using another means, like application-level tenant authorization.",
"guid": "92160e00-6894-4102-97e0-615d4ed93c01",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
},
{
"category": "Security",
@ -119,7 +119,7 @@
"text": "Perform ongoing penetration testing and security code reviews.",
"guid": "3c1538b4-5676-4b85-b451-432befb37b4f",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing"
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "Security",
@ -127,7 +127,7 @@
"text": "Understand your tenants' compliance requirements, including data residency and any compliance or regulatory standards that they require you to meet.",
"guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
},
{
"category": "Security",
@ -135,7 +135,7 @@
"text": "Correctly manage domain names and avoid vulnerabilities like dangling DNS and subdomain takeover attacks.",
"guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
},
{
"category": "Security",
@ -143,7 +143,7 @@
"text": "Follow service-specific guidance for multitenancy.",
"guid": "72ded36d-c633-4e0d-bd41-799a29da3481",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/service/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview"
},
{
"category": "Cost Optimization",
@ -151,7 +151,7 @@
"text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.",
"guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/framework/cost/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist"
},
{
"category": "Cost Optimization",
@ -159,7 +159,7 @@
"text": "Ensure you can adequately measure per-tenant consumption and correlate it with your infrastructure costs.",
"guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
},
{
"category": "Cost Optimization",
@ -167,7 +167,7 @@
"text": "Avoid antipatterns. Antipatterns include failing to track costs, tracking costs with unnecessary precision, real-time measurement, and using monitoring tools for billing.",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
},
{
"category": "Operational Excellence",
@ -175,7 +175,7 @@
"text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.",
"guid": "0d475a5a-2c0f-47ab-b1e1-701da68d3407",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/checklist/data-ops"
"link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops"
},
{
"category": "Operational Excellence",
@ -183,7 +183,7 @@
"text": "Use automation to manage the tenant lifecycle, such as onboarding, deployment, provisioning, and configuration.",
"guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
},
{
"category": "Operational Excellence",
@ -191,7 +191,7 @@
"text": "Find the right balance for deploying service updates. Consider both your tenants' requirements and your own operational requirements.",
"guid": "e0bfceed-4f4e-492d-b9f5-898815faa363",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
},
{
"category": "Operational Excellence",
@ -213,7 +213,7 @@
"text": "Organize your Azure resources for isolation and scale.",
"guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
},
{
"category": "Operational Excellence",
@ -221,7 +221,7 @@
"text": "Avoid deployment and configuration antipatterns. Antipatterns include running separate versions of the solution for each tenant, hardcoding tenant-specific configurations or logic, and manual deployments.",
"guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
},
{
"category": "Performance Efficiency",
@ -229,7 +229,7 @@
"text": "Review the Azure Well-Architected Performance Efficiency checklist, which is applicable to all workloads.",
"guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
"link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
},
{
"category": "Performance Efficiency",
@ -237,7 +237,7 @@
"text": "If you use shared infrastructure, plan for how you'll mitigate Noisy Neighbor concerns. Ensure that one tenant can't reduce the performance of the system for other tenants.",
"guid": "18911c4c-934c-49a8-839a-60c092afce30",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "Performance Efficiency",
@ -245,7 +245,7 @@
"text": "Determine how you'll scale your compute, storage, networking, and other Azure resources to match the demands of your tenants.",
"guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Performance Efficiency",
@ -253,7 +253,7 @@
"text": "Consider each Azure resource's scale limits. Organize your resources appropriately, in order to avoid resource organization antipatterns. For example, don't over-architect your solution to work within unrealistic scale requirements.",
"guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4",
"severity": "High",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
}
],
"categories": [

60
checklists/multitenancy_checklist.es.json
Просмотреть файл

@ -65,7 +65,7 @@
"text": "Comprenda qué tipo de solución está creando, como de empresa a empresa (B2B), de empresa a consumidor (B2C) o su software empresarial, y en qué se diferencian los inquilinos de los usuarios.",
"guid": "41177955-fe8f-430b-ae72-20dc5b6880da",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview"
},
{
"category": "Negocio",
@ -73,7 +73,7 @@
"text": "Defina sus inquilinos. Comprenda cuántos inquilinos apoyará inicialmente y sus planes de crecimiento.",
"guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "Negocio",
@ -81,7 +81,7 @@
"text": "Defina su modelo de precios y asegúrese de que se alinea con el consumo de recursos de Azure de sus inquilinos.",
"guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "Negocio",
@ -89,7 +89,7 @@
"text": "Comprenda si necesita separar a sus inquilinos en diferentes niveles. Los niveles pueden tener diferentes precios, características, promesas de rendimiento, ubicaciones geográficas, etc.",
"guid": "331e84a6-2d65-4359-92ff-a1870b062995",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "Negocio",
@ -97,7 +97,7 @@
"text": "En función de los requisitos de sus clientes, decida los modelos de arrendamiento que sean apropiados para varias partes de su solución.",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "Negocio",
@ -105,7 +105,7 @@
"text": "Cuando esté listo, venda su solución multiinquilino B2B con Microsoft Commercial Marketplace.",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/marketplace/plan-saas-offer"
"link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer"
},
{
"category": "Fiabilidad",
@ -113,7 +113,7 @@
"text": "Revise la lista de comprobación de confiabilidad bien diseñada de Azure, que se aplica a todas las cargas de trabajo.",
"guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
},
{
"category": "Fiabilidad",
@ -121,7 +121,7 @@
"text": "Comprenda el antipatrón Noisy Neighbor. Evite que los inquilinos individuales afecten la disponibilidad del sistema para otros inquilinos.",
"guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "Fiabilidad",
@ -129,7 +129,7 @@
"text": "Diseñe su solución multiinquilino para el nivel de crecimiento que espera. Pero no hagas un exceso de ingeniería para un crecimiento poco realista.",
"guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
},
{
"category": "Fiabilidad",
@ -137,7 +137,7 @@
"text": "Defina objetivos de nivel de servicio (SLO) y, opcionalmente, acuerdos de nivel de servicio (SLA) para su solución. Los SLA y los SLO deben basarse en los requisitos de los inquilinos, así como en el SLA compuesto de los recursos de Azure de la arquitectura.",
"guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
},
{
"category": "Fiabilidad",
@ -145,7 +145,7 @@
"text": "Pruebe la escala de la solución. Asegúrese de que funciona bien en todos los niveles de carga y que se escala correctamente a medida que aumenta el número de inquilinos.",
"guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Fiabilidad",
@ -153,7 +153,7 @@
"text": "Aplique los principios de ingeniería del caos para probar la fiabilidad de su solución.",
"guid": "2ff55551-984b-4606-95eb-bfb9c8b36761",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Seguridad",
@ -161,7 +161,7 @@
"text": "Aplique los principios de confianza cero y privilegios mínimos en todas las capas de su solución.",
"guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c",
"severity": "Alto",
"link": "https://docs.microsoft.com/security/zero-trust"
"link": "https://learn.microsoft.com/security/zero-trust"
},
{
"category": "Seguridad",
@ -169,7 +169,7 @@
"text": "Asegúrese de que puede asignar correctamente las solicitudes de los usuarios a los inquilinos. Considere la posibilidad de incluir el contexto del inquilino como parte del sistema de identidad o mediante otro medio, como la autorización del inquilino de nivel de aplicación.",
"guid": "92160e00-6894-4102-97e0-615d4ed93c01",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
},
{
"category": "Seguridad",
@ -177,7 +177,7 @@
"text": "Realice pruebas de penetración continuas y revisiones de código de seguridad.",
"guid": "3c1538b4-5676-4b85-b451-432befb37b4f",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing"
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "Seguridad",
@ -185,7 +185,7 @@
"text": "Comprenda los requisitos de cumplimiento de sus inquilinos, incluida la residencia de datos y cualquier estándar normativo o de cumplimiento que requieran que cumpla.",
"guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
},
{
"category": "Seguridad",
@ -193,7 +193,7 @@
"text": "Administre correctamente los nombres de dominio y evite vulnerabilidades como colgar DNS y ataques de adquisición de subdominios.",
"guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
},
{
"category": "Seguridad",
@ -201,7 +201,7 @@
"text": "Siga las instrucciones específicas del servicio para la multitenencia.",
"guid": "72ded36d-c633-4e0d-bd41-799a29da3481",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/service/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview"
},
{
"category": "Optimización de costos",
@ -209,7 +209,7 @@
"text": "Revise la lista de comprobación de Excelencia operativa bien diseñada de Azure, que se aplica a todas las cargas de trabajo.",
"guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/framework/cost/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist"
},
{
"category": "Optimización de costos",
@ -217,7 +217,7 @@
"text": "Asegúrese de que puede medir adecuadamente el consumo por inquilino y correlacionarlo con sus costos de infraestructura.",
"guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
},
{
"category": "Optimización de costos",
@ -225,7 +225,7 @@
"text": "Evite los antipatrones. Los antipatrones incluyen no realizar un seguimiento de los costos, rastrear los costos con precisión innecesaria, medición en tiempo real y usar herramientas de monitoreo para la facturación.",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
},
{
"category": "Excelencia Operacional",
@ -233,7 +233,7 @@
"text": "Revise la lista de comprobación de Excelencia operativa bien diseñada de Azure, que se aplica a todas las cargas de trabajo.",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/checklist/data-ops"
"link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops"
},
{
"category": "Excelencia Operacional",
@ -241,7 +241,7 @@
"text": "Use la automatización para administrar el ciclo de vida del inquilino, como la incorporación, la implementación, el aprovisionamiento y la configuración.",
"guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
},
{
"category": "Excelencia Operacional",
@ -249,7 +249,7 @@
"text": "Encuentre el equilibrio adecuado para implementar actualizaciones de servicio. Considere tanto los requisitos de sus inquilinos como sus propios requisitos operativos.",
"guid": "e0bfceed-4f4e-492d-b9f5-898815faa363",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
},
{
"category": "Excelencia Operacional",
@ -271,7 +271,7 @@
"text": "Organice los recursos de Azure para el aislamiento y la escala.",
"guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
},
{
"category": "Excelencia Operacional",
@ -279,7 +279,7 @@
"text": "Evite los antipatrones de implementación y configuración. Los antipatrones incluyen la ejecución de versiones independientes de la solución para cada inquilino, la codificación rígida de configuraciones o lógica específicas del inquilino y las implementaciones manuales.",
"guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
},
{
"category": "Eficiencia de rendimiento",
@ -287,7 +287,7 @@
"text": "Revise la lista de comprobación de eficiencia del rendimiento bien diseñado de Azure, que se aplica a todas las cargas de trabajo.",
"guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
"link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
},
{
"category": "Eficiencia de rendimiento",
@ -295,7 +295,7 @@
"text": "Si usa infraestructura compartida, planifique cómo mitigará las preocupaciones de los vecinos ruidosos. Asegúrese de que un inquilino no pueda reducir el rendimiento del sistema para otros inquilinos.",
"guid": "18911c4c-934c-49a8-839a-60c092afce30",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "Eficiencia de rendimiento",
@ -303,7 +303,7 @@
"text": "Determine cómo escalará el proceso, el almacenamiento, las redes y otros recursos de Azure para que coincidan con las demandas de los inquilinos.",
"guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Eficiencia de rendimiento",
@ -311,7 +311,7 @@
"text": "Considere los límites de escala de cada recurso de Azure. Organice sus recursos adecuadamente, con el fin de evitar antipatrones de organización de recursos. Por ejemplo, no sobre-diseñe su solución para trabajar dentro de requisitos de escala poco realistas.",
"guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
}
]
}

60
checklists/multitenancy_checklist.ja.json
Просмотреть файл

@ -65,7 +65,7 @@
"text": "企業間 (B2B)、企業間 (B2C)、エンタープライズ ソフトウェアなど、作成しているソリューションの種類と、テナントとユーザーの違いを理解します。",
"guid": "41177955-fe8f-430b-ae72-20dc5b6880da",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview"
},
{
"category": "事",
@ -73,7 +73,7 @@
"text": "テナントを定義します。最初にサポートするテナントの数と、成長計画を理解します。",
"guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "事",
@ -81,7 +81,7 @@
"text": "価格モデルを定義し、テナントの Azure リソースの消費に合わせて調整します。",
"guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "事",
@ -89,7 +89,7 @@
"text": "テナントを異なる層に分ける必要があるかどうかを理解します。階層には、価格、機能、パフォーマンスの約束、地理的な場所などが異なる場合があります。",
"guid": "331e84a6-2d65-4359-92ff-a1870b062995",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "事",
@ -97,7 +97,7 @@
"text": "顧客の要件に基づいて、ソリューションのさまざまな部分に適したテナント モデルを決定します。",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "事",
@ -105,7 +105,7 @@
"text": "準備ができたら、Microsoft Commercial Marketplace を使用して B2B マルチテナント ソリューションを販売します。",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/marketplace/plan-saas-offer"
"link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer"
},
{
"category": "確実",
@ -113,7 +113,7 @@
"text": "すべてのワークロードに適用できる Azure の適切に設計された信頼性チェックリストを確認します。",
"guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
},
{
"category": "確実",
@ -121,7 +121,7 @@
"text": "騒々しいネイバーのアンチパターンを理解する。個々のテナントが他のテナントのシステムの可用性に影響を与えないようにします。",
"guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "確実",
@ -129,7 +129,7 @@
"text": "マルチテナント ソリューションを、期待するレベルの成長に合わせて設計します。しかし、非現実的な成長のために過剰にエンジニアリングしないでください。",
"guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
},
{
"category": "確実",
@ -137,7 +137,7 @@
"text": "ソリューションのサービス レベル目標 (SLO) と、オプションでサービス レベル アグリーメント (SLA) を定義します。SLA と SLO は、テナントの要件と、アーキテクチャ内の Azure リソースの複合 SLA に基づいている必要があります。",
"guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
},
{
"category": "確実",
@ -145,7 +145,7 @@
"text": "ソリューションのスケールをテストします。すべてのレベルの負荷の下で適切に動作し、テナントの数が増えるにつれて正しくスケーリングされることを確認します。",
"guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "確実",
@ -153,7 +153,7 @@
"text": "カオスエンジニアリングの原則を適用して、ソリューションの信頼性をテストします。",
"guid": "2ff55551-984b-4606-95eb-bfb9c8b36761",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "安全",
@ -161,7 +161,7 @@
"text": "ゼロ トラストと最小特権の原則をソリューションのすべてのレイヤーに適用します。",
"guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c",
"severity": "高い",
"link": "https://docs.microsoft.com/security/zero-trust"
"link": "https://learn.microsoft.com/security/zero-trust"
},
{
"category": "安全",
@ -169,7 +169,7 @@
"text": "ユーザー要求をテナントに正しくマップできることを確認します。テナント コンテキストを ID システムの一部として、またはアプリケーション レベルのテナント承認などの別の方法を使用することを検討してください。",
"guid": "92160e00-6894-4102-97e0-615d4ed93c01",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
},
{
"category": "安全",
@ -177,7 +177,7 @@
"text": "継続的な侵入テストとセキュリティ コード レビューを実行します。",
"guid": "3c1538b4-5676-4b85-b451-432befb37b4f",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing"
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "安全",
@ -185,7 +185,7 @@
"text": "テナントのコンプライアンス要件 (データの常駐、テナントが満たす必要があるコンプライアンスまたは規制基準など) を理解します。",
"guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
},
{
"category": "安全",
@ -193,7 +193,7 @@
"text": "ドメイン名を正しく管理し、ぶら下がっているDNSやサブドメインの乗っ取り攻撃などの脆弱性を回避します。",
"guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
},
{
"category": "安全",
@ -201,7 +201,7 @@
"text": "マルチテナントに関するサービス固有のガイダンスに従います。",
"guid": "72ded36d-c633-4e0d-bd41-799a29da3481",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/service/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview"
},
{
"category": "コストの最適化",
@ -209,7 +209,7 @@
"text": "すべてのワークロードに適用できる Azure の適切に設計されたオペレーショナル エクセレンス チェックリストを確認します。",
"guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/framework/cost/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist"
},
{
"category": "コストの最適化",
@ -217,7 +217,7 @@
"text": "テナントごとの消費量を適切に測定し、インフラストラクチャ コストと関連付けることができることを確認します。",
"guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
},
{
"category": "コストの最適化",
@ -225,7 +225,7 @@
"text": "アンチパターンは避けてください。アンチパターンには、コストの追跡の失敗、不要な精度でのコストの追跡、リアルタイム測定、請求のための監視ツールの使用などがあります。",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
},
{
"category": "オペレーショナル・エクセレンス",
@ -233,7 +233,7 @@
"text": "すべてのワークロードに適用できる Azure の適切に設計されたオペレーショナル エクセレンス チェックリストを確認します。",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/checklist/data-ops"
"link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops"
},
{
"category": "オペレーショナル・エクセレンス",
@ -241,7 +241,7 @@
"text": "自動化を使用して、オンボーディング、展開、プロビジョニング、構成などのテナントのライフサイクルを管理します。",
"guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
},
{
"category": "オペレーショナル・エクセレンス",
@ -249,7 +249,7 @@
"text": "サービス更新プログラムを展開するための適切なバランスを見つけます。テナントの要件と独自の運用要件の両方を考慮します。",
"guid": "e0bfceed-4f4e-492d-b9f5-898815faa363",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
},
{
"category": "オペレーショナル・エクセレンス",
@ -271,7 +271,7 @@
"text": "分離とスケーリングのために Azure リソースを整理します。",
"guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
},
{
"category": "オペレーショナル・エクセレンス",
@ -279,7 +279,7 @@
"text": "展開と構成のアンチパターンは避けてください。アンチパターンには、テナントごとに個別のバージョンのソリューションを実行すること、テナント固有の構成またはロジックをハードコーディングすること、および手動展開が含まれます。",
"guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
},
{
"category": "パフォーマンス効率",
@ -287,7 +287,7 @@
"text": "すべてのワークロードに適用される Azure の適切に設計されたパフォーマンス効率チェックリストを確認します。",
"guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
"link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
},
{
"category": "パフォーマンス効率",
@ -295,7 +295,7 @@
"text": "共有インフラストラクチャを使用する場合は、イズの多い近隣住民の懸念を軽減する方法を計画します。1 つのテナントが他のテナントのシステムのパフォーマンスを低下させないようにします。",
"guid": "18911c4c-934c-49a8-839a-60c092afce30",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "パフォーマンス効率",
@ -303,7 +303,7 @@
"text": "テナントの要求に合わせてコンピューティング、ストレージ、ネットワーク、およびその他の Azure リソースをスケーリングする方法を決定します。",
"guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "パフォーマンス効率",
@ -311,7 +311,7 @@
"text": "各 Azure リソースのスケール制限を考慮してください。リソース編成のアンチパターンを避けるために、リソースを適切に編成します。たとえば、非現実的なスケール要件で動作するようにソリューションを過剰に設計しないでください。",
"guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
}
]
}

60
checklists/multitenancy_checklist.ko.json
Просмотреть файл

@ -65,7 +65,7 @@
"text": "B2B(기업 간), B2C(기업 대 소비자) 또는 엔터프라이즈 소프트웨어와 같이 어떤 종류의 솔루션을 만들고 있는지, 테넌트가 사용자와 어떻게 다른지 이해합니다.",
"guid": "41177955-fe8f-430b-ae72-20dc5b6880da",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview"
},
{
"category": "사업",
@ -73,7 +73,7 @@
"text": "테넌트를 정의합니다. 처음에 지원할 테넌트 수와 성장 계획을 이해합니다.",
"guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "사업",
@ -81,7 +81,7 @@
"text": "가격 책정 모델을 정의하고 테넌트의 Azure 리소스 사용량과 일치하는지 확인합니다.",
"guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "사업",
@ -89,7 +89,7 @@
"text": "테넌트를 다른 계층으로 분리해야 하는지 여부를 이해합니다. 계층에는 가격, 기능, 성능 약속, 지리적 위치 등이 다를 수 있습니다.",
"guid": "331e84a6-2d65-4359-92ff-a1870b062995",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "사업",
@ -97,7 +97,7 @@
"text": "고객의 요구 사항에 따라 솔루션의 다양한 부분에 적합한 테넌시 모델을 결정합니다.",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "사업",
@ -105,7 +105,7 @@
"text": "준비가 되면 Microsoft 상업용 마켓플레이스를 사용하여 B2B 다중 테넌트 솔루션을 판매합니다.",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/marketplace/plan-saas-offer"
"link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer"
},
{
"category": "신뢰도",
@ -113,7 +113,7 @@
"text": "모든 워크로드에 적용할 수 있는 Azure 잘 설계된 안정성 검사 목록을 검토합니다.",
"guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
},
{
"category": "신뢰도",
@ -121,7 +121,7 @@
"text": "시끄러운 이웃 안티 패턴을 이해하십시오. 개별 테넌트가 다른 테넌트에 대한 시스템의 가용성에 영향을 주지 않도록 합니다.",
"guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "신뢰도",
@ -129,7 +129,7 @@
"text": "예상하는 성장 수준에 맞게 다중 테넌트 솔루션을 설계합니다. 그러나 비현실적인 성장을 위해 지나치게 설계하지 마십시오.",
"guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
},
{
"category": "신뢰도",
@ -137,7 +137,7 @@
"text": "솔루션에 대한 SLO(서비스 수준 목표) 및 선택적으로 SLA(서비스 수준 계약)를 정의합니다. SLA 및 SLO는 테넌트의 요구 사항과 아키텍처의 Azure 리소스의 복합 SLA를 기반으로 해야 합니다.",
"guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
},
{
"category": "신뢰도",
@ -145,7 +145,7 @@
"text": "솔루션의 규모를 테스트합니다. 모든 수준의 부하에서 잘 수행되고 테넌트 수가 증가함에 따라 올바르게 확장되는지 확인하십시오.",
"guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "신뢰도",
@ -153,7 +153,7 @@
"text": "카오스 엔지니어링 원칙을 적용하여 솔루션의 신뢰성을 테스트합니다.",
"guid": "2ff55551-984b-4606-95eb-bfb9c8b36761",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "안전",
@ -161,7 +161,7 @@
"text": "제로 트러스트 및 최소 권한 원칙을 솔루션의 모든 계층에 적용하십시오.",
"guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c",
"severity": "높다",
"link": "https://docs.microsoft.com/security/zero-trust"
"link": "https://learn.microsoft.com/security/zero-trust"
},
{
"category": "안전",
@ -169,7 +169,7 @@
"text": "사용자 요청을 테넌트에 올바르게 매핑할 수 있는지 확인합니다. 테넌트 컨텍스트를 ID 시스템의 일부로 포함하거나 응용 프로그램 수준 테넌트 권한 부여와 같은 다른 방법을 사용하는 것이 좋습니다.",
"guid": "92160e00-6894-4102-97e0-615d4ed93c01",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
},
{
"category": "안전",
@ -177,7 +177,7 @@
"text": "지속적인 침투 테스트 및 보안 코드 검토를 수행합니다.",
"guid": "3c1538b4-5676-4b85-b451-432befb37b4f",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing"
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "안전",
@ -185,7 +185,7 @@
"text": "데이터 상주 및 충족해야 하는 규정 준수 또는 규제 표준을 포함하여 테넌트의 규정 준수 요구 사항을 이해합니다.",
"guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
},
{
"category": "안전",
@ -193,7 +193,7 @@
"text": "도메인 이름을 올바르게 관리하고 DNS 및 하위 도메인 인수 공격과 같은 취약점을 방지합니다.",
"guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
},
{
"category": "안전",
@ -201,7 +201,7 @@
"text": "다중 테넌시에 대한 서비스별 지침을 따르십시오.",
"guid": "72ded36d-c633-4e0d-bd41-799a29da3481",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/service/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview"
},
{
"category": "비용 최적화",
@ -209,7 +209,7 @@
"text": "모든 워크로드에 적용할 수 있는 Azure Well-Architected Operational Excellence 검사 목록을 검토합니다.",
"guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/framework/cost/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist"
},
{
"category": "비용 최적화",
@ -217,7 +217,7 @@
"text": "테넌트당 사용량을 적절하게 측정하고 인프라 비용과 상호 연관시킬 수 있는지 확인합니다.",
"guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
},
{
"category": "비용 최적화",
@ -225,7 +225,7 @@
"text": "안티 패턴을 피하십시오. 안티패턴에는 비용 추적 실패, 불필요한 정밀도로 비용 추적, 실시간 측정, 청구를 위한 모니터링 도구 사용 등이 포함됩니다.",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
},
{
"category": "운영 우수성",
@ -233,7 +233,7 @@
"text": "모든 워크로드에 적용할 수 있는 Azure Well-Architected Operational Excellence 검사 목록을 검토합니다.",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/checklist/data-ops"
"link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops"
},
{
"category": "운영 우수성",
@ -241,7 +241,7 @@
"text": "자동화를 사용하여 온보딩, 배포, 프로비저닝 및 구성과 같은 테넌트 수명 주기를 관리합니다.",
"guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
},
{
"category": "운영 우수성",
@ -249,7 +249,7 @@
"text": "서비스 업데이트를 배포하기 위한 적절한 균형을 찾습니다. 테넌트의 요구 사항과 자체 운영 요구 사항을 모두 고려하십시오.",
"guid": "e0bfceed-4f4e-492d-b9f5-898815faa363",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
},
{
"category": "운영 우수성",
@ -271,7 +271,7 @@
"text": "격리 및 크기 조정을 위해 Azure 리소스를 구성합니다.",
"guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
},
{
"category": "운영 우수성",
@ -279,7 +279,7 @@
"text": "배포 및 구성 안티패턴을 피하십시오. 안티패턴에는 각 테넌트에 대해 별도의 버전의 솔루션 실행, 테넌트별 구성 또는 논리를 하드 코딩, 수동 배포가 포함됩니다.",
"guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
},
{
"category": "성능 효율성",
@ -287,7 +287,7 @@
"text": "모든 워크로드에 적용할 수 있는 Azure 잘 설계된 성능 효율성 검사 목록을 검토합니다.",
"guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
"link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
},
{
"category": "성능 효율성",
@ -295,7 +295,7 @@
"text": "공유 인프라를 사용하는 경우 시끄러운 이웃 문제를 완화하는 방법을 계획하십시오. 한 테넌트가 다른 테넌트에 대한 시스템 성능을 저하시킬 수 없는지 확인합니다.",
"guid": "18911c4c-934c-49a8-839a-60c092afce30",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "성능 효율성",
@ -303,7 +303,7 @@
"text": "테넌트의 요구에 맞게 컴퓨팅, 저장소, 네트워킹 및 기타 Azure 리소스를 확장하는 방법을 결정합니다.",
"guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "성능 효율성",
@ -311,7 +311,7 @@
"text": "각 Azure 리소스의 크기 제한을 고려합니다. 자원 조직 안티 패턴을 피하기 위해 자원을 적절하게 구성하십시오. 예를 들어, 비현실적인 규모 요구 사항 내에서 작동하도록 솔루션을 과도하게 설계하지 마십시오.",
"guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
}
]
}

60
checklists/multitenancy_checklist.pt.json
Просмотреть файл

@ -65,7 +65,7 @@
"text": "Entenda que tipo de solução você está criando, como business-to-business (B2B), business-to-consumer (B2C), ou seu software corporativo, e como os inquilinos são diferentes dos usuários.",
"guid": "41177955-fe8f-430b-ae72-20dc5b6880da",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview"
},
{
"category": "Negócio",
@ -73,7 +73,7 @@
"text": "Defina seus inquilinos. Entenda quantos inquilinos você apoiará inicialmente e seus planos de crescimento.",
"guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "Negócio",
@ -81,7 +81,7 @@
"text": "Defina seu modelo de preços e certifique-se de que ele esteja alinhado com o consumo de recursos do Azure de seus inquilinos.",
"guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "Negócio",
@ -89,7 +89,7 @@
"text": "Entenda se você precisa separar seus inquilinos em diferentes níveis. Os níveis podem ter preços, recursos, promessas de desempenho, locais geográficos e assim por diante.",
"guid": "331e84a6-2d65-4359-92ff-a1870b062995",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models"
},
{
"category": "Negócio",
@ -97,7 +97,7 @@
"text": "Com base nas necessidades de seus clientes, decida sobre os modelos de locação apropriados para várias partes da sua solução.",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models"
},
{
"category": "Negócio",
@ -105,7 +105,7 @@
"text": "Quando estiver pronto, venda sua solução multitenante B2B usando o Microsoft Commercial Marketplace.",
"guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/marketplace/plan-saas-offer"
"link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer"
},
{
"category": "Fiabilidade",
@ -113,7 +113,7 @@
"text": "Revise a lista de verificação de confiabilidade bem arquitetada do Azure, que é aplicável a todas as cargas de trabalho.",
"guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist"
},
{
"category": "Fiabilidade",
@ -121,7 +121,7 @@
"text": "Entenda o antipattern do Vizinho Barulhento. Evite que inquilinos individuais impactem a disponibilidade do sistema para outros inquilinos.",
"guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "Fiabilidade",
@ -129,7 +129,7 @@
"text": "Projete sua solução multitenente para o nível de crescimento que você espera. Mas não seja muito engenheiro para um crescimento irreal.",
"guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview"
},
{
"category": "Fiabilidade",
@ -137,7 +137,7 @@
"text": "Defina os objetivos de nível de serviço (SLOs) e, opcionalmente, os SLAs (Service-Level Agreements, contratos de nível de serviço) para sua solução. SLAs e SLOs devem ser baseados nos requisitos de seus inquilinos, bem como no SLA composto dos recursos do Azure em sua arquitetura.",
"guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics"
},
{
"category": "Fiabilidade",
@ -145,7 +145,7 @@
"text": "Teste a escala da sua solução. Certifique-se de que ele tenha um bom desempenho sob todos os níveis de carga, e que ele dimensione corretamente à medida que o número de inquilinos aumenta.",
"guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Fiabilidade",
@ -153,7 +153,7 @@
"text": "Aplique princípios de engenharia do caos para testar a confiabilidade de sua solução.",
"guid": "2ff55551-984b-4606-95eb-bfb9c8b36761",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Segurança",
@ -161,7 +161,7 @@
"text": "Aplique o Zero Trust e os princípios de menor privilégio em todas as camadas da sua solução.",
"guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c",
"severity": "Alto",
"link": "https://docs.microsoft.com/security/zero-trust"
"link": "https://learn.microsoft.com/security/zero-trust"
},
{
"category": "Segurança",
@ -169,7 +169,7 @@
"text": "Certifique-se de que você pode mapear corretamente as solicitações do usuário para os inquilinos. Considere incluir o contexto do inquilino como parte do sistema de identidade, ou usando outros meios, como a autorização de inquilino de nível de aplicativo.",
"guid": "92160e00-6894-4102-97e0-615d4ed93c01",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests"
},
{
"category": "Segurança",
@ -177,7 +177,7 @@
"text": "Realize testes contínuos de penetração e revisões de código de segurança.",
"guid": "3c1538b4-5676-4b85-b451-432befb37b4f",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/security/fundamentals/pen-testing"
"link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing"
},
{
"category": "Segurança",
@ -185,7 +185,7 @@
"text": "Entenda os requisitos de conformidade de seus inquilinos, incluindo residência de dados e quaisquer padrões de conformidade ou regulamentação que eles exijam que você cumpra.",
"guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance"
},
{
"category": "Segurança",
@ -193,7 +193,7 @@
"text": "Gerencie corretamente nomes de domínio e evite vulnerabilidades como DNS pendentes e ataques de aquisição de subdomínios.",
"guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names"
},
{
"category": "Segurança",
@ -201,7 +201,7 @@
"text": "Siga as orientações específicas do serviço para a multitenência.",
"guid": "72ded36d-c633-4e0d-bd41-799a29da3481",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/service/overview"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview"
},
{
"category": "Otimização de custos",
@ -209,7 +209,7 @@
"text": "Revise a lista de verificação de Excelência Operacional Bem Arquitetada do Azure, que é aplicável a todas as cargas de trabalho.",
"guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/framework/cost/design-checklist"
"link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist"
},
{
"category": "Otimização de custos",
@ -217,7 +217,7 @@
"text": "Certifique-se de que você pode medir adequadamente o consumo por inquilino e correlacioná-lo com seus custos de infraestrutura.",
"guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption"
},
{
"category": "Otimização de custos",
@ -225,7 +225,7 @@
"text": "Evite anti-preços. Os antipatos incluem não rastrear custos, rastrear custos com precisão desnecessária, medição em tempo real e usar ferramentas de monitoramento para faturamento.",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation"
},
{
"category": "Excelência Operacional",
@ -233,7 +233,7 @@
"text": "Revise a lista de verificação de Excelência Operacional Bem Arquitetada do Azure, que é aplicável a todas as cargas de trabalho.",
"guid": "c851fd44-7cf1-459c-95a4-f6455d75a981",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/checklist/data-ops"
"link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops"
},
{
"category": "Excelência Operacional",
@ -241,7 +241,7 @@
"text": "Use a automação para gerenciar o ciclo de vida do inquilino, como onboarding, implantação, provisionamento e configuração.",
"guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle"
},
{
"category": "Excelência Operacional",
@ -249,7 +249,7 @@
"text": "Encontre o saldo certo para a implantação de atualizações de serviço. Considere os requisitos de seus inquilinos e seus próprios requisitos operacionais.",
"guid": "e0bfceed-4f4e-492d-b9f5-898815faa363",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates"
},
{
"category": "Excelência Operacional",
@ -271,7 +271,7 @@
"text": "Organize seus recursos do Azure para isolamento e escala.",
"guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
},
{
"category": "Excelência Operacional",
@ -279,7 +279,7 @@
"text": "Evite antipadrões de implantação e configuração. Os antipadrões incluem executar versões separadas da solução para cada inquilino, configurações ou lógica específicas do inquilino de codificação dura e implantações manuais.",
"guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration"
},
{
"category": "Eficiência de desempenho",
@ -287,7 +287,7 @@
"text": "Revise a lista de verificação de eficiência de desempenho bem arquitetada do Azure, que é aplicável a todas as cargas de trabalho.",
"guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
"link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency"
},
{
"category": "Eficiência de desempenho",
@ -295,7 +295,7 @@
"text": "Se você usar infraestrutura compartilhada, planeje como você mitigará as preocupações do Vizinho Barulhento. Certifique-se de que um inquilino não pode reduzir o desempenho do sistema para outros inquilinos.",
"guid": "18911c4c-934c-49a8-839a-60c092afce30",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor"
},
{
"category": "Eficiência de desempenho",
@ -303,7 +303,7 @@
"text": "Determine como você dimensionará seus recursos de computação, armazenamento, rede e outros recursos do Azure para corresponder às demandas de seus inquilinos.",
"guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute"
},
{
"category": "Eficiência de desempenho",
@ -311,7 +311,7 @@
"text": "Considere os limites de escala de cada recurso do Azure. Organize seus recursos adequadamente, a fim de evitar antipatos de organização de recursos. Por exemplo, não arquitete sua solução para trabalhar dentro de requisitos irrealistas de escala.",
"guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
"link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization"
}
]
}

198
checklists/sap_checklist.en.json
Просмотреть файл

@ -6,7 +6,7 @@
"text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
"guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
"severity": "High",
"training": "https://docs.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
},
{
"category": "Identity and Access",
@ -14,7 +14,7 @@
"text": "Enforce Principle propogation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
"guid": "45911475-e39e-4530-accc-d979366bcda2",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "Identity and Access",
@ -22,7 +22,7 @@
"text": "Implement Single Sign on (SSO) using Azure Active Directory or Active Directory Federation Services (AD FS) for end users to con nect to SAP applications where possible.",
"guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
"severity": "High",
"training": "https://docs.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "Identity and Access",
@ -30,8 +30,8 @@
"text": "If SuccessFactor is used as HCM application leverage the automated user provisioning feature to Azure AD.",
"guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
"training": "https://learn.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
},
{
"category": "Identity and Access",
@ -39,8 +39,8 @@
"text": "SSO to SAP Netweaver based web applications like Fiori, webgui etc. can be implemented using SAML",
"guid": "f7c95f06-e154-4e3a-a359-2829e6e20617",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
},
{
"category": "Identity and Access",
@ -48,8 +48,8 @@
"text": "SSO to SAP GUI can be implemented using either SAP SSO or a 3rd party solution",
"guid": "3686af46-791f-4893-9ada-43324e138115",
"severity": "High",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://docs.microsoft.com/azure/active-directory-b2c/user-overview"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://learn.microsoft.com/azure/active-directory-b2c/user-overview"
},
{
"category": "Identity and Access",
@ -57,8 +57,8 @@
"text": "SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, SAP Cloud Platform IAS and SAP C4C with Azure AD can be implemented using SAML",
"guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
"training": "https://learn.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
},
{
"category": "Identity and Access",
@ -66,8 +66,8 @@
"text": "&nbsp",
"guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
"training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
},
{
"category": "Identity and Access",
@ -75,7 +75,7 @@
"text": "&nbsp",
"guid": "16785d6f-a96c-496a-b885-18f482734c88",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/"
},
{
@ -84,8 +84,8 @@
"text": "enforce existing Management Group policies to SAP Subscriptions",
"guid": "6ba28021-4591-4147-9e39-e5309cccd979",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Management Group and Subscriptions",
@ -93,8 +93,8 @@
"text": "enfore closely closely coupled applications into the same SAP Subscription to avoid additional routing and management complexity",
"guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
},
{
"category": "Management Group and Subscriptions",
@ -102,8 +102,8 @@
"text": "Leverage Suscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ",
"guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Management Group and Subscriptions",
@ -111,8 +111,8 @@
"text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription).",
"guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Management Group and Subscriptions",
@ -120,8 +120,8 @@
"text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
"guid": "e6e20617-3686-4af4-9791-f8935ada4332",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Management Group and Subscriptions",
@ -129,7 +129,7 @@
"text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
"guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Management Group and Subscriptions",
@ -137,7 +137,7 @@
"text": "&nbsp",
"guid": "7d474317-6c8b-4cbf-95bb-e609d8a03e97",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Management Group and Subscriptions",
@ -145,7 +145,7 @@
"text": "&nbsp",
"guid": "778424d6-1678-45d6-ba96-c96ad88518f4",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Network Topology and Connectivity",
@ -153,8 +153,8 @@
"text": "Public I.P assignment to VM running SAP Workload is not recommended.",
"guid": "82734c88-6ba2-4802-8459-11475e39e530",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "Network Topology and Connectivity",
@ -162,8 +162,8 @@
"text": "Consider reserving I.P address on DR side when configuring ASR",
"guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "Network Topology and Connectivity",
@ -171,8 +171,8 @@
"text": "Avoid using overlapping IP address ranges for production and DR sites.",
"guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "Network Topology and Connectivity",
@ -180,8 +180,8 @@
"text": "Ensure Accelarated Networking is enable for all VM where it is applicable.",
"guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "Network Topology and Connectivity",
@ -189,8 +189,8 @@
"text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
"guid": "a3592829-e6e2-4061-9368-6af46791f893",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://docs.microsoft.com/azure/networking/"
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://learn.microsoft.com/azure/networking/"
},
{
"category": "Network Topology and Connectivity",
@ -198,8 +198,8 @@
"text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.",
"guid": "5ada4332-4e13-4811-9231-81aa41742694",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://docs.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
},
{
"category": "Network Topology and Connectivity",
@ -214,8 +214,8 @@
"text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
"guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
"severity": "Medium",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://docs.microsoft.com/azure/app-service/networking-features"
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/app-service/networking-features"
},
{
"category": "Network Topology and Connectivity",
@ -223,8 +223,8 @@
"text": "Use SAP Web dispatcher or third party service like NetScaler in conjuction with Application gateway if necessary to overcome reverse proxy limitation for SAP web Apps.",
"guid": "d88518f4-8273-44c8-a6ba-280214591147",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/firewall/"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/firewall/"
},
{
"category": "Network Topology and Connectivity",
@ -232,8 +232,8 @@
"text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
"guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "Network Topology and Connectivity",
@ -241,8 +241,8 @@
"text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.",
"guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "Network Topology and Connectivity",
@ -250,8 +250,8 @@
"text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
"guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "Network Topology and Connectivity",
@ -259,8 +259,8 @@
"text": "If Azure NetApp Files is used for SAP deployment , ensure that only one delegate subnet can exist in a Vnet for Azure NetAppFiles",
"guid": "6e154e3a-a359-4282-ae6e-206173686af4",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
},
{
"category": "Network Topology and Connectivity",
@ -268,8 +268,8 @@
"text": "Use NSGs and application security groups to micro-segment traffic within SAP application layer, like App subnet, DB subnet and Web subnet etc.",
"guid": "6791f893-5ada-4433-84e1-3811523181aa",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "Network Topology and Connectivity",
@ -277,8 +277,8 @@
"text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
"guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "Network Topology and Connectivity",
@ -307,8 +307,8 @@
"text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine to access VM monitoring and configuration data.",
"guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Management and Monitoring",
@ -316,8 +316,8 @@
"text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
"guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Management and Monitoring",
@ -325,8 +325,8 @@
"text": "Protect your HANA database with Azure Backup service. If you deploy Azure NetApp Files (ANF) for your HANA database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots",
"guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
},
{
"category": "Management and Monitoring",
@ -334,8 +334,8 @@
"text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
"guid": "73686af4-6791-4f89-95ad-a43324e13811",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://docs.microsoft.com/azure/automation/update-management/overview"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://learn.microsoft.com/azure/automation/update-management/overview"
},
{
"category": "Management and Monitoring",
@ -343,8 +343,8 @@
"text": "Use Network Watcher Connection Monitor to monitor SAP database and application server latency metrics, or collect and display network latency measurements with Azure Monitor.",
"guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
"training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
},
{
"category": "Management and Monitoring",
@ -352,8 +352,8 @@
"text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
"guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
"severity": "Medium",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
},
{
"category": "Management and Monitoring",
@ -361,7 +361,7 @@
"text": "For each Azure subscription, run an Azure Availability Zone latency test before zonal deployment to choose low-latency zones for SAP on Azure deployment.",
"guid": "616785d6-fa96-4c96-ad88-518f482734c8",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Management and Monitoring",
@ -369,7 +369,7 @@
"text": "Implement threat protection for SAP with Microsoft Sentinel.",
"guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/sentinel/quickstart-onboard"
"link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
},
{
"category": "Management and Monitoring",
@ -377,7 +377,7 @@
"text": "Enforcing configuration of update management through policy ensures all VMs are included in the patch management regimen, provides application teams with the ability to manage patch deployment for their VMs, and provides central IT with visibility and enforcement capabilities across all VMs",
"guid": "4d116785-d2fa-456c-96ad-48408fe72734",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Management and Monitoring",
@ -385,7 +385,7 @@
"text": "Enable VM Insights for VM's running SAP Workloads.",
"guid": "c486ba28-0dc0-4591-af65-de8e1309cccd",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
},
{
"category": "Management and Monitoring",
@ -393,7 +393,7 @@
"text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
"guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
},
{
"category": "Management and Monitoring",
@ -401,7 +401,7 @@
"text": "&nbsp",
"guid": "4919cb1b-3d13-425a-b124-ba34df685edd",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/backup/backup-center-overview"
"link": "https://learn.microsoft.com/azure/backup/backup-center-overview"
},
{
"category": "Security, Governance and Compliance",
@ -409,7 +409,7 @@
"text": "Use Azure Key Vault to store your secrets and credentials",
"guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
"severity": "High",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview"
},
{
"category": "Security, Governance and Compliance",
@ -417,7 +417,7 @@
"text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes",
"guid": "829e2edb-2173-4676-aff6-691b4935ada4",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview-throttling"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling"
},
{
"category": "Security, Governance and Compliance",
@ -425,7 +425,7 @@
"text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
"guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -433,7 +433,7 @@
"text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
"guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -441,7 +441,7 @@
"text": "When you enable Microsoft Defender for Cloud Standard for SAP, make sure to exclude the SAP database servers from any policy that installs endpoint protection.",
"guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -449,7 +449,7 @@
"text": "Delegate an SAP admin custom role with just-in-time access.",
"guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -457,7 +457,7 @@
"text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
"guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -465,7 +465,7 @@
"text": "Azure Active Directory (Azure AD) with SAML 2.0 can also provide SSO to a range of SAP applications and platforms like SAP NetWeaver, SAP HANA, and the SAP Cloud Platform",
"guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -473,7 +473,7 @@
"text": "Make sure you harden the operating system to eradicate vulnerabilities that could lead to attacks on the SAP database.",
"guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -481,7 +481,7 @@
"text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
"guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -489,7 +489,7 @@
"text": "Use an Azure Key Vault per application per environment per region.",
"guid": "4935ada4-2223-4ece-a1b1-23181a541741",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -497,7 +497,7 @@
"text": "&nbsp",
"guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Security, Governance and Compliance",
@ -505,7 +505,7 @@
"text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
"guid": "209d490d-a477-4784-84d1-16785d2fa56c",
"severity": "High",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Security, Governance and Compliance",
@ -513,7 +513,7 @@
"text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
"guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Security, Governance and Compliance",
@ -521,7 +521,7 @@
"text": "For SAP database server encryption, use the SAP HANA native encryption technology. If you're using Azure SQL Database, use Transparent Data Encryption (TDE) offered by the DBMS provider to secure your data and log files, and ensure the backups are also encrypted.",
"guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Security, Governance and Compliance",
@ -529,7 +529,7 @@
"text": "Azure Storage encryption is enabled by default",
"guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Security, Governance and Compliance",
@ -537,7 +537,7 @@
"text": "&nbsp",
"guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Security, Governance and Compliance",
@ -545,7 +545,7 @@
"text": "&nbsp",
"guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -553,7 +553,7 @@
"text": "Do not combine ASCS and Database cluster on to single/same VM",
"guid": "aff6691b-4935-4ada-9222-3ece81b12318",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -561,7 +561,7 @@
"text": "Make sure the Floating IP is enabled on the Load balancer",
"guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -569,7 +569,7 @@
"text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets",
"guid": "cbe05bbe-209d-4490-ba47-778424d11678",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -577,7 +577,7 @@
"text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions",
"guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -585,7 +585,7 @@
"text": "Azure doesn't currently support combining ASCS and db HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.",
"guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
"severity": "Medium",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -593,7 +593,7 @@
"text": "Use a Standard Load Balancer SKU in front of ASCS and DB clusters",
"guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
"severity": "Medium",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -609,7 +609,7 @@
"text": "Native database replication technology should be used to synchronize the database in a HA pair.",
"guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
"severity": "Medium",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Business Continuity and Disaster Recovery",
@ -617,7 +617,7 @@
"text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
"guid": "b2173676-aff6-4691-a493-5ada42223ece",
"severity": "Medium",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Business Continuity and Disaster Recovery",

198
checklists/sap_checklist.es.json
Просмотреть файл

@ -6,7 +6,7 @@
"text": "Aplicar un modelo RBAC para grupos de administración, suscripciones, grupos de recursos y recursos",
"guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
"severity": "Alto",
"training": "https://docs.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
},
{
"category": "Identidad y acceso",
@ -14,7 +14,7 @@
"text": "Aplicar la propogación del principio para reenviar la identidad de la aplicación en la nube de SAP a SAP local (incluida IaaS) a través del conector en la nube",
"guid": "45911475-e39e-4530-accc-d979366bcda2",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "Identidad y acceso",
@ -22,7 +22,7 @@
"text": "Implemente el inicio de sesión único (SSO) con Azure Active Directory o los Servicios de federación de Active Directory (AD FS) para que los usuarios finales puedan conectarse a las aplicaciones SAP siempre que sea posible.",
"guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
"severity": "Alto",
"training": "https://docs.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "Identidad y acceso",
@ -30,8 +30,8 @@
"text": "Si SuccessFactor se usa como aplicación HCM, aproveche la característica de aprovisionamiento automatizado de usuarios en Azure AD.",
"guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
"training": "https://learn.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
},
{
"category": "Identidad y acceso",
@ -39,8 +39,8 @@
"text": "Las aplicaciones web basadas en SSO a SAP Netweaver como Fiori, webgui, etc. se pueden implementar utilizando SAML",
"guid": "f7c95f06-e154-4e3a-a359-2829e6e20617",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
},
{
"category": "Identidad y acceso",
@ -48,8 +48,8 @@
"text": "SSO a SAP GUI se puede implementar utilizando SAP SSO o una solución de 3ª parte",
"guid": "3686af46-791f-4893-9ada-43324e138115",
"severity": "Alto",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://docs.microsoft.com/azure/active-directory-b2c/user-overview"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://learn.microsoft.com/azure/active-directory-b2c/user-overview"
},
{
"category": "Identidad y acceso",
@ -57,8 +57,8 @@
"text": "Las aplicaciones de SSO a SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, SAP Cloud Platform IAS y SAP C4C con Azure AD se pueden implementar mediante SAML",
"guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
"training": "https://learn.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
},
{
"category": "Identidad y acceso",
@ -66,8 +66,8 @@
"text": "&nbsp",
"guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
"training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
},
{
"category": "Identidad y acceso",
@ -75,7 +75,7 @@
"text": "&nbsp",
"guid": "16785d6f-a96c-496a-b885-18f482734c88",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/"
},
{
@ -84,8 +84,8 @@
"text": "aplicar las directivas existentes del grupo de administración a las suscripciones de SAP",
"guid": "6ba28021-4591-4147-9e39-e5309cccd979",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de administración y suscripciones",
@ -93,8 +93,8 @@
"text": "acople las aplicaciones estrechamente acopladas en la misma suscripción de SAP para evitar una complejidad adicional de enrutamiento y administración",
"guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
},
{
"category": "Grupo de administración y suscripciones",
@ -102,8 +102,8 @@
"text": "Aproveche la suscripción como unidad de escala y amplíe nuestros recursos, considere implementar la suscripción por entorno, por ejemplo. Sandbox, non-prod, prod ",
"guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de administración y suscripciones",
@ -111,8 +111,8 @@
"text": "Asegúrese de aumentar la cuota como parte del aprovisionamiento de suscripciones (por ejemplo, el total de núcleos de vm disponibles dentro de una suscripción).",
"guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de administración y suscripciones",
@ -120,8 +120,8 @@
"text": "Asegúrese de que los servicios y características requeridos estén disponibles dentro de las regiones de implementación elegidas, por ejemplo. ANF, Zona, etc.",
"guid": "e6e20617-3686-4af4-9791-f8935ada4332",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de administración y suscripciones",
@ -129,7 +129,7 @@
"text": "Aproveche la etiqueta de recursos de Azure para la categorización de costos y la agrupación de recursos (: BillTo, Departamento (o unidad de negocio), Entorno (Producción, Etapa, Desarrollo), Nivel (nivel web, Nivel de aplicación), Propietario de la aplicación, ProjectName)",
"guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de administración y suscripciones",
@ -137,7 +137,7 @@
"text": "&nbsp",
"guid": "7d474317-6c8b-4cbf-95bb-e609d8a03e97",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de administración y suscripciones",
@ -145,7 +145,7 @@
"text": "&nbsp",
"guid": "778424d6-1678-45d6-ba96-c96ad88518f4",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Topología y conectividad de red",
@ -153,8 +153,8 @@
"text": "No se recomienda la asignación de I.P pública a máquinas virtuales que ejecuten SAP Workload.",
"guid": "82734c88-6ba2-4802-8459-11475e39e530",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "Topología y conectividad de red",
@ -162,8 +162,8 @@
"text": "Considere reservar la dirección IP en el lado DR al configurar ASR",
"guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "Topología y conectividad de red",
@ -171,8 +171,8 @@
"text": "Evite el uso de rangos de direcciones IP superpuestos para sitios de producción y recuperación ante desastres.",
"guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "Topología y conectividad de red",
@ -180,8 +180,8 @@
"text": "Asegúrese de que Accelarated Networking esté habilitado para todas las máquinas virtuales donde sea aplicable.",
"guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "Topología y conectividad de red",
@ -189,8 +189,8 @@
"text": "El emparejamiento de redes virtuales locales y globales proporciona conectividad y son los enfoques preferidos para garantizar la conectividad entre zonas de aterrizaje para implementaciones de SAP en varias regiones de Azure",
"guid": "a3592829-e6e2-4061-9368-6af46791f893",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://docs.microsoft.com/azure/networking/"
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://learn.microsoft.com/azure/networking/"
},
{
"category": "Topología y conectividad de red",
@ -198,8 +198,8 @@
"text": "Use un firewall de aplicaciones web para escanear su tráfico cuando esté expuesto a Internet. Otra opción es usarlo con su equilibrador de carga o con recursos que tengan capacidades de firewall integradas como Application Gateway o soluciones de terceros.",
"guid": "5ada4332-4e13-4811-9231-81aa41742694",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://docs.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
},
{
"category": "Topología y conectividad de red",
@ -214,8 +214,8 @@
"text": "Usar Azure Firewall para controlar el tráfico saliente de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado de tráfico Este/Oeste (si la organización lo requiere)",
"guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
"severity": "Medio",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://docs.microsoft.com/azure/app-service/networking-features"
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/app-service/networking-features"
},
{
"category": "Topología y conectividad de red",
@ -223,8 +223,8 @@
"text": "Utilice SAP Web Dispatcher o un servicio de terceros como NetScaler en conjunción con Application Gateway si es necesario para superar la limitación de proxy inverso para SAP web Apps.",
"guid": "d88518f4-8273-44c8-a6ba-280214591147",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/firewall/"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/firewall/"
},
{
"category": "Topología y conectividad de red",
@ -232,8 +232,8 @@
"text": "Use las directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.",
"guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "Topología y conectividad de red",
@ -241,8 +241,8 @@
"text": "Cuando use Azure Front Door y Azure Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas WAF en Azure Front Door. Bloquee Azure Application Gateway para recibir tráfico solo de Azure Front Door.",
"guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "Topología y conectividad de red",
@ -250,8 +250,8 @@
"text": "Para una entrega segura de aplicaciones HTTP/S, use Application Gateway v2 y asegúrese de que la protección y las directivas de WAF estén habilitadas.",
"guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "Topología y conectividad de red",
@ -259,8 +259,8 @@
"text": "Si Azure NetApp Files se usa para la implementación de SAP, asegúrese de que solo pueda existir una subred delegada en una red virtual para Azure NetAppFiles",
"guid": "6e154e3a-a359-4282-ae6e-206173686af4",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
},
{
"category": "Topología y conectividad de red",
@ -268,8 +268,8 @@
"text": "Utilice NSG y grupos de seguridad de aplicaciones para microsegmentar el tráfico dentro de la capa de aplicación de SAP, como la subred de aplicaciones, la subred de base de datos y la subred web, etc.",
"guid": "6791f893-5ada-4433-84e1-3811523181aa",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "Topología y conectividad de red",
@ -277,8 +277,8 @@
"text": "No se admite la implementación de ningún NVA entre la aplicación SAP y el servidor de base de datos SAP",
"guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "Topología y conectividad de red",
@ -305,8 +305,8 @@
"text": "Ejecute una extensión de máquina virtual para la comprobación de SAP. VM Extension for SAP utiliza la identidad administrada asignada de una máquina virtual para acceder a los datos de supervisión y configuración de VM.",
"guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Gestión y Seguimiento",
@ -314,8 +314,8 @@
"text": "Use Azure Policy para el control de acceso y los informes de cumplimiento. Azure Policy proporciona la capacidad de aplicar la configuración de toda la organización para garantizar el cumplimiento coherente de las directivas y la detección rápida de infracciones. ",
"guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Gestión y Seguimiento",
@ -323,8 +323,8 @@
"text": "Proteja su base de datos de HANA con el servicio Copia de seguridad de Azure. Si implementa Azure NetApp Files (ANF) para la base de datos hana, use la herramienta Azure Application Consistent Snapshot (AzAcSnap) para tomar instantáneas coherentes con la aplicación",
"guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
},
{
"category": "Gestión y Seguimiento",
@ -332,8 +332,8 @@
"text": "Realice una comprobación de calidad de SAP HANA en la infraestructura de Azure aprovisionada para comprobar que las máquinas virtuales aprovisionadas cumplen con los procedimientos recomendados de SAP HANA en Azure.",
"guid": "73686af4-6791-4f89-95ad-a43324e13811",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://docs.microsoft.com/azure/automation/update-management/overview"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://learn.microsoft.com/azure/automation/update-management/overview"
},
{
"category": "Gestión y Seguimiento",
@ -341,8 +341,8 @@
"text": "Use network Watcher Connection Monitor para supervisar las métricas de latencia de la base de datos SAP y del servidor de aplicaciones, o recopile y muestre mediciones de latencia de red con Azure Monitor.",
"guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
"training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
},
{
"category": "Gestión y Seguimiento",
@ -350,8 +350,8 @@
"text": "Optimice y gestione las operaciones de SAP Basis mediante SAP Landscape Management (LaMa). Use el conector de SAP LaMa para Azure para reubicar, copiar, clonar y actualizar sistemas SAP.",
"guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
"severity": "Medio",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
},
{
"category": "Gestión y Seguimiento",
@ -359,7 +359,7 @@
"text": "Para cada suscripción de Azure, ejecute una prueba de latencia de la zona de disponibilidad de Azure antes de la implementación zonal para elegir zonas de baja latencia para SAP en la implementación de Azure.",
"guid": "616785d6-fa96-4c96-ad88-518f482734c8",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Gestión y Seguimiento",
@ -367,7 +367,7 @@
"text": "Implemente la protección contra amenazas para SAP con Microsoft Sentinel.",
"guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/sentinel/quickstart-onboard"
"link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
},
{
"category": "Gestión y Seguimiento",
@ -375,7 +375,7 @@
"text": "La aplicación de la configuración de la administración de actualizaciones a través de directivas garantiza que todas las máquinas virtuales se incluyan en el régimen de administración de revisiones, proporciona a los equipos de aplicaciones la capacidad de administrar la implementación de revisiones para sus máquinas virtuales y proporciona a la TI central capacidades de visibilidad y aplicación en todas las máquinas virtuales.",
"guid": "4d116785-d2fa-456c-96ad-48408fe72734",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Gestión y Seguimiento",
@ -383,7 +383,7 @@
"text": "Habilite VM Insights para máquinas virtuales que ejecutan cargas de trabajo de SAP.",
"guid": "c486ba28-0dc0-4591-af65-de8e1309cccd",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
},
{
"category": "Gestión y Seguimiento",
@ -391,7 +391,7 @@
"text": "El etiquetado de Azure se puede aprovechar para agrupar y realizar un seguimiento lógico de los recursos, automatizar sus implementaciones y, lo que es más importante, proporcionar visibilidad sobre los costos incurridos.",
"guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
},
{
"category": "Gestión y Seguimiento",
@ -399,7 +399,7 @@
"text": "&nbsp",
"guid": "4919cb1b-3d13-425a-b124-ba34df685edd",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/backup/backup-center-overview"
"link": "https://learn.microsoft.com/azure/backup/backup-center-overview"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -407,7 +407,7 @@
"text": "Uso del Almacén de claves de Azure para almacenar sus secretos y credenciales",
"guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -415,7 +415,7 @@
"text": "Se recomienda BLOQUEAR los recursos de Azure después de la implementación correcta para protegerse contra cambios no autorizados",
"guid": "829e2edb-2173-4676-aff6-691b4935ada4",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview-throttling"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -423,7 +423,7 @@
"text": "Aprovisione Azure Key Vault con las directivas de eliminación y purga por software habilitadas para permitir la protección de retención de objetos eliminados.",
"guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -431,7 +431,7 @@
"text": "En función de los requisitos existentes, los controles normativos y de cumplimiento (internos/externos): determine qué directivas de Azure y el rol RBAC de Azure son necesarios",
"guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -439,7 +439,7 @@
"text": "Cuando habilite Microsoft Defender for Cloud Standard para SAP, asegúrese de excluir los servidores de bases de datos SAP de cualquier directiva que instale endpoint protection.",
"guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -447,7 +447,7 @@
"text": "Delegue un rol personalizado de administrador de SAP con acceso justo a tiempo.",
"guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -455,7 +455,7 @@
"text": "cifrar datos en tránsito integrando el producto de seguridad de terceros con comunicaciones de red seguras (SNC) para DIAG (SAP GUI), RFC y SPNEGO para HTTPS",
"guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -463,7 +463,7 @@
"text": "Azure Active Directory (Azure AD) con SAML 2.0 también puede proporcionar SSO a una amplia gama de aplicaciones y plataformas de SAP como SAP NetWeaver, SAP HANA y SAP Cloud Platform",
"guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -471,7 +471,7 @@
"text": "Asegúrese de reforzar el sistema operativo para erradicar las vulnerabilidades que podrían provocar ataques a la base de datos SAP.",
"guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -479,7 +479,7 @@
"text": "De forma predeterminada, las claves administradas por Microsoft para la funcionalidad de cifrado principal y usar claves administradas por el cliente cuando sea necesario.",
"guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -487,7 +487,7 @@
"text": "Use un Almacén de claves de Azure por aplicación, por entorno y por región.",
"guid": "4935ada4-2223-4ece-a1b1-23181a541741",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -495,7 +495,7 @@
"text": "&nbsp",
"guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -503,7 +503,7 @@
"text": "Personalice los roles de control de acceso basado en roles (RBAC) para sap en suscripciones radiales de Azure para evitar cambios accidentales relacionados con la red",
"guid": "209d490d-a477-4784-84d1-16785d2fa56c",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -511,7 +511,7 @@
"text": "Aísle las DMZ y las NVA del resto del patrimonio de SAP, configure Azure Private Link y administre y controle de forma segura los recursos de SAP en Azure",
"guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -519,7 +519,7 @@
"text": "Para el cifrado del servidor de base de datos SAP, utilice la tecnología de cifrado nativa SAP HANA. Si usa Base de datos SQL de Azure, use cifrado de datos transparente (TDE) ofrecido por el proveedor de DBMS para proteger los datos y los archivos de registro, y asegúrese de que las copias de seguridad también estén cifradas.",
"guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -527,7 +527,7 @@
"text": "El cifrado de Almacenamiento de Azure está habilitado de forma predeterminada",
"guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -535,7 +535,7 @@
"text": "&nbsp",
"guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Seguridad, gobernanza y cumplimiento",
@ -543,7 +543,7 @@
"text": "&nbsp",
"guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -551,7 +551,7 @@
"text": "No combine ASCS y clúster de base de datos en una sola o misma máquina virtual",
"guid": "aff6691b-4935-4ada-9222-3ece81b12318",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -559,7 +559,7 @@
"text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga",
"guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -567,7 +567,7 @@
"text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de bases de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad",
"guid": "cbe05bbe-209d-4490-ba47-778424d11678",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -575,7 +575,7 @@
"text": "Utilice un grupo de colocación de proximidad por SID de SAP. Los grupos no abarcan zonas de disponibilidad ni regiones de Azure",
"guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -583,7 +583,7 @@
"text": "Azure no admite actualmente la combinación de ASCS y db HA en el mismo clúster de Linux Pacemaker; separarlos en grupos individuales. Sin embargo, puede combinar hasta cinco clústeres de servicios centrales en un par de máquinas virtuales.",
"guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
"severity": "Medio",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -591,7 +591,7 @@
"text": "Usar una SKU de equilibrador de carga estándar delante de clústeres ASCS y DB",
"guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
"severity": "Medio",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -607,7 +607,7 @@
"text": "Se debe utilizar la tecnología de replicación de bases de datos nativas para sincronizar la base de datos en un par de alta disponibilidad.",
"guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
"severity": "Medio",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",
@ -615,7 +615,7 @@
"text": "Realice una recuperación puntual para sus bases de datos de producción en cualquier momento y en un marco de tiempo que cumpla con su RTO; La recuperación puntual generalmente incluye errores del operador que eliminan datos en la capa DBMS o a través de SAP, incidentalmente",
"guid": "b2173676-aff6-4691-a493-5ada42223ece",
"severity": "Medio",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Continuidad del negocio y recuperación ante desastres",

198
checklists/sap_checklist.ja.json
Просмотреть файл

@ -6,7 +6,7 @@
"text": "管理グループ、サブスクリプション、リソース グループ、およびリソースに対する RBAC モデルの適用",
"guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
"severity": "高い",
"training": "https://docs.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
},
{
"category": "アイデンティティとアクセス",
@ -14,7 +14,7 @@
"text": "クラウド コネクタを介して SAP クラウド アプリケーションからオンプレミス (IaaS を含む) に ID を転送するための原則の伝播を強制する",
"guid": "45911475-e39e-4530-accc-d979366bcda2",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "アイデンティティとアクセス",
@ -22,7 +22,7 @@
"text": "Azure Active Directory または Active Directory フェデレーション サービス (AD FS) を使用してシングル サインオン (SSO) を実装し、エンド ユーザーが可能な限り SAP アプリケーションに接続できるようにします。",
"guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
"severity": "高い",
"training": "https://docs.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "アイデンティティとアクセス",
@ -30,8 +30,8 @@
"text": "SuccessFactor を HCM アプリケーションとして使用する場合は、Azure AD への自動ユーザー プロビジョニング機能を活用します。",
"guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
"training": "https://learn.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
},
{
"category": "アイデンティティとアクセス",
@ -39,8 +39,8 @@
"text": "SSO から SAP Netweaver への Fiori、webgui などの Web アプリケーションは、SAML を使用して実装できます。",
"guid": "f7c95f06-e154-4e3a-a359-2829e6e20617",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
},
{
"category": "アイデンティティとアクセス",
@ -48,8 +48,8 @@
"text": "SSO から SAP GUI への変換は、SAP SSO またはサードパーティ製ソリューションのいずれかを使用して実装できます。",
"guid": "3686af46-791f-4893-9ada-43324e138115",
"severity": "高い",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://docs.microsoft.com/azure/active-directory-b2c/user-overview"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://learn.microsoft.com/azure/active-directory-b2c/user-overview"
},
{
"category": "アイデンティティとアクセス",
@ -57,8 +57,8 @@
"text": "SAP Analytics Cloud、SAP Cloud Platform、SAP Cloud Platform IAS、SAP C4C with Azure ADなどのSSOからSAP SaaSへのアプリケーションは、SAMLを使用して実装できます。",
"guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
"training": "https://learn.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
},
{
"category": "アイデンティティとアクセス",
@ -66,8 +66,8 @@
"text": "&nbsp",
"guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
"training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
},
{
"category": "アイデンティティとアクセス",
@ -75,7 +75,7 @@
"text": "&nbsp",
"guid": "16785d6f-a96c-496a-b885-18f482734c88",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/"
},
{
@ -84,8 +84,8 @@
"text": "既存の管理グループポリシーをSAPサブスクリプションに適用する",
"guid": "6ba28021-4591-4147-9e39-e5309cccd979",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "管理グループとサブスクリプション",
@ -93,8 +93,8 @@
"text": "緊密に結合されたアプリケーションを同じSAPサブスクリプションに組み込み、ルーティングと管理の複雑さを増すのを回避",
"guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
},
{
"category": "管理グループとサブスクリプション",
@ -102,8 +102,8 @@
"text": "Suscriptionをスケールユニットとして活用し、リソースをスケーリングするには、環境ごとにサブスクリプションを展開することを検討してください。サンドボックス、非製品、製品",
"guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "管理グループとサブスクリプション",
@ -111,8 +111,8 @@
"text": "サブスクリプション プロビジョニングの一環としてクォータの増加を確認します (サブスクリプション内で使用可能な VM コアの合計など)。",
"guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "管理グループとサブスクリプション",
@ -120,8 +120,8 @@
"text": "必要なサービスと機能が、選択した展開地域内で利用可能であることを確認します。ANF、ゾーンなど",
"guid": "e6e20617-3686-4af4-9791-f8935ada4332",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "管理グループとサブスクリプション",
@ -129,7 +129,7 @@
"text": "Azure リソース タグを活用して、コストの分類とリソースのグループ化 (: BillTo、部門 (または部署)、環境 (運用、ステージ、開発)、層 (Web 層、アプリケーション層)、アプリケーション所有者、プロジェクト名)",
"guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "管理グループとサブスクリプション",
@ -137,7 +137,7 @@
"text": "&nbsp",
"guid": "7d474317-6c8b-4cbf-95bb-e609d8a03e97",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "管理グループとサブスクリプション",
@ -145,7 +145,7 @@
"text": "&nbsp",
"guid": "778424d6-1678-45d6-ba96-c96ad88518f4",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "ネットワーク トポロジと接続性",
@ -153,8 +153,8 @@
"text": "SAP ワークロードを実行している VM へのパブリック I.P 割り当ては推奨されません。",
"guid": "82734c88-6ba2-4802-8459-11475e39e530",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "ネットワーク トポロジと接続性",
@ -162,8 +162,8 @@
"text": "ASR を設定するとき DR 側で I.P アドレスを予約することを検討して下さい",
"guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "ネットワーク トポロジと接続性",
@ -171,8 +171,8 @@
"text": "運用サイトと DR サイトに重複する IP アドレス範囲を使用しないでください。",
"guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "ネットワーク トポロジと接続性",
@ -180,8 +180,8 @@
"text": "[昇格ネットワーク] が該当するすべての VM で有効になっていることを確認します。",
"guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "ネットワーク トポロジと接続性",
@ -189,8 +189,8 @@
"text": "ローカルおよびグローバル VNet ピアリングは接続性を提供し、複数の Azure リージョンにまたがる SAP デプロイのランディング ゾーン間の接続性を確保するために推奨されるアプローチです。",
"guid": "a3592829-e6e2-4061-9368-6af46791f893",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://docs.microsoft.com/azure/networking/"
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://learn.microsoft.com/azure/networking/"
},
{
"category": "ネットワーク トポロジと接続性",
@ -198,8 +198,8 @@
"text": "Web アプリケーションファイアウォールを使用して、インターネットに公開されているトラフィックをスキャンします。もう1つのオプションは、ロードバランサー、またはアプリケーションゲートウェイやサードパーティのソリューションなどのファイアウォール機能が組み込まれているリソースで使用することです。",
"guid": "5ada4332-4e13-4811-9231-81aa41742694",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://docs.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
},
{
"category": "ネットワーク トポロジと接続性",
@ -214,8 +214,8 @@
"text": "Azure ファイアウォールを使用して、インターネットへの Azure アウトバウンド トラフィック、非 HTTP/S インバウンド接続、および東/西トラフィック フィルタリング (組織で必要な場合) を管理します。",
"guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
"severity": "中程度",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://docs.microsoft.com/azure/app-service/networking-features"
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/app-service/networking-features"
},
{
"category": "ネットワーク トポロジと接続性",
@ -223,8 +223,8 @@
"text": "SAP WebディスパッチャまたはNetScalerなどのサードパーティサービスをアプリケーションゲートウェイと組み合わせて使用し、SAP Webアプリケーションのリバースプロキシ制限を克服します。",
"guid": "d88518f4-8273-44c8-a6ba-280214591147",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/firewall/"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/firewall/"
},
{
"category": "ネットワーク トポロジと接続性",
@ -232,8 +232,8 @@
"text": "Azure Front Door ポリシーと WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続を Azure リージョン全体でグローバルに保護します。",
"guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "ネットワーク トポロジと接続性",
@ -241,8 +241,8 @@
"text": "Azure Front Door と Azure Application Gateway を使用して HTTP/S アプリを保護する場合は、Azure Front Door で WAF ポリシーを使用します。Azure Front Door からのみトラフィックを受信するように Azure Application Gateway をロックダウンします。",
"guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "ネットワーク トポロジと接続性",
@ -250,8 +250,8 @@
"text": "HTTP/S アプリを安全に配信するには、アプリケーション ゲートウェイ v2 を使用し、WAF 保護とポリシーが有効になっていることを確認します。",
"guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "ネットワーク トポロジと接続性",
@ -259,8 +259,8 @@
"text": "Azure NetApp Files が SAP デプロイに使用される場合、Azure NetAppFiles の Vnet に存在できるデリゲート サブネットが 1 つだけであることを確認します。",
"guid": "6e154e3a-a359-4282-ae6e-206173686af4",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
},
{
"category": "ネットワーク トポロジと接続性",
@ -268,8 +268,8 @@
"text": "NSGとアプリケーションセキュリティグループを使用して、アプリケーションサブネット、DBサブネット、WebサブネットなどのSAPアプリケーション層内のトラフィックをマイクロセグメント化します。",
"guid": "6791f893-5ada-4433-84e1-3811523181aa",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "ネットワーク トポロジと接続性",
@ -277,8 +277,8 @@
"text": "SAP アプリケーションと SAP データベースサーバー間での NVA のデプロイはサポートされていません。",
"guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "ネットワーク トポロジと接続性",
@ -305,8 +305,8 @@
"text": "SAP チェック用の VM 拡張機能を実行します。SAP 用 VM 拡張機能は、仮想マシンの割り当てられた管理対象 ID を使用して、VM の監視および構成データにアクセスします。",
"guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "管理と監視",
@ -314,8 +314,8 @@
"text": "アクセス制御とコンプライアンス レポートには Azure Policy を使用します。Azure Policy では、組織全体の設定を適用して、一貫したポリシーの遵守と迅速な違反検出を確保できます。",
"guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "管理と監視",
@ -323,8 +323,8 @@
"text": "Azure Backup サービスで HANA データベースを保護します。HANA データベースに Azure NetApp Files (ANF) をデプロイする場合は、Azure Application Consistent Snapshot ツール (AzAcSnap) を使用して、アプリケーション整合性スナップショットを作成します。",
"guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
},
{
"category": "管理と監視",
@ -332,8 +332,8 @@
"text": "プロビジョニングされた Azure インフラストラクチャで SAP HANA の品質チェックを実行して、プロビジョニングされた VM が SAP HANA on Azure のベスト プラクティスに準拠していることを確認します。",
"guid": "73686af4-6791-4f89-95ad-a43324e13811",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://docs.microsoft.com/azure/automation/update-management/overview"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://learn.microsoft.com/azure/automation/update-management/overview"
},
{
"category": "管理と監視",
@ -341,8 +341,8 @@
"text": "ネットワーク監視接続モニターを使用して、SAP データベースとアプリケーション サーバーの待機時間のメトリックを監視したり、Azure Monitor でネットワーク待機時間の測定値を収集して表示したりします。",
"guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
"training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
},
{
"category": "管理と監視",
@ -350,8 +350,8 @@
"text": "SAP ランドスケープ管理 (LaMa) を使用して、SAP ベーシスオペレーションを最適化および管理します。Azure 用 SAP LaMa コネクタを使用して、SAP システムの再配置、コピー、複製、および更新を行います。",
"guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
"severity": "中程度",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
},
{
"category": "管理と監視",
@ -359,7 +359,7 @@
"text": "Azure サブスクリプションごとに、ゾーン展開の前に Azure アベイラビリティーゾーンの待機時間テストを実行して、Azure デプロイ上の SAP の低待機時間ゾーンを選択します。",
"guid": "616785d6-fa96-4c96-ad88-518f482734c8",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "管理と監視",
@ -367,7 +367,7 @@
"text": "Microsoft Sentinel を使用して SAP の脅威保護を実装します。",
"guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/sentinel/quickstart-onboard"
"link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
},
{
"category": "管理と監視",
@ -375,7 +375,7 @@
"text": "ポリシーを使用してパッチ管理の構成を適用すると、すべての VM がパッチ管理レジメンに含まれ、アプリケーション チームが VM のパッチ展開を管理できるようになり、すべての VM にわたる可視性と適用機能が中央 IT に提供されます。",
"guid": "4d116785-d2fa-456c-96ad-48408fe72734",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "管理と監視",
@ -383,7 +383,7 @@
"text": "VM で実行中の SAP ワークロードの VM インサイトを有効にします。",
"guid": "c486ba28-0dc0-4591-af65-de8e1309cccd",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
},
{
"category": "管理と監視",
@ -391,7 +391,7 @@
"text": "Azure のタグ付けを活用して、リソースを論理的にグループ化して追跡し、デプロイを自動化し、最も重要なのは、発生したコストを可視化することです。",
"guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
},
{
"category": "管理と監視",
@ -399,7 +399,7 @@
"text": "&nbsp",
"guid": "4919cb1b-3d13-425a-b124-ba34df685edd",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/backup/backup-center-overview"
"link": "https://learn.microsoft.com/azure/backup/backup-center-overview"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -407,7 +407,7 @@
"text": "Azure Key Vault を使用してシークレットと資格情報を保存する",
"guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -415,7 +415,7 @@
"text": "デプロイが成功したら Azure リソースをロックして、承認されていない変更から保護することをお勧めします。",
"guid": "829e2edb-2173-4676-aff6-691b4935ada4",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview-throttling"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -423,7 +423,7 @@
"text": "論理的な削除ポリシーと削除ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。",
"guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -431,7 +431,7 @@
"text": "既存の要件、規制およびコンプライアンスの制御 (内部/外部) に基づいて、必要な Azure ポリシーと Azure RBAC ロールを決定します。",
"guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -439,7 +439,7 @@
"text": "Microsoft Defender for Cloud Standard for SAP を有効にする場合は、エンドポイント保護をインストールするポリシーから SAP データベース サーバーを除外してください。",
"guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -447,7 +447,7 @@
"text": "ジャストインタイムアクセスでSAP管理者カスタムロールを委任します。",
"guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -455,7 +455,7 @@
"text": "サードパーティのセキュリティ製品を DIAG (SAP GUI)、RFC、および SPNEGO for HTTPS 用のセキュア ネットワーク通信 (SNC) と統合することにより、転送中のデータを暗号化します。",
"guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -463,7 +463,7 @@
"text": "Azure Active Directory (Azure AD) with SAML 2.0 では、SAP NetWeaver、SAP HANA、SAP Cloud Platform などのさまざまな SAP アプリケーションおよびプラットフォームに SSO を提供することもできます。",
"guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -471,7 +471,7 @@
"text": "SAP データベースへの攻撃につながる可能性のある脆弱性を根絶するために、オペレーティングシステムを強化してください。",
"guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -479,7 +479,7 @@
"text": "プリンシパル暗号化機能については、既定で Microsoft が管理するキーを使用し、必要に応じて顧客管理キーを使用します。",
"guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -487,7 +487,7 @@
"text": "Azure Key Vault は、アプリケーションごとに、リージョンごとの環境ごとに使用します。",
"guid": "4935ada4-2223-4ece-a1b1-23181a541741",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -495,7 +495,7 @@
"text": "&nbsp",
"guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -503,7 +503,7 @@
"text": "SAP on Azure スポーク サブスクリプションのロールベースのアクセス制御 (RBAC) ロールをカスタマイズして、偶発的なネットワーク関連の変更を回避します。",
"guid": "209d490d-a477-4784-84d1-16785d2fa56c",
"severity": "高い",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -511,7 +511,7 @@
"text": "DMZ と NVA を SAP 資産の残りの部分から分離し、Azure プライベート リンクを構成し、Azure リソース上の SAP を安全に管理および制御します。",
"guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -519,7 +519,7 @@
"text": "SAP データベースサーバーの暗号化には、SAP HANA ネイティブ暗号化テクロジを使用します。Azure SQL Database を使用している場合は、DBMS プロバイダーが提供する透過的なデータ暗号化 (TDE) を使用して、データとログ ファイルをセキュリティで保護し、バックアップも暗号化されていることを確認します。",
"guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -527,7 +527,7 @@
"text": "Azure Storage の暗号化は既定で有効になっています。",
"guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -535,7 +535,7 @@
"text": "&nbsp",
"guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "セキュリティ、ガバナンス、コンプライアンス",
@ -543,7 +543,7 @@
"text": "&nbsp",
"guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "ビジネス継続性と災害復旧",
@ -551,7 +551,7 @@
"text": "ASCS とデータベース クラスタを単一/同一の VM に結合しない",
"guid": "aff6691b-4935-4ada-9222-3ece81b12318",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
},
{
"category": "ビジネス継続性と災害復旧",
@ -559,7 +559,7 @@
"text": "フローティングIPがロードバランサーで有効になっていることを確認します",
"guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
},
{
"category": "ビジネス継続性と災害復旧",
@ -567,7 +567,7 @@
"text": "同じ可用性セット内で異なる役割のサーバーを混在させないでください。中央サービス VM、データベース VM、アプリケーション VM を独自の可用性セットに保持する",
"guid": "cbe05bbe-209d-4490-ba47-778424d11678",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "ビジネス継続性と災害復旧",
@ -575,7 +575,7 @@
"text": "SAP SID ごとに 1 つの近接通信配置グループを使用します。グループがアベイラビリティーゾーンまたは Azure リージョンにまたがっていない",
"guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "ビジネス継続性と災害復旧",
@ -583,7 +583,7 @@
"text": "Azure では現在、同じ Linux ペースメーカー クラスター内での ASCS と db HA の組み合わせはサポートされていません。それらを個々のクラスターに分離します。ただし、最大 5 つの複数の中央サービス クラスターを 1 組の VM に結合できます。",
"guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
"severity": "中程度",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "ビジネス継続性と災害復旧",
@ -591,7 +591,7 @@
"text": "ASCS および DB クラスタの前で標準ロード バランサー SKU を使用する",
"guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
"severity": "中程度",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "ビジネス継続性と災害復旧",
@ -607,7 +607,7 @@
"text": "ネイティブ・データベース・レプリケーション・テクロジーを使用して、HA ペアのデータベースを同期する必要があります。",
"guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
"severity": "中程度",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "ビジネス継続性と災害復旧",
@ -615,7 +615,7 @@
"text": "運用データベースのポイント イン タイム リカバリを、RTO を満たす任意の時点および時間枠で実行します。ポイント・イン・タイム・リカバリには、通常、DBMSレイヤー上またはSAP経由でデータを削除するオペレータ・エラーが含まれます。",
"guid": "b2173676-aff6-4691-a493-5ada42223ece",
"severity": "中程度",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "ビジネス継続性と災害復旧",

198
checklists/sap_checklist.ko.json
Просмотреть файл

@ -6,7 +6,7 @@
"text": "관리 그룹, 구독, 리소스 그룹 및 리소스에 대한 RBAC 모델 적용",
"guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
"severity": "높다",
"training": "https://docs.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
},
{
"category": "ID 및 액세스",
@ -14,7 +14,7 @@
"text": "클라우드 커넥터를 통해 SAP 클라우드 애플리케이션에서 SAP 온프레미스(IaaS 포함)로 ID를 전달하기 위한 원칙 전파 적용",
"guid": "45911475-e39e-4530-accc-d979366bcda2",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "ID 및 액세스",
@ -22,7 +22,7 @@
"text": "Azure Active Directory 또는 AD FS(Active Directory Federation Services)를 사용하여 SSO(Single Signon)를 구현하여 최종 사용자가 가능한 경우 SAP 응용 프로그램에 연결할 수 있도록 합니다.",
"guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
"severity": "높다",
"training": "https://docs.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "ID 및 액세스",
@ -30,8 +30,8 @@
"text": "SuccessFactor가 HCM 응용 프로그램으로 사용되는 경우 자동화된 사용자 프로비저닝 기능을 Azure AD에 활용합니다.",
"guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
"training": "https://learn.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
},
{
"category": "ID 및 액세스",
@ -39,8 +39,8 @@
"text": "SSO는 피오리, 웹GUI 등과 같은 SAP Netweaver 기반 웹 응용 프로그램을 SAML을 사용하여 구현할 수 있습니다.",
"guid": "f7c95f06-e154-4e3a-a359-2829e6e20617",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
},
{
"category": "ID 및 액세스",
@ -48,8 +48,8 @@
"text": "SAP GUI에 대한 SSO는 SAP SSO 또는 제 3 자 솔루션을 사용하여 구현할 수 있습니다.",
"guid": "3686af46-791f-4893-9ada-43324e138115",
"severity": "높다",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://docs.microsoft.com/azure/active-directory-b2c/user-overview"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://learn.microsoft.com/azure/active-directory-b2c/user-overview"
},
{
"category": "ID 및 액세스",
@ -57,8 +57,8 @@
"text": "SAP Analytics Cloud, SAP Cloud Platform, SAP Cloud Platform IAS 및 SAP C4C와 Azure AD와 같은 SAP SaaS 애플리케이션에 대한 SSO는 SAML을 사용하여 구현할 수 있습니다.",
"guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
"training": "https://learn.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
},
{
"category": "ID 및 액세스",
@ -66,8 +66,8 @@
"text": "&nbsp",
"guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
"training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
},
{
"category": "ID 및 액세스",
@ -75,7 +75,7 @@
"text": "&nbsp",
"guid": "16785d6f-a96c-496a-b885-18f482734c88",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/"
},
{
@ -84,8 +84,8 @@
"text": "SAP 구독에 기존 관리 그룹 정책 적용",
"guid": "6ba28021-4591-4147-9e39-e5309cccd979",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "관리 그룹 및 구독",
@ -93,8 +93,8 @@
"text": "추가 라우팅 및 관리 복잡성을 피하기 위해 동일한 SAP 구독에 밀접하게 결합 된 응용 프로그램을 미리 준비하십시오.",
"guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
},
{
"category": "관리 그룹 및 구독",
@ -102,8 +102,8 @@
"text": "Suscription을 확장 단위로 활용하고 리소스를 확장하면 환경별로 구독을 배포하는 것이 좋습니다. 샌드 박스, 비 prod, prod ",
"guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "관리 그룹 및 구독",
@ -111,8 +111,8 @@
"text": "구독 프로비저닝의 일부로 할당량이 증가하는지 확인합니다(예: 구독 내에서 사용 가능한 총 VM 코어).",
"guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "관리 그룹 및 구독",
@ -120,8 +120,8 @@
"text": "필요한 서비스 및 기능을 선택한 배포 지역 내에서 사용할 수 있는지 확인합니다(예: ANF, 구역 등",
"guid": "e6e20617-3686-4af4-9791-f8935ada4332",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "관리 그룹 및 구독",
@ -129,7 +129,7 @@
"text": "비용 분류 및 리소스 그룹화에 Azure 리소스 태그 활용(: BillTo, 부서(또는 비즈니스 단위), 환경(프로덕션, 단계, 개발), 계층(웹 계층, 응용 프로그램 계층), 응용 프로그램 소유자, 프로젝트 이름)",
"guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "관리 그룹 및 구독",
@ -137,7 +137,7 @@
"text": "&nbsp",
"guid": "7d474317-6c8b-4cbf-95bb-e609d8a03e97",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "관리 그룹 및 구독",
@ -145,7 +145,7 @@
"text": "&nbsp",
"guid": "778424d6-1678-45d6-ba96-c96ad88518f4",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -153,8 +153,8 @@
"text": "SAP 워크로드를 실행하는 VM에 대한 공용 I.P 할당은 권장되지 않습니다.",
"guid": "82734c88-6ba2-4802-8459-11475e39e530",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -162,8 +162,8 @@
"text": "ASR을 구성할 때 DR 측에서 I.P 주소를 예약하는 것이 좋습니다.",
"guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -171,8 +171,8 @@
"text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.",
"guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -180,8 +180,8 @@
"text": "적용 가능한 모든 VM에 대해 가속 네트워킹이 사용하도록 설정되어 있는지 확인합니다.",
"guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -189,8 +189,8 @@
"text": "로컬 및 글로벌 VNet 피어링은 연결을 제공하며 여러 Azure 지역에 걸쳐 SAP 배포를 위한 방문 영역 간의 연결을 보장하기 위해 선호되는 접근 방식입니다.",
"guid": "a3592829-e6e2-4061-9368-6af46791f893",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://docs.microsoft.com/azure/networking/"
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://learn.microsoft.com/azure/networking/"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -198,8 +198,8 @@
"text": "웹 응용 프로그램 방화벽을 사용하여 트래픽이 인터넷에 노출되었을 때 트래픽을 검사합니다. 또 다른 옵션은 부하 분산 장치 또는 응용 프로그램 게이트웨이 또는 타사 솔루션과 같은 기본 제공 방화벽 기능이 있는 리소스와 함께 사용하는 것입니다.",
"guid": "5ada4332-4e13-4811-9231-81aa41742694",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://docs.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -214,8 +214,8 @@
"text": "Azure 방화벽을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, HTTP/S 인바운드 연결이 아닌 연결 및 동부/서부 트래픽 필터링(조직에서 요구하는 경우)을 제어합니다.",
"guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
"severity": "보통",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://docs.microsoft.com/azure/app-service/networking-features"
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/app-service/networking-features"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -223,8 +223,8 @@
"text": "SAP 웹 디스패처 또는 NetScaler와 같은 타사 서비스를 필요한 경우 응용 프로그램 게이트웨이와 연결하여 SAP 웹 앱에 대한 역방향 프록시 제한을 극복하십시오.",
"guid": "d88518f4-8273-44c8-a6ba-280214591147",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/firewall/"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/firewall/"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -232,8 +232,8 @@
"text": "Azure Front Door 및 WAF 정책을 사용하여 방문 영역에 대한 인바운드 HTTP/S 연결에 대해 Azure 지역 전체에서 전역 보호를 제공합니다.",
"guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -241,8 +241,8 @@
"text": "Azure Front Door 및 Azure Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Azure Front Door에서 WAF 정책을 사용합니다. Azure 응용 프로그램 게이트웨이를 잠궈 Azure 프런트 도어에서만 트래픽을 받습니다.",
"guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -250,8 +250,8 @@
"text": "HTTP/S 앱을 안전하게 전달하려면 애플리케이션 게이트웨이 v2를 사용하고 WAF 보호 및 정책이 사용하도록 설정되어 있는지 확인합니다.",
"guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -259,8 +259,8 @@
"text": "SAP 배포에 Azure NetApp 파일을 사용하는 경우 Azure NetAppFiles용 Vnet에 하나의 대리자 서브넷만 존재할 수 있는지 확인합니다.",
"guid": "6e154e3a-a359-4282-ae6e-206173686af4",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -268,8 +268,8 @@
"text": "NSG 및 애플리케이션 보안 그룹을 사용하여 앱 서브넷, DB 서브넷 및 웹 서브넷 등과 같은 SAP 애플리케이션 계층 내의 트래픽을 마이크로 세그먼트화합니다.",
"guid": "6791f893-5ada-4433-84e1-3811523181aa",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -277,8 +277,8 @@
"text": "SAP 응용 프로그램과 SAP 데이터베이스 서버 간에 NVA를 배포하는 것은 지원되지 않습니다.",
"guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "네트워크 토폴로지 및 연결",
@ -305,8 +305,8 @@
"text": "SAP 검사를 위해 VM 확장을 실행합니다. SAP용 VM 확장은 가상 머신의 할당된 관리 ID를 사용하여 VM 모니터링 및 구성 데이터에 액세스합니다.",
"guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "관리 및 모니터링",
@ -314,8 +314,8 @@
"text": "액세스 제어 및 규정 준수 보고에 Azure 정책을 사용합니다. Azure Policy는 일관된 정책 준수와 빠른 위반 감지를 보장하기 위해 조직 전체 설정을 적용하는 기능을 제공합니다. ",
"guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "관리 및 모니터링",
@ -323,8 +323,8 @@
"text": "Azure 백업 서비스를 사용하여 HANA 데이터베이스를 보호합니다. HANA 데이터베이스에 대해 Azure ANF(NetApp 파일)를 배포하는 경우 Azure 응용 프로그램 일관된 스냅숏 도구(AzAcSnap)를 사용하여 응용 프로그램 일관된 스냅숏을 만듭니다.",
"guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
},
{
"category": "관리 및 모니터링",
@ -332,8 +332,8 @@
"text": "프로비전된 Azure 인프라에서 SAP HANA에 대한 품질 검사를 수행하여 프로비전된 VM이 Azure 모범 사례에서 SAP HANA를 준수하는지 확인합니다.",
"guid": "73686af4-6791-4f89-95ad-a43324e13811",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://docs.microsoft.com/azure/automation/update-management/overview"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://learn.microsoft.com/azure/automation/update-management/overview"
},
{
"category": "관리 및 모니터링",
@ -341,8 +341,8 @@
"text": "네트워크 감시자 연결 모니터를 사용하여 SAP 데이터베이스 및 응용 프로그램 서버 대기 시간 메트릭을 모니터링하거나 Azure Monitor를 사용하여 네트워크 대기 시간 측정값을 수집 및 표시합니다.",
"guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
"training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
},
{
"category": "관리 및 모니터링",
@ -350,8 +350,8 @@
"text": "SAP Landscape Management (LaMa)를 사용하여 SAP Basis 운영을 최적화하고 관리합니다. Azure용 SAP LaMa 커넥터를 사용하여 SAP 시스템을 재배치, 복사, 복제 및 새로 고칩니다.",
"guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
"severity": "보통",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
},
{
"category": "관리 및 모니터링",
@ -359,7 +359,7 @@
"text": "각 Azure 구독에 대해 영역 배포 전에 Azure 가용성 영역 대기 시간 테스트를 실행하여 Azure 배포에서 SAP에 대해 대기 시간이 짧은 영역을 선택합니다.",
"guid": "616785d6-fa96-4c96-ad88-518f482734c8",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "관리 및 모니터링",
@ -367,7 +367,7 @@
"text": "Microsoft Sentinel을 사용하여 SAP에 대한 위협 보호를 구현합니다.",
"guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/sentinel/quickstart-onboard"
"link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
},
{
"category": "관리 및 모니터링",
@ -375,7 +375,7 @@
"text": "정책을 통해 업데이트 관리의 구성을 적용하면 모든 VM이 패치 관리 요법에 포함되고, 애플리케이션 팀이 VM에 대한 패치 배포를 관리할 수 있는 기능을 제공하고, 중앙 IT에 모든 VM에 대한 가시성 및 적용 기능을 제공합니다.",
"guid": "4d116785-d2fa-456c-96ad-48408fe72734",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "관리 및 모니터링",
@ -383,7 +383,7 @@
"text": "VM의 실행 중인 SAP 워크로드에 대해 VM 인사이트를 사용하도록 설정합니다.",
"guid": "c486ba28-0dc0-4591-af65-de8e1309cccd",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
},
{
"category": "관리 및 모니터링",
@ -391,7 +391,7 @@
"text": "Azure 태그 지정을 활용하여 리소스를 논리적으로 그룹화 및 추적하고, 배포를 자동화하고, 가장 중요한 것은 발생한 비용에 대한 가시성을 제공하는 것입니다.",
"guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
},
{
"category": "관리 및 모니터링",
@ -399,7 +399,7 @@
"text": "&nbsp",
"guid": "4919cb1b-3d13-425a-b124-ba34df685edd",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/backup/backup-center-overview"
"link": "https://learn.microsoft.com/azure/backup/backup-center-overview"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -407,7 +407,7 @@
"text": "Azure 키 자격 증명 모음을 사용하여 비밀 및 자격 증명 저장",
"guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -415,7 +415,7 @@
"text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다.",
"guid": "829e2edb-2173-4676-aff6-691b4935ada4",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview-throttling"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -423,7 +423,7 @@
"text": "삭제된 개체에 대한 보존 보호를 허용하도록 설정된 소프트 삭제 및 제거 정책을 사용하여 Azure Key Vault를 프로비전합니다.",
"guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -431,7 +431,7 @@
"text": "기존 요구 사항, 규정 및 규정 준수 제어(내부/외부) 기반 - 필요한 Azure 정책 및 Azure RBAC 역할 결정",
"guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -439,7 +439,7 @@
"text": "SAP용 클라우드 표준용 Microsoft Defender를 사용하도록 설정하는 경우 끝점 보호를 설치하는 정책에서 SAP 데이터베이스 서버를 제외해야 합니다.",
"guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -447,7 +447,7 @@
"text": "적시 액세스를 사용하여 SAP 관리자 사용자 지정 역할을 위임합니다.",
"guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -455,7 +455,7 @@
"text": "타사 보안 제품을 DIAG(SAP GUI), RFC 및 HTTPS용 SPNEGO용 보안 네트워크 통신(SNC)과 통합하여 전송 중인 데이터를 암호화합니다.",
"guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -463,7 +463,7 @@
"text": "SAML 2.0이 포함된 Azure Active Directory(Azure AD)는 SAP NetWeaver, SAP HANA 및 SAP 클라우드 플랫폼과 같은 다양한 SAP 응용 프로그램 및 플랫폼에 SSO를 제공할 수도 있습니다.",
"guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -471,7 +471,7 @@
"text": "SAP 데이터베이스에 대한 공격으로 이어질 수 있는 취약성을 근절하기 위해 운영 체제를 강화해야 합니다.",
"guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -479,7 +479,7 @@
"text": "주체 암호화 기능을 위해 Microsoft에서 관리하는 키로 기본 설정되며 필요한 경우 고객 관리 키를 사용합니다.",
"guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -487,7 +487,7 @@
"text": "지역별 환경당 응용 프로그램당 Azure Key Vault를 사용합니다.",
"guid": "4935ada4-2223-4ece-a1b1-23181a541741",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -495,7 +495,7 @@
"text": "&nbsp",
"guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -503,7 +503,7 @@
"text": "실수로 네트워크 관련 변경을 방지하기 위해 Azure 스포크 구독의 SAP에 대한 RBAC(역할 기반 액세스 제어) 역할 사용자 지정",
"guid": "209d490d-a477-4784-84d1-16785d2fa56c",
"severity": "높다",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -511,7 +511,7 @@
"text": "DMZ 및 NVA를 나머지 SAP 자산과 격리하고, Azure 개인 링크를 구성하고, Azure 리소스에서 SAP를 안전하게 관리 및 제어합니다.",
"guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -519,7 +519,7 @@
"text": "SAP 데이터베이스 서버 암호화의 경우 SAP HANA 네이티브 암호화 기술을 사용합니다. Azure SQL 데이터베이스를 사용하는 경우 DBMS 공급자가 제공하는 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.",
"guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -527,7 +527,7 @@
"text": "Azure 저장소 암호화는 기본적으로 사용하도록 설정되어 있습니다.",
"guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -535,7 +535,7 @@
"text": "&nbsp",
"guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "보안, 거버넌스 및 규정 준수",
@ -543,7 +543,7 @@
"text": "&nbsp",
"guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -551,7 +551,7 @@
"text": "ASCS와 데이터베이스 클러스터를 단일/동일한 VM에 결합하지 마십시오.",
"guid": "aff6691b-4935-4ada-9222-3ece81b12318",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -559,7 +559,7 @@
"text": "부하 분산 장치에서 플로팅 IP가 활성화되어 있는지 확인합니다.",
"guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -567,7 +567,7 @@
"text": "동일한 가용성 집합에서 서로 다른 역할의 서버를 혼합하지 마십시오. 중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합에 유지",
"guid": "cbe05bbe-209d-4490-ba47-778424d11678",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -575,7 +575,7 @@
"text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 그룹이 가용 영역 또는 Azure 지역에 걸쳐 있지 않습니다.",
"guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -583,7 +583,7 @@
"text": "Azure는 현재 동일한 Linux 페이스메이커 클러스터에서 ASCS와 db HA의 결합을 지원하지 않습니다. 개별 클러스터로 분리하십시오. 그러나 최대 다섯 개의 여러 중앙 서비스 클러스터를 한 쌍의 VM으로 결합할 수 있습니다.",
"guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
"severity": "보통",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -591,7 +591,7 @@
"text": "ASCS 및 DB 클러스터 앞에서 표준 부하 분산 장치 SKU 사용",
"guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
"severity": "보통",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -607,7 +607,7 @@
"text": "네이티브 데이터베이스 복제 기술을 사용하여 HA 쌍에서 데이터베이스를 동기화해야 합니다.",
"guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
"severity": "보통",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "비즈니스 연속성 및 재해 복구",
@ -615,7 +615,7 @@
"text": "RTO를 충족하는 시간 프레임에서 프로덕션 데이터베이스에 대한 특정 시점 복구를 수행합니다. 특정 시점 복구에는 일반적으로 DBMS 계층 또는 SAP를 통해 데이터를 삭제하는 운영자 오류가 포함됩니다.",
"guid": "b2173676-aff6-4691-a493-5ada42223ece",
"severity": "보통",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "비즈니스 연속성 및 재해 복구",

198
checklists/sap_checklist.pt.json
Просмотреть файл

@ -6,7 +6,7 @@
"text": "Imponha um modelo RBAC para grupos de gerenciamento, assinaturas, grupos de recursos e recursos",
"guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
"severity": "Alto",
"training": "https://docs.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
"training": "https://learn.microsoft.com/en-gb/learn/paths/implement-resource-mgmt-security/"
},
{
"category": "Identidade e Acesso",
@ -14,7 +14,7 @@
"text": "Imponha propogação de princípio para o encaminhamento da identidade do aplicativo de nuvem SAP para SAP no local (Incluindo IaaS) através do conector de nuvem",
"guid": "45911475-e39e-4530-accc-d979366bcda2",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/"
},
{
"category": "Identidade e Acesso",
@ -22,7 +22,7 @@
"text": "Implemente o Single Sign on (SSO) usando o Azure Active Directory ou o Active Directory Federation Services (AD FS) para que os usuários finais condam o nécto aos aplicativos SAP, sempre que possível.",
"guid": "750ab-039d-495d-94c7-c8929cb107d5",
"severity": "Alto",
"training": "https://docs.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
"training": "https://learn.microsoft.com/en-gb/learn/modules/secure-aad-users-with-mfa/"
},
{
"category": "Identidade e Acesso",
@ -30,8 +30,8 @@
"text": "Se o SuccessFactor for usado como aplicativo HCM, aproveite o recurso automatizado de provisionamento do usuário para o Azure AD.",
"guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
"training": "https://learn.microsoft.com/en-gb/learn/paths/azure-administrator-manage-identities-governance/",
"link": "https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial"
},
{
"category": "Identidade e Acesso",
@ -39,8 +39,8 @@
"text": "Aplicativos web baseados em SSO para SAP Netweaver como Fiori, webgui etc. podem ser implementados usando SAML",
"guid": "f7c95f06-e154-4e3a-a359-2829e6e20617",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure"
},
{
"category": "Identidade e Acesso",
@ -48,8 +48,8 @@
"text": "O SSO para SAP GUI pode ser implementado usando o SAP SSO ou uma solução de terceiros",
"guid": "3686af46-791f-4893-9ada-43324e138115",
"severity": "Alto",
"training": "https://docs.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://docs.microsoft.com/azure/active-directory-b2c/user-overview"
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"link": "https://learn.microsoft.com/azure/active-directory-b2c/user-overview"
},
{
"category": "Identidade e Acesso",
@ -57,8 +57,8 @@
"text": "Aplicativos SSO para SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, SAP Cloud Platform IAS e SAP C4C com AZure AD podem ser implementados usando SAML",
"guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
"training": "https://learn.microsoft.com/en-gb/learn/paths/manage-identity-and-access/",
"link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal"
},
{
"category": "Identidade e Acesso",
@ -66,8 +66,8 @@
"text": "&nbsp",
"guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
"training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access"
},
{
"category": "Identidade e Acesso",
@ -75,7 +75,7 @@
"text": "&nbsp",
"guid": "16785d6f-a96c-496a-b885-18f482734c88",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-your-cloud-data/",
"link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/"
},
{
@ -84,8 +84,8 @@
"text": "aplicar as políticas existentes do Grupo de Gerenciamento para assinaturas SAP",
"guid": "6ba28021-4591-4147-9e39-e5309cccd979",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/modules/azure-architecture-fundamentals/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de Gestão e Assinaturas",
@ -93,8 +93,8 @@
"text": "enfore aplicativos intimamente acoplado na mesma assinatura SAP para evitar roteamento adicional e complexidade de gerenciamento",
"guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json"
},
{
"category": "Grupo de Gestão e Assinaturas",
@ -102,8 +102,8 @@
"text": "Aproveite a Suscription como unidade de escala e dimensione nossos recursos, considere implantar a assinatura por ambiente, por exemplo. Sandbox, não-prod, prod ",
"guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de Gestão e Assinaturas",
@ -111,8 +111,8 @@
"text": "Garanta o aumento do contingente como parte do provisionamento de subscrição (por exemplo, núcleos VM totais disponíveis dentro de uma assinatura).",
"guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de Gestão e Assinaturas",
@ -120,8 +120,8 @@
"text": "Certifique-se de que os serviços e recursos necessários estejam disponíveis nas regiões de implantação escolhidas, por exemplo. ANF, Zona etc.",
"guid": "e6e20617-3686-4af4-9791-f8935ada4332",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"training": "https://learn.microsoft.com/learn/paths/enterprise-scale-architecture/",
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de Gestão e Assinaturas",
@ -129,7 +129,7 @@
"text": "Aproveite a etiqueta de recursos do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Nível (Nível Web, Nível de Aplicação), Proprietário de Aplicativos, ProjectName)",
"guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de Gestão e Assinaturas",
@ -137,7 +137,7 @@
"text": "&nbsp",
"guid": "7d474317-6c8b-4cbf-95bb-e609d8a03e97",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Grupo de Gestão e Assinaturas",
@ -145,7 +145,7 @@
"text": "&nbsp",
"guid": "778424d6-1678-45d6-ba96-c96ad88518f4",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/management-groups/overview"
"link": "https://learn.microsoft.com/azure/governance/management-groups/overview"
},
{
"category": "Topologia e Conectividade de Rede",
@ -153,8 +153,8 @@
"text": "A atribuição de I.P pública para VM executando a carga de trabalho SAP não é recomendada.",
"guid": "82734c88-6ba2-4802-8459-11475e39e530",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "Topologia e Conectividade de Rede",
@ -162,8 +162,8 @@
"text": "Considere reservar endereço I.P no lado DR ao configurar ASR",
"guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
"training": "https://learn.microsoft.com/en-gb/learn/paths/architect-network-infrastructure/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing"
},
{
"category": "Topologia e Conectividade de Rede",
@ -171,8 +171,8 @@
"text": "Evite usar faixas de endereço IP sobrepostas para locais de produção e DR.",
"guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "Topologia e Conectividade de Rede",
@ -180,8 +180,8 @@
"text": "Certifique-se de que o Networking Accelarated esteja habilitado para todos os VM quando for aplicável.",
"guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://docs.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
"training": "https://learn.microsoft.com/en-gb/learn/paths/az-104-manage-virtual-networks/",
"link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances"
},
{
"category": "Topologia e Conectividade de Rede",
@ -189,8 +189,8 @@
"text": "Os pares VNet locais e globais fornecem conectividade e são as abordagens preferidas para garantir conectividade entre zonas de pouso para implantações SAP em várias regiões do Azure",
"guid": "a3592829-e6e2-4061-9368-6af46791f893",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://docs.microsoft.com/azure/networking/"
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
"link": "https://learn.microsoft.com/azure/networking/"
},
{
"category": "Topologia e Conectividade de Rede",
@ -198,8 +198,8 @@
"text": "Use um firewall de aplicativo web para digitalizar seu tráfego quando ele estiver exposto à internet. Outra opção é usá-lo com seu balanceador de carga ou com recursos que tenham recursos de firewall incorporados, como o Application Gateway ou soluções de terceiros.",
"guid": "5ada4332-4e13-4811-9231-81aa41742694",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://docs.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn",
"link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services"
},
{
"category": "Topologia e Conectividade de Rede",
@ -214,8 +214,8 @@
"text": "Use o Firewall Azure para governar o tráfego de saída do Azure para a internet, conexões de entrada não-HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir)",
"guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
"severity": "Média",
"training": "https://docs.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://docs.microsoft.com/azure/app-service/networking-features"
"training": "https://learn.microsoft.com/en-gb/learn/paths/secure-networking-infrastructure/",
"link": "https://learn.microsoft.com/azure/app-service/networking-features"
},
{
"category": "Topologia e Conectividade de Rede",
@ -223,8 +223,8 @@
"text": "Use o despachante SAP Web ou serviço de terceiros como o NetScaler em conjucção com o gateway do aplicativo, se necessário, para superar a limitação reversa do proxy para aplicativos web SAP.",
"guid": "d88518f4-8273-44c8-a6ba-280214591147",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/firewall/"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/firewall/"
},
{
"category": "Topologia e Conectividade de Rede",
@ -232,8 +232,8 @@
"text": "Use as políticas Azure Front Door e WAF para fornecer proteção global em todas as regiões do Azure para conexões HTTP/S de entrada a uma zona de pouso.",
"guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "Topologia e Conectividade de Rede",
@ -241,8 +241,8 @@
"text": "Ao usar o Azure Front Door e o Azure Application Gateway para ajudar a proteger aplicativos HTTP/S, use as políticas WAF no Azure Front Door. Bloqueie o Portal de Aplicativos Azure para receber tráfego apenas a partir da Porta da Frente do Azure.",
"guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview"
},
{
"category": "Topologia e Conectividade de Rede",
@ -250,8 +250,8 @@
"text": "Para uma entrega segura de aplicativos HTTP/S, use o Application Gateway v2 e garanta que a proteção e as políticas do WAF estejam ativadas.",
"guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview"
"training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview"
},
{
"category": "Topologia e Conectividade de Rede",
@ -259,8 +259,8 @@
"text": "Se os arquivos do Azure NetApp forem usados para implantação sap, certifique-se de que apenas uma sub-rede de delegados pode existir em uma Vnet para Azure NetAppFiles",
"guid": "6e154e3a-a359-4282-ae6e-206173686af4",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources?tabs=AzureManagementGroupsAndHierarchy"
},
{
"category": "Topologia e Conectividade de Rede",
@ -268,8 +268,8 @@
"text": "Use NSGs e grupos de segurança de aplicativos para tráfego de microsegmentar dentro da camada de aplicativos SAP, como sub-rede de aplicativos, sub-rede DB e sub-rede web etc.",
"guid": "6791f893-5ada-4433-84e1-3811523181aa",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/implement-network-security/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "Topologia e Conectividade de Rede",
@ -277,8 +277,8 @@
"text": "Ele não é suportado para implantar qualquer NVA entre o aplicativo SAP e o servidor SAP Database",
"guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://docs.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
"training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
"link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works"
},
{
"category": "Topologia e Conectividade de Rede",
@ -305,8 +305,8 @@
"text": "Execute uma extensão VM para verificação SAP. A VM Extension for SAP usa a identidade gerenciada atribuída de uma máquina virtual para acessar dados de monitoramento e configuração de VM.",
"guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Gestão e Monitoramento",
@ -314,8 +314,8 @@
"text": "Use a Política Azure para relatórios de controle de acesso e conformidade. A Política Azure fornece a capacidade de impor configurações em toda a organização para garantir a adesão consistente à política e a rápida detecção de violações. ",
"guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Gestão e Monitoramento",
@ -323,8 +323,8 @@
"text": "Proteja seu banco de dados HANA com o serviço Azure Backup. Se você implantar os Arquivos do Azure NetApp (ANF) para o seu banco de dados HANA, use a ferramenta Azure Application Consistent Snapshot (AzAcSnap) para tirar instantâneos consistentes com aplicativos",
"guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create"
},
{
"category": "Gestão e Monitoramento",
@ -332,8 +332,8 @@
"text": "Realize uma verificação de qualidade para SAP HANA na infraestrutura do Azure provisionada para verificar se os VMs provisionados estão em conformidade com o SAP HANA sobre as melhores práticas do Azure.",
"guid": "73686af4-6791-4f89-95ad-a43324e13811",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://docs.microsoft.com/azure/automation/update-management/overview"
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
"link": "https://learn.microsoft.com/azure/automation/update-management/overview"
},
{
"category": "Gestão e Monitoramento",
@ -341,8 +341,8 @@
"text": "Use o Network Watcher Connection Monitor para monitorar as métricas de latência do servidor de banco de dados e aplicativos SAP ou coletar e exibir medições de latência da rede com o Azure Monitor.",
"guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://docs.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
"training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
"link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview"
},
{
"category": "Gestão e Monitoramento",
@ -350,8 +350,8 @@
"text": "Otimize e gerencie as operações do SAP Base usando o SAP Landscape Management (LaMa). Use o conector SAP LaMa para o Azure para realocar, copiar, clonar e atualizar sistemas SAP.",
"guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
"severity": "Média",
"training": "https://docs.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json"
},
{
"category": "Gestão e Monitoramento",
@ -359,7 +359,7 @@
"text": "Para cada assinatura do Azure, execute um teste de latência da Zona de Disponibilidade do Azure antes da implantação zonal para escolher zonas de baixa latência para SAP na implantação do Azure.",
"guid": "616785d6-fa96-4c96-ad88-518f482734c8",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Gestão e Monitoramento",
@ -367,7 +367,7 @@
"text": "Implementar proteção contra ameaças para SAP com o Microsoft Sentinel.",
"guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/sentinel/quickstart-onboard"
"link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard"
},
{
"category": "Gestão e Monitoramento",
@ -375,7 +375,7 @@
"text": "A aplicação da configuração do gerenciamento de atualizações por meio da política garante que todos os VMs sejam incluídos no regime de gerenciamento de patches, fornece às equipes de aplicativos a capacidade de gerenciar a implantação de patches para seus VMs e fornece recursos de visibilidade e execução de TI central em todos os VMs",
"guid": "4d116785-d2fa-456c-96ad-48408fe72734",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Gestão e Monitoramento",
@ -383,7 +383,7 @@
"text": "Habilite os insights de VM para as cargas de trabalho SAP em execução da VM.",
"guid": "c486ba28-0dc0-4591-af65-de8e1309cccd",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor"
},
{
"category": "Gestão e Monitoramento",
@ -391,7 +391,7 @@
"text": "A marcação do Azure pode ser aproveitada para agrupar e rastrear logicamente recursos, automatizar suas implantações e, o mais importante, fornecer visibilidade sobre os custos incorridos.",
"guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
"link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery"
},
{
"category": "Gestão e Monitoramento",
@ -399,7 +399,7 @@
"text": "&nbsp",
"guid": "4919cb1b-3d13-425a-b124-ba34df685edd",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/backup/backup-center-overview"
"link": "https://learn.microsoft.com/azure/backup/backup-center-overview"
},
{
"category": "Segurança, Governança e Compliance",
@ -407,7 +407,7 @@
"text": "Use o Azure Key Vault para armazenar seus segredos e credenciais",
"guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview"
},
{
"category": "Segurança, Governança e Compliance",
@ -415,7 +415,7 @@
"text": "Recomenda-se bloquear a implantação pós-sucesso do Azure Resources para proteger contra alterações não autorizadas",
"guid": "829e2edb-2173-4676-aff6-691b4935ada4",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/overview-throttling"
"link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling"
},
{
"category": "Segurança, Governança e Compliance",
@ -423,7 +423,7 @@
"text": "Provision Azure Key Vault com as políticas de exclusão e eliminação suaves habilitadas para permitir proteção de retenção para objetos excluídos.",
"guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -431,7 +431,7 @@
"text": "Com base nos requisitos existentes, controles regulatórios e de conformidade (internos/externos) - Determine quais são necessárias as Políticas Azure e o papel do Azure RBAC",
"guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -439,7 +439,7 @@
"text": "Quando você habilitar o Microsoft Defender for Cloud Standard para SAP, certifique-se de excluir os servidores de banco de dados SAP de qualquer política que instale proteção de ponto final.",
"guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -447,7 +447,7 @@
"text": "Delegue um papel personalizado de administração SAP com acesso just-in-time.",
"guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -455,7 +455,7 @@
"text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações seguras de rede (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS",
"guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -463,7 +463,7 @@
"text": "O Azure Active Directory (Azure AD) com o SAML 2.0 também pode fornecer SSO para uma gama de aplicativos e plataformas SAP como SAP NetWeaver, SAP HANA e a PLATAFORMA SAP Cloud",
"guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -471,7 +471,7 @@
"text": "Certifique-se de endurecer o sistema operacional para erradicar vulnerabilidades que podem levar a ataques no banco de dados SAP.",
"guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -479,7 +479,7 @@
"text": "Padrão para as chaves gerenciadas pela Microsoft para a funcionalidade principal de criptografia e use chaves gerenciadas pelo cliente quando necessário.",
"guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -487,7 +487,7 @@
"text": "Use um Cofre de Chave Azure por aplicativo por ambiente por região.",
"guid": "4935ada4-2223-4ece-a1b1-23181a541741",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -495,7 +495,7 @@
"text": "&nbsp",
"guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/key-vault/general/best-practices"
"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"
},
{
"category": "Segurança, Governança e Compliance",
@ -503,7 +503,7 @@
"text": "Personalize funções de controle de acesso baseado em papel (RBAC) para assinaturas de voz SAP no Azure para evitar alterações acidentais relacionadas à rede",
"guid": "209d490d-a477-4784-84d1-16785d2fa56c",
"severity": "Alto",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Segurança, Governança e Compliance",
@ -511,7 +511,7 @@
"text": "Isole DMZs e NVAs do resto da propriedade SAP, configure o Azure Private Link e gerencie e controle com segurança o SAP sobre os recursos do Azure",
"guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Segurança, Governança e Compliance",
@ -519,7 +519,7 @@
"text": "Para criptografia de servidor de banco de dados SAP, use a tecnologia de criptografia nativa SAP HANA. Se você estiver usando o Azure SQL Database, use O TDE (Transparent Data Encryption, criptografia de dados transparente) oferecido pelo provedor DBMS para proteger seus dados e registrar arquivos e garantir que os backups também sejam criptografados.",
"guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Segurança, Governança e Compliance",
@ -527,7 +527,7 @@
"text": "A criptografia de armazenamento do Azure é ativada por padrão",
"guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Segurança, Governança e Compliance",
@ -535,7 +535,7 @@
"text": "&nbsp",
"guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Segurança, Governança e Compliance",
@ -543,7 +543,7 @@
"text": "&nbsp",
"guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/governance/policy/overview"
"link": "https://learn.microsoft.com/azure/governance/policy/overview"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -551,7 +551,7 @@
"text": "Não combine o cluster ASCS e o database em VM único/mesmo",
"guid": "aff6691b-4935-4ada-9222-3ece81b12318",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
"link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -559,7 +559,7 @@
"text": "Certifique-se de que o IP flutuante está ativado no balanceador de carga",
"guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -567,7 +567,7 @@
"text": "Não misture servidores de diferentes funções no mesmo conjunto de disponibilidade. Mantenha VMs de serviços centrais, VMs de banco de dados, VMs de aplicativos em seus próprios conjuntos de disponibilidade",
"guid": "cbe05bbe-209d-4490-ba47-778424d11678",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -575,7 +575,7 @@
"text": "Use um grupo de colocação de proximidade por SAP SID. Grupos não se estendem por zonas de disponibilidade ou regiões do Azure",
"guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/security-center/"
"link": "https://learn.microsoft.com/azure/security-center/"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -583,7 +583,7 @@
"text": "Atualmente, o Azure não suporta a combinação de ASCS e db HA no mesmo cluster Linux Pacemaker; separá-los em aglomerados individuais. No entanto, você pode combinar até cinco vários clusters de serviços centrais em um par de VMs.",
"guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
"severity": "Média",
"link": "https://docs.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
"link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -591,7 +591,7 @@
"text": "Use um SKU balanceador de carga padrão na frente de clusters ASCS e DB",
"guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
"severity": "Média",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -607,7 +607,7 @@
"text": "A tecnologia nativa de replicação do banco de dados deve ser usada para sincronizar o banco de dados em um par HA.",
"guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
"severity": "Média",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",
@ -615,7 +615,7 @@
"text": "Realize uma recuperação pontual para seus bancos de dados de produção a qualquer momento e em um período de tempo que atenda ao seu RTO; a recuperação point-in-time normalmente inclui erros do operador excluindo dados na camada DBMS ou através do SAP, aliás",
"guid": "b2173676-aff6-4691-a493-5ada42223ece",
"severity": "Média",
"link": "https://docs.microsoft.com/security/benchmark/azure/security-control-incident-response"
"link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
},
{
"category": "Continuidade de Negócios e Recuperação de Desastres",

298
checklists/security_checklist.en.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

298
checklists/security_checklist.es.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

298
checklists/security_checklist.ja.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

298
checklists/security_checklist.ko.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

298
checklists/security_checklist.pt.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

2
web/README.md
Просмотреть файл

@ -19,7 +19,7 @@ This screenshot shows the `flask` container web interface that can be used to fr
The `fillgraphdb` container needs to authenticate to Azure to send the Azure Resource Graph queries. There are two options:
- **Working today**: With Service Principal credentials
- **Roadmap**: With a [User-Managed Identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview#how-can-i-use-managed-identities-for-azure-resources) with read access to the subscription(s). The `identityId` parameter of the ARM template needs to be provided. Initial tests have shown that the User-Managed Identity is not available in the init containers.
- **Roadmap**: With a [User-Managed Identity](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview#how-can-i-use-managed-identities-for-azure-resources) with read access to the subscription(s). The `identityId` parameter of the ARM template needs to be provided. Initial tests have shown that the User-Managed Identity is not available in the init containers.
The [Azure CLI deployment script for Service Principals](./arm/deploy_sp.azcli) shows how to create the Service Principal, assign the reader role for the whole subscription, and launch the ARM template to create the MySQL server and the Azure Container Instance (it doesn't store the Service Principal secret in an Azure Key Vault, that would be highly advisable). If you already have the Service Principal, you can deploy the ARM template graphically as well using the button below: